Bad Behav'iour

Filed Under: Malware, SophosLabs

A couple of weeks ago we blogged about how modern attacks involving multiple components can be thwarted at several links in the chain. The example used, was the infection mechanism used in MPack based attacks (MPack being the name of the package that can be purchased and used by the bad guys in constructing malicious drive-by sites). Since then, we have been monitoring these attacks quite closely. In this post, I will look at data obtained over the past 7 days for one particular flavour of attack.

As we have seen in several previous posts (1,2,3 for example), a large number of Web attacks use the same infection mechanism:

  • compromise of legitimate site and/or construction of specific drive-by site
  • loading of malicious content from remote site (via redirection steps sometimes)
  • malicious scripts exploit client side application/browser vulnerabilities to install malware

By recognizing a characteristic trait in the pages compromised in this particular attack we are able to follow it. Over 90% of the compromised sites found are running Apache, suggesting that the methods used for attack, are largely Apache-specific. Several hosting providers appear to have been hit - four of the servers serving up 15 to 30 domains each. The compromised sites are hosted mostly in the United States, with a smattering in Russia, and across Europe.

[Click to enlarge]

Despite many new, compromised domains being discovered each day, analysis of the target sites from where the malicious content is actually loaded, shows a much lower number (thankfully). This particular attack is only using approximately 20 sites to deliver the exploits (several of which are known to SophosLabs from previous 'misdemeanors', and have been blocked for a while in the WS1000 appliance). The bulk of these 20 sites are hosted on servers in the United States and Russia, with a couple in the Ukraine.

The script content served up from these remote sites has been changing regularly, but the malicious scripts are proactively detected as Mal/ObfJS-C and Mal/ObfJS-D. The usual suite of vulnerabilities (many old) are being used including MS03-011 ('ByteVerify'), MS06-057 ('SetSlice'), MS06-067 ('KeyFrame'), MS06-001 ('Windows MetaFile'), MS06-014 ('MDAC'), MS06-055 ('VML') and MS06-006 ('media plugin').

The payload of these attacks (the Win32 binaries installed) obviously varies. Several are data stealing Trojans, proactively detected as Mal/Behav-112 and Mal/Behav-116. SophosLabs will continue to monitor the relevant URLs to pick up any new, undetected samples. *

Clearly, attacks such as this will continue. There will be occasions when the bad guys 'strike gold' and compromise a large site, exposing potentially huge numbers of victims to malicious code. Even with relatively old vulnerabilities being used, there will be some users that are not patched, and get infected. Tracking such attacks, and all the components involved, particularly those which we do not detect, is very important. It helps us to improve our proactive detection capabilities in order to protect users against the next threat.

* In fact, between the last check, and the writing of this blog entry, one of the sites is now delivering a binary no longer proactively detected by Sophos Anti Virus 6 (and previous) products (file is being analysed now). However, Sophos Anti Virus 7 users are proactively protected - the file is detected as Sus/Dropper-A. Users can significantly bolster protection from these sort of attacks by enabling suspicious detection and buffer overflow features that are provided within Sophos Anti Virus 7.

You might like

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.