Troj/Unif-B – a hive of activity

Over the past few weeks we have noticed an increasing number of sites compromised with a malicious script we detect as Troj/Unif-B. Our automation systems dutifully process the data, extracting target URLs, downloading other content to ensure we block the necessary URLs and detect the appropriate malicious content. However, I have been meaning to dig further into this spate of attacks to uncover their purpose, and get a better idea of their coordination.

I decided to query our data for all records processed since March 1st 2008 (so approximately 4 weeks worth of data). The data reveals almost 11,000 pages compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, approximately 150 new domains each day (and this is just what we are seeing).

To get an impression of the purpose of the attacks, you need to delve further into the data. We can look at the ‘targets’ of the iframe that the malicious Troj/Unif-B script adds. For the 4,500 compromised domains, these targets fall into two categories:

  1. additional attack sites. Some other site which hits the victim with exploits.
  2. redirect or ‘control’ sites. Some other site, controlled by the attacker, which can be used to direct traffic (as discussed previously). Typically, these sites direct victims to one of several other attack sites (though there may be several redirects in use).

There a number of prominent attacks visible in the data:

  • ~30% use a renowned attack site for installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
  • Tibs: over 10% are redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
  • Zbot: almost 10% load exploits intended to install a member of the Mal/Zbot family.
  • Gpack: approximately 5% point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.

GPack is something recently talked about by Roger Thompson, on the Exploit Prevention Labs blog. Interestingly, of the domains we have identified that are compromised to point to the GPack attack site, 70% are hosted by the same ISP. The same is true for the some of the other attacks listed above – targeting server farms is an effective strategy for the attackers.

The grouping within the compromised pages is not surprising, it simply reflects the coordinated attacks that are taking place. Also not surprising (though perhaps less well known) are the relationships between some of the groups. This is particularly evident when you monitor certain redirect sites over time. As speculated previously, it is not unlikely that these sites could be used to make money by selling ‘traffic flow’ (attackers essentially paying for victims to be directed to their attack sites for a period of time).

From a protection standpoint, this sort of data is important. It lets us focus on the most important parts of the attack in order to provide the maximum protection to customers. As you can see from this recent Troj/Unif-B activity, the attack and control sites are the critical elements to identify. We are then able to block requests to the malicious URLs, and monitor the content they host to ensure we retain appropriate detection.