Strange Bedfellows

We keep track of a lot of websites at SophosLabs, but one in particular has kept me interested for a few months now. It starts off with a variation on a theme we’ve seen before – malicious 404 pages.

Fake 404

One thing you might notice is that the page title claims to be a 403 “permission denied” page, and the text starts to confirm that, before changing tack by saying “404 not found”. But you might also see that it’s tried to run a script as well – this is clearly not your common or garden 404 page, which is why we detect them as Troj/Forro-Gen.
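The two tell-tales described above (an error page that runs script, and a title and body that disagree about the error code) can be checked mechanically. The following is an added example, not SophosLabs' detection logic: the function and class names are hypothetical, the sample pages are constructed, and it assumes the response status and HTML body are already available from a proxy or crawler.

```python
import re
from html.parser import HTMLParser

class ErrorPageScan(HTMLParser):
    """Collect the title, the visible text and the script tags of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.text, self.scripts = "", "", []
        self._inside = None  # "title" or "script" while inside that element

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script"):
            self._inside = tag
        if tag == "script":
            self.scripts.append(dict(attrs).get("src") or "<inline>")

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None

    def handle_data(self, data):
        if self._inside == "title":
            self.title += data
        elif self._inside is None:
            self.text += data

def suspicious_error_page(http_status, html):
    """Return the reasons a 403/404 response does not look like a stock error page."""
    if http_status not in (403, 404):
        return []
    page = ErrorPageScan()
    page.feed(html)
    page.close()
    reasons = []
    if page.scripts:
        reasons.append("error page runs script: " + ", ".join(page.scripts))
    claimed = set(re.findall(r"\b40[34]\b", page.title + " " + page.text))
    if len(claimed) > 1:
        reasons.append("page claims conflicting codes: " + "/".join(sorted(claimed)))
    return reasons

# Constructed samples (not captured from the site described above).
FAKE = ('<html><head><title>403 Forbidden</title></head><body>'
        '<h1>Forbidden</h1><p>You do not have permission. 404 Not Found</p>'
        '<script src="http://example.invalid/x.js"></script></body></html>')
STOCK = ('<html><head><title>404 Not Found</title></head><body>'
         '<h1>Not Found</h1><p>The requested URL was not found.</p></body></html>')

if __name__ == "__main__":
    for name, body in (("FAKE", FAKE), ("STOCK", STOCK)):
        print(name, suspicious_error_page(404, body))
```

Custom error pages on legitimate sites sometimes load scripts too, so a hit here is a reason to look closer rather than a verdict.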

Depending on which script the site serves to you, your browser loads code from one of a number of other scripts. These are pretty heavily obfuscated, and change repeatedly – until recently they had legitimate-looking keywords scattered through them and we detected them as Mal/ObfJS-AC, but now they just look like encrypted data, detected as Mal/ObfJS-AM. Each script tries to exploit a different software vulnerability, with the aim of loading and executing a file detected as Troj/Tipiki-Gen.

But that isn’t the end of the chain, oh no.

This file is only a downloader, fetching a list of executables as determined by a configuration file which changes according to where you are when you fetch it. From Vancouver, the file starts “CA”, from Boston it starts “US”, from Oxford “UK” … well, you get the idea, and the long list of files (usually between 10 and 20) changes too, giving you malware that it thinks is most appropriate to target your region.

But here’s the kicker – the malware we usually see is not only of different families, it belongs to rival gangs. On the same server we find samples of Dorf (aka Storm), Pushdo, Mal/EncPk-CK (associated with the Kraken botnet), and various others. And these files are all hot off the press – files that we find here are often seen in campaigns starting hours later.

The owners of botnets don’t work together like this, so unless there’s a criminal overlord masterminding them all (unlikely, we’re not living in a Blofeld age) then I can only assume that some middlemen are hiring themselves out to a number of competing nefarious groups, behind each other’s backs of course, in order to distribute their malware – I wouldn’t like to be in their shoes when their bosses all work it out.