Sinowal delivery: date-driven redirection scripts

Recently, there have been a few reports of new Sinowal (aka Mebroot or StealthMBR) variants having been spotted in the wild [1,2]. We have been seeing this activity ourselves at SophosLabs. In this post I will highlight some interesting characteristics of the scripts that are being used for infecting victims with Sinowal in web attacks.

Of course, there is nothing novel or particularly exciting in malware authors injecting malicious code into legitimate sites in order to infect victims through drive-by attacks. However, what makes Sinowal’s approach slightly more interesting is the use of a date-driven domain generation algorithm within the injected, malicious script. (Ok, so not as “exciting” as that used by Conficker, but nonetheless, an interesting highlight amongst the plethora of other rather dross, static redirects used elsewhere in web attacks.)

The malicious scripts currently being used by Sinowal for redirection are being detected as Mal/ObfJS-AG. The malicious content is heavily obfuscated and unreadable, but sufficiently large to make it fairly easy for site admins to spot the rogue content within affected pages.

Obfuscated injected script (Mal/ObfJS-AG)

Once deobfuscated, it is simple to find the algorithm used to generate the target domain. Multiple variants have been seen, but the algorithms used are virtually identical. Modifying the scripts, it is easy to generate a list of the domains from which the script will load content on any given day.

Part of the domain generation algorithm used in Mal/ObfJS-AG
Part of the domain generation algorithm used in Mal/ObfJS-AG

For each of the variants investigated thus far, the algorithm used generates a new domain every few days (using just over 100 domains for entirety of 2009, for each variant).

Snapshot of generated domains used in Sinowal attacks
Generated domains used in Sinowal attacks

The content loaded from the generated domains consists of further malicious scripts (detected as Mal/ObfJS-AV). These proceed to infect the victim with the Sinowal dropper. Inspection of the MBR following infection reveals the infection (detected as Troj/Mbroot-E).

MBR after infection with Sinowal (Mebroot)
MBR after infection with Sinowal (Mebroot)

Game Over. A quick summary of the protection provided against such Sinowal infections is shown below.

  • Access to the domains Sinowal is using is prevented (for web appliance users)
  • The malicious redirection scripts injected into legitimate pages are being detected as Mal/ObfJS-AG
  • The malicious scripts used on the attack sites to infect the victim are being detected as Mal/ObfJS-AV
  • The Sinowal droppers are detected as Mal/Sinowa-A
  • The modified MBR is detected as Troj/Mbroot-E

Finally, it should be noted that a large number of the target domains being used by Sinowal appear to have been successfully “sinkholed” to help protect users from this nasty threat over coming months. This is obviously a good thing. However, it is a safe bet that the attacks will simply continue to evolve, evading such measures.