Continued Sinowal activity

After one of my recent blog postings concerning the recent zero day IE vulnerability [1], I received a few questions and comments prompted by one of the remarks I made:

Finally, and perhaps most worryingly, this type of advice feeds the “right now we have a problem, but as soon as the patch is available, we can relax” school of thought. Will the online world be significantly safer once this patch is available and widely deployed? Generally speaking, probably not.

The questions I received confirmed to me that this school of thought definitely exists. In this post, I will highlight one of the ongoing threats that justifies my statement – Sinowal (aka Mebroot) attacks.

I have posted several times before about Sinowal, highlighting:

The flow of a recent Sinowal attack is illustrated below (the identity of the legitimate, compromised site is masked):

As you can see, the steps are:

  • connect to the legitimate site, retrieving the page and all other required content (including the regular Google Analytics scripts as the last item).
  • connect to Twitter daily trends data. This request is driven by the Sinowal script injected into the page (blocked as JS/Sinowal-Gen and Mal/ObfJS-AG).
  • connect to the attack site (a Neosploit kit, I believe). The malicious script is blocked by Sophos products as Mal/ObfJS-CM.
  • the script loads a second script fragment before finally loading a malicious PDF document (blocked as Troj/PDFJs-GE), as described previously.
  • not included in this capture (Adobe Reader simply returned an error message) is the payload. If the Adobe exploit succeeds, the payload is downloaded from the attack site.
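As an added example (not code from the original post), the request sequence above can be turned into a simple correlation rule over proxy logs: a page load whose referer-chained requests include a Twitter trends fetch followed by a PDF served from a host other than the page's own. The log format, hostnames, paths and the 30-second window are all assumed; the log lines are constructed.

```python
from datetime import datetime

# Constructed proxy log (not from the original post), one request per line:
# timestamp client host path referer content-type
SAMPLE_LOG = """\
2010-01-15T10:00:01 10.0.0.5 www.legit-example.it /index.html - text/html
2010-01-15T10:00:02 10.0.0.5 www.google-analytics.com /ga.js http://www.legit-example.it/index.html text/javascript
2010-01-15T10:00:03 10.0.0.5 search.twitter.com /trends/daily.json http://www.legit-example.it/index.html application/json
2010-01-15T10:00:05 10.0.0.5 attack-site.invalid /in.php http://www.legit-example.it/index.html text/javascript
2010-01-15T10:00:06 10.0.0.5 attack-site.invalid /s2.js http://www.legit-example.it/index.html text/javascript
2010-01-15T10:00:08 10.0.0.5 attack-site.invalid /doc.pdf http://www.legit-example.it/index.html application/pdf
2010-01-15T10:30:00 10.0.0.9 www.legit-example.it /index.html - text/html
2010-01-15T10:30:01 10.0.0.9 search.twitter.com /trends/daily.json http://www.legit-example.it/index.html application/json
"""

WINDOW_SECONDS = 30  # assumed: the whole chain must follow the page load within this window

def parse(line):
    ts, client, host, path, referer, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "path": path, "referer": referer, "ctype": ctype}

def is_trends_request(req):
    # The injected script's first external fetch: Twitter daily-trends data (path assumed).
    return req["host"].endswith("twitter.com") and "trends" in req["path"]

def find_sinowal_chains(log_text, window=WINDOW_SECONDS):
    """One alert per (client, page) where the page load is followed, within
    `window` seconds and with that page as referer, by a Twitter trends fetch
    and then a PDF served from a host other than the page's own."""
    reqs = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    for page in (r for r in reqs if r["ctype"] == "text/html" and r["referer"] == "-"):
        page_url = f"http://{page['host']}{page['path']}"
        chain = [r for r in reqs if r["client"] == page["client"]
                 and r["referer"] == page_url
                 and 0 <= (r["ts"] - page["ts"]).total_seconds() <= window]
        trends = [r for r in chain if is_trends_request(r)]
        pdfs = [r for r in chain if r["ctype"] == "application/pdf"
                and r["host"] != page["host"]]
        # Require the order seen in the capture: trends fetch first, then a third-party PDF.
        for t in trends:
            later = [p for p in pdfs if p["ts"] > t["ts"]]
            if later:
                alerts.append({"client": page["client"], "page": page_url,
                               "pdf_host": later[0]["host"]})
                break
    return alerts
```

Run against the sample log, the first client is flagged (trends fetch, then a PDF from attack-site.invalid) while the second, which loaded the same page but never reached the attack site, is not.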

Historically, the payload for Sinowal attacks was just Sinowal, but as noted previously, other payloads have recently been distributed in this way (including fake AV and Zbot).

I was curious to take a look at the distribution of the sites getting hit with Sinowal, given the historical European (in fact, Italian) bias. We continue to see large numbers of legitimate sites getting compromised with the malicious redirector scripts (Mal/ObfJS-AG or JS/Sinowal-Gen).

Looking at the data for Jan 1st-21st 2010, it is clear that hosting providers across the globe are getting hit:

In Europe there is still a strong grouping within Italy:

And for completeness, the distribution across North America and Canada: