In this post I want to highlight one of the script injections we have been tracking for the past month or so, which is being used to redirect web traffic to exploit sites (running the Blackhole exploit kit). Two factors make this particular script injection worthy of discussion, namely:
- large scale attacks. Many legitimate sites have been hit in these attacks.
We first saw this redirect script at the start of June. Sophos products block infected pages as Mal/Iframe-AF, and since early June, the prevalence of this threat has risen to the top of our web threat stats (accounting for 30-50% of all web threat detections).
The script generates a random string based on the current date, changing the string every 12 hours. It is a pretty simplistic approach.
No such elegance here I am afraid. The best we have seen are some later variants of the code which prepend a string for a “random” colour.
The iframe that the script adds to the page is intended to point the browser to a TDS server the attackers control. One of the strings used in some of the iframe URLs is responsible for the ‘Runforestrun’ nickname that has been attached to this attack. *
Later variants of the script use different strings, and they have started to use dynamic DNS services for the referenced target sites (a favourite trick we have seen Blackhole use aggressively).
The traffic will be bounced (via an HTTP 302) from the TDS to the exploit site (normally via a second TDS). To date the exploit site has typically been running Blackhole, where the usual array of Java, Flash and PDF exploits are used in order to infect the user.
The final payload users are infected with varies – we have seen these payloads ranging from backdoor Trojans and Zbot to ransomware.
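The TDS bounce described above leaves a recognisable trail in web proxy logs: consecutive 302 responses that each hand the browser to a different host. The following is an added example of hunting for that trail, not Sophos code; the log format, the `.example` hosts and the URL shapes are constructed, and only the "runforestrun" string comes from this post.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (not captured traffic): client, URL, status, Location.
# Hosts are reserved .example names; URL paths and parameters are made up.
SAMPLE_LOG = """\
10.0.0.5 http://news.example/index.html 200 -
10.0.0.5 http://abcdefghijklmnop.example/runforestrun?id=1 302 http://tds2.example/in.php
10.0.0.5 http://tds2.example/in.php 302 http://kit.dyn.example/main.php
10.0.0.5 http://kit.dyn.example/main.php 200 -
10.0.0.9 http://shop.example/login 302 http://shop.example/account
10.0.0.9 http://shop.example/account 200 -
"""
MARKER = "runforestrun"  # string the post says appears in some iframe URLs

def parse(log):
    """Yield (client, url, status, location) from whitespace-separated records."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed records
        client, url, status, location = parts
        yield client, url, int(status), None if location == "-" else location

def find_bounce_chains(log, min_hops=2):
    """Return (client, [urls]) for each chain of cross-host 302 redirects."""
    hops = {}  # (client, url) -> redirect target, cross-host 302s only
    for client, url, status, location in parse(log):
        if (status == 302 and location
                and urlsplit(url).hostname != urlsplit(location).hostname):
            hops[(client, url)] = location
    targets = {(client, loc) for (client, _), loc in hops.items()}
    findings = []
    for client, url in hops:
        if (client, url) in targets:
            continue  # mid-chain hop, reported with its chain start
        chain = [url]
        while (client, chain[-1]) in hops and len(chain) <= 10:  # loop guard
            chain.append(hops[(client, chain[-1])])
        # Flag multi-hop bounces, or any cross-host bounce carrying the marker.
        if len(chain) - 1 >= min_hops or MARKER in url.lower():
            findings.append((client, chain))
    return findings

if __name__ == "__main__":
    for client, chain in find_bounce_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Same-host redirects (such as a login redirect) are ignored, so the check keys on the host changing at every hop rather than on 302s in general.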
Aside from the Mal/Iframe-AF detection of the initial script redirect, Sophos products block the rest of the components involved in the driveby download chain as follows:
- blacklisting of the TDS servers
- blacklisting of the exploit sites
- detection of the landing page and PDF, Java and Flash components used by Blackhole
The final word on this should probably be some advice for site admins whose sites have been hit by this attack. As noted in the excellent blog I linked above, it is believed that a Plesk vulnerability was used to gain access to sites. So admins should ensure they update Plesk, and change ALL associated passwords.
* This is a reference to the “Run Forrest, Run!” line from the film Forrest Gump (spelling has never been the focus of malware authors).