Automatic Propagation of Malicious Code via HTTP
October 3, 2009 by admin
Filed under Security News
We know that automating the propagation of malware is one of the basic objectives of any cyber criminal, regardless of the attack vectors and technologies used.
In this sense, the Internet has become the cradle of a range of malicious alternatives, with attack methods that evolve daily. Several years ago it was hard to imagine that merely accessing a web page could pose a risk of infection once certain conditions on the system were met, conditions that mainly have to do with operating system and application updates.
Today we find scripts whose instructions are crafted maliciously and form part of a cycle of propagation and infection that is, unfortunately, very effective. A concrete example not only of evolution but also of effectiveness is the Drive-by-Download technique, together with its evolved Multi-Stage variant, heavily used by botmasters to propagate threats.
The following is a real scenario that exemplifies more clearly what I have described. It is a site hosted in the US under the IP 66.116.197.186 in AS32392. A screenshot of the website is shown below.
The domains hosted on that IP are:
- phonester.biz
- phonester.com
- phonester.info
- phonester.net
- phonester.org
When the site is accessed from Windows, a script embedded in the HTML code automatically opens a window offering to download Flash Player. It is obviously fake. The file propagated is called “install_flash_player.exe” (abed2d16e5e4c3e369114d01dff4b19c) and has a low detection rate: only about 25% of antivirus engines detect this malware, which is In-the-Wild.
Moreover, the script that prompts the download of the fake Flash Player runs transparently to the user. Now … the issue doesn’t end here. From a more technical standpoint, there are many details that aren’t difficult to grasp.
First of all, deobfuscating the script yields a series of relevant data. The script contains iframe tags pointing to a range of websites from which other malicious files are downloaded:
- diggstatistics.com/flash/pdf.php
- diggstatistics.com/flash/directshow.php
- diggstatistics.com/flash/exe.php
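The injected iframes in this kind of drive-by page are typically off-site, tiny (1x1) or hidden with CSS, which is exactly what a defender can check for when triaging a suspect landing page. The following Python script is an added example, not code from the original post: it parses a constructed HTML sample (the hosts `phonester.invalid` and `example-stats.invalid` and the paths are placeholders modelled on the post's description) and flags iframes whose target host differs from the page host, whose dimensions are tiny, or which are hidden by inline style.

```python
"""Extract iframe targets from an HTML page and flag those that look like
drive-by injections: off-site, tiny, or hidden via inline CSS.

Added example for this post; sample page and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample landing page: one legitimate relative iframe plus two
# injected ones pointing at a script endpoint on another host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/news/ticker.html" width="600" height="200"></iframe>
<iframe src="http://example-stats.invalid/flash/pdf.php" width="1" height="1"></iframe>
<iframe src="http://example-stats.invalid/flash/exe.php" style="display: none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '1' or '1px' into an int; return None for percentages or junk."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def analyze_iframes(html, page_host):
    """Return one finding per iframe: src, resolved host and a list of reasons
    why it looks suspicious (empty list means nothing flagged)."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs (same host)
        reasons = []
        if host and host.lower() != page_host.lower():
            reasons.append("off-site")
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (width is not None and width <= 2) or (height is not None and height <= 2):
            reasons.append("tiny")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        findings.append({"src": src, "host": host or page_host, "reasons": reasons})
    return findings


def suspicious_iframes(html, page_host):
    """Only the iframes with at least one reason to look closer."""
    return [f for f in analyze_iframes(html, page_host) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "phonester.invalid"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it against the HTML saved from a suspect page (after deobfuscation, since the iframes here were emitted by the script) and pass the page's own hostname; anything reported as off-site and tiny or hidden is worth pulling in a sandbox rather than a browser.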
The downloaded files are “tylda.exe” (abed2d16e5e4c3e369114d01dff4b19c), which has a low detection rate (5/41, 12.20%), and “pdf.pdf” (9cc400edcdc5492482f5599d43b76c0c), with an equally low detection rate (13/41, 31.71%), designed to exploit vulnerabilities in Adobe Reader and Acrobat: the Adobe util.printf overflow (CVE-2008-2992) and Adobe getIcon (CVE-2009-0927), respectively.
Moreover, in the event that the file downloaded in the first instance (install_flash_player.exe) is executed, it establishes a connection to 174.120.61.126/~ garynic/, from where it downloads the binary “coin.exe” (258c0083f051b88ea36d3210eca18dd7), also with a quite poor detection rate. This file is downloaded at random from:
- digital-plr.com
- giggstatistics.com
- xebrasearch.com
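The multi-stage pattern described above (an executable served from a script endpoint such as `exe.php`, then a second binary fetched by the same client from a different host shortly afterwards) is visible in ordinary web proxy logs even when antivirus misses both samples. The following Python script is an added example and not part of the original post: it runs a simple chain detection over a few constructed proxy log lines (hostnames such as `stats.invalid` and `second-stage.invalid`, the client addresses and the log format are all assumed), flagging executables served by script endpoints and pairing them with a follow-up executable download from another host within a five-minute window.

```python
"""Detect a multi-stage download chain in web proxy logs.

Added example for this post; the log lines, hosts and format are constructed.
Each line: <ISO timestamp> <client> <method> <url> <status> <content-type>."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = """\
2009-09-12T10:00:01 10.0.0.5 GET http://landing.invalid/index.html 200 text/html
2009-09-12T10:00:03 10.0.0.5 GET http://stats.invalid/flash/exe.php 200 application/x-msdownload
2009-09-12T10:00:04 10.0.0.5 GET http://stats.invalid/flash/pdf.php 200 application/pdf
2009-09-12T10:00:40 10.0.0.5 GET http://second-stage.invalid/~user/coin.exe 200 application/octet-stream
2009-09-12T10:05:00 10.0.0.7 GET http://vendor.invalid/download/setup.exe 200 application/x-msdownload
2009-09-12T11:00:00 10.0.0.5 GET http://intranet.invalid/report.pdf 200 application/pdf
"""

# Content types commonly used when a Windows executable is served.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
# Server-side script extensions: an .exe body behind one of these is unusual.
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".cgi")


def parse_log(text):
    """Turn the space-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url, "status": int(status), "ctype": ctype})
    return events


def is_executable_download(event):
    """Successful response that is an executable by content type or by URL path."""
    path = urlparse(event["url"]).path.lower()
    return event["status"] == 200 and (event["ctype"] in EXECUTABLE_TYPES or path.endswith(".exe"))


def served_by_script(event):
    return urlparse(event["url"]).path.lower().endswith(SCRIPT_EXTENSIONS)


def script_served_executables(events):
    """First-stage indicator: executables served from script endpoints."""
    return [e["url"] for e in events if is_executable_download(e) and served_by_script(e)]


def find_download_chains(events, window=timedelta(minutes=5)):
    """Return (client, first_url, second_url) for every script-served executable
    followed, within the window, by another executable from a different host
    fetched by the same client."""
    by_client = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_client.setdefault(event["client"], []).append(event)

    chains = []
    for client, client_events in by_client.items():
        downloads = [e for e in client_events if is_executable_download(e)]
        for i, first in enumerate(downloads):
            if not served_by_script(first):
                continue
            first_host = urlparse(first["url"]).hostname
            for second in downloads[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break  # downloads are time-ordered, nothing later can match
                if urlparse(second["url"]).hostname != first_host:
                    chains.append((client, first["url"], second["url"]))
    return chains


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for client, first, second in find_download_chains(parsed):
        print(f"{client}: {first} -> {second}")
```

The plain `setup.exe` fetched by the second client is an executable download too, but it neither comes from a script endpoint nor is followed by a second stage, so it is not reported; that separation is what keeps this kind of rule from firing on every software update.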
As for the ASN in which these threats are hosted, it has an interesting criminal history, as it is used to carry out activities such as spreading malware and phishing. In the next image, the highest peak of phishing activity took place on 1 March 2009, while the peak of malicious code activity was on 12 September 2009.
That is, these activities are operated together, not in isolation. This information does not rule out that the greed of some botmaster is hiding behind all these criminal activities, since the actions are typical of a botnet.
By Jorge Mieres from http://evilfingers.blogspot.com/