2/5/2009 7:40:00 PM

The latest undetected malweb by RBN

by Rony Michaely

eSafe AID (the Attack Intelligence Datacenter) has recently discovered a new, massive Web attack operated by RBN, in which exploit code is injected into compromised legitimate websites. The injected, obfuscated script points to a remote obfuscated hidden IFrame that leads to a further obfuscated exploit. The last stage of this multistage Web attack consists of Adobe PDF and Windows Media Encoder exploit variants.

The attack stages:

The first-stage obfuscated exploit code has a low detection rate among anti-virus vendors; eSafe detects it as JS.Agent.au.

The obfuscated exploit code: [screenshot omitted]

VirusTotal results: [screenshot omitted]

The attack stages in brief:

1. A user visits a legitimate hacked website, where an obfuscated script leads to other hacked websites.
2. The second-stage hacked websites, located in Ukraine, contain obfuscated hidden IFrames that lead to the attacker's server.
3. The obfuscated exploit code on the attacker's server contains Adobe PDF and Windows Media Encoder exploit variants.
4. Affected systems are automatically joined to a bot controller located in Luxembourg.

Tracking the footprints of these domains leads to the infamous RBN (hosting of illegal sites, DDoS attacks, hacking, and pornography).
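The first two stages of the chain above leave two artefacts on the compromised page: a script wrapped in eval(unescape(...)) and a zero-sized or hidden IFrame. The following scanner flags both; it is an added example, not eSafe's detection code, and the sample page, the example.invalid host and the payload it carries are constructed for illustration.

```python
"""Flag injected eval(unescape(...)) loaders and hidden IFrames in HTML.
Added example; the sample page below is constructed, not a captured one."""
import re

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>(.*?)</\1\s*>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
# Calls that browser-side unpackers of this kind rely on.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")


def js_escape(s):
    """Percent-encode every character (used only to build the constructed sample)."""
    return "".join("%%%02x" % ord(c) for c in s)


def js_unescape(s):
    """Decode JavaScript unescape()-style %XX and %uXXXX sequences."""
    def one(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok[1] in "uU" else chr(int(tok[1:], 16))
    return ESCAPE_RE.sub(one, s)


def attrs(raw):
    """Parse a tag's attribute string into a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def is_hidden(a):
    """Zero-sized, display:none or visibility:hidden IFrames show nothing to the user."""
    def tiny(v):
        v = (v or "").strip().lower().removesuffix("px")
        return v.isdigit() and int(v) <= 1
    style = a.get("style", "").replace(" ", "").lower()
    return (tiny(a.get("width")) or tiny(a.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def script_flags(js):
    """Indicators found in one script body, in a fixed order."""
    flags = [c[:-1] for c in SUSPICIOUS_CALLS if c in js]
    if len(ESCAPE_RE.findall(js)) >= 32:           # a long run of %XX escapes is the packer's signature
        flags.append("long-escape-run")
        if "<iframe" in js_unescape(js).lower():   # decode once and look for the next stage
            flags.append("decoded-iframe")
    return flags


def scan(html):
    """Return (finding, detail) tuples in document order."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, a, body = m.group(1).lower(), attrs(m.group(2)), m.group(3)
        if tag == "iframe" and is_hidden(a):
            findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            flags = script_flags(body)
            if flags:
                findings.append(("obfuscated-script", ",".join(flags)))
    return findings


# Constructed sample: a benign script, the injected stage-one loader, a hidden
# IFrame standing in for stage two, and a legitimate visible IFrame.
INJECTED = "eval(unescape('%s'))" % js_escape(
    'document.write(\'<iframe src="http://example.invalid/">\')')
SAMPLE_HTML = f"""<html><body><h1>Welcome</h1>
<script>function greet(){{document.title='hi';}}</script>
<script>{INJECTED}</script>
<iframe src="http://example.invalid/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://example.com/player" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(*finding)
```

Decoding the escaped payload and re-scanning it is what turns "suspicious-looking script" into "script that writes an IFrame"; the same decode-and-rescan loop is worth repeating on the second-stage page, since the text notes that stage is obfuscated as well.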

Tags: Malweb | Hackers | eCrime

1/4/2009 3:47:00 PM

Cyberwar Emerges Amid The Israeli-Palestinian Conflict in Gaza

by Mahran Amona

Since the beginning of the Israeli military campaign in the Gaza Strip, thousands of Israeli websites have come under cyber-attacks carried out by hacking groups operating out of Morocco, Lebanon, Turkey, and Iran.

A Moroccan Islamic group hacked into the registration-system server of domainthenet.com last Friday, and the main pages of more than 300 Israeli websites were defaced. The group hijacked the domains of major Israeli websites, including Israel Discount Bank, a weather-forecast site and Ynet News, a popular Israeli news site. Visitors to the hijacked domains were rerouted to websites featuring images of casualties of the ongoing Israeli offensive against Gaza, together with anti-Israeli and anti-U.S. messages.

Ynet reported that the hackers obtained a password that granted them access to the server, “which updates and 'translates' the websites' IP addresses into a Domain Name Service; and change the IP's numeral values, effectively rerouting users away from the original websites”. Ynet also added that the hackers did not break into the websites themselves but redirected users to a “hostile” website, while other hackers did manage to access the original websites.

It has also been reported that another popular Israeli news website, “debka.co.il”, is down due to a cyber attack.

And here comes the cyber response from the Israeli side: a group of Israeli students has built a website that allows any user, even a non-technical one, to attack Hamas websites. The group defines itself as “a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering, NO MORE!”. The group says that it “created a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel”.

The attack is performed by downloading a file that launches a DoS attack: the file repeatedly sends requests to the servers hosting the Hamas websites, and the volume of requests overloads them. Once an attacked server can no longer handle all the requests, the websites it hosts become unavailable. The file is, naturally, blocked by eSafe because of its malicious nature.

This outbreak of cyber-attacks is typical of the emerging pattern of cyberwar. Last year's Russian-Georgian cyberwar showed how political tensions are usually preceded or followed by cyber-attacks on targets affiliated with the opposing side.


Tags: Hackers

12/4/2008 1:35:00 PM

Christmas shopping online - make sure you get what you PAY for

by Iftach Ian Amit

In line with our ongoing “education” series, we all know by now that eCrime no longer lurks waiting for victims to come knocking, but works vigilantly to ensure that whatever draws the most online interest at any given moment is used to boost its profitability.

That said, trawling online shopping sites and working out which Christmas e-tailer to hit was apparently too much hard work; the target picked for this season's eCrime heist was a payment provider instead. Checkfree.com had its DNS records hijacked by eCriminals looking to catch the start-of-month bill payments. Customers trying to use the CheckFree service were redirected to a server hosted in Ukraine, which presented them with a blank page while attempting to exploit their browsers and install a Trojan on their systems.

Just like in any other seasonal event (1, 2), we were all expecting the Christmas shopping season to be littered with eCrime attacks (and we are still seeing a rise in the number of threats related to online shopping sites), but this one is a real step up in the audacity exhibited by cybercriminals.
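Both the domainthenet.com incident in the Gaza post above and this CheckFree hijack changed what a domain resolves to without touching the website itself, so the check a service owner wants is a comparison of live DNS answers against a pinned baseline: which addresses the name serves, which nameservers it is delegated to, and whether the addresses fall inside the netblocks the site is actually hosted in. The following is an added example, not code from CheckFree, Ynet or eSafe; the domain, addresses, nameservers and resolver output are constructed placeholders.

```python
"""Baseline check for DNS-level hijacking of a service domain.
Added example; every name, address and answer below is constructed."""
import ipaddress

# Pinned baseline captured at a known-good time, plus the netblocks the
# service is served from (placeholders, not real infrastructure).
BASELINE = {
    "www.example.com": {
        "A":  {"192.0.2.10", "192.0.2.11"},
        "NS": {"ns1.example.com.", "ns2.example.com."},
    },
}
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed answers in `dig +noall +answer` layout: known-good, then hijacked
# (new A record pointing elsewhere, delegation moved to foreign nameservers).
GOOD = """www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN A 192.0.2.11
www.example.com. 86400 IN NS ns1.example.com.
www.example.com. 86400 IN NS ns2.example.com."""
HIJACKED = """www.example.com. 60 IN A 198.51.100.7
www.example.com. 60 IN NS ns1.attacker.invalid.
www.example.com. 60 IN NS ns2.attacker.invalid."""


def parse_answers(text):
    """Parse 'name ttl class type rdata' lines into {name: {type: {rdata, ...}}}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name = parts[0].rstrip(".").lower()
        rtype, rdata = parts[3].upper(), " ".join(parts[4:])
        records.setdefault(name, {}).setdefault(rtype, set()).add(rdata)
    return records


def audit(baseline, observed, expected_nets):
    """Return (severity, message) alerts for every deviation from the baseline.

    NS deviations are rated critical: a changed delegation is what a compromised
    registrar account produces, and it survives any fix made inside the zone.
    """
    alerts = []
    for name, types in baseline.items():
        seen = observed.get(name, {})
        for rtype, expected in types.items():
            got = seen.get(rtype, set())
            sev = "critical" if rtype == "NS" else "high"
            for extra in sorted(got - expected):
                alerts.append((sev, f"{name} {rtype} unexpected value {extra}"))
            for gone in sorted(expected - got):
                alerts.append((sev, f"{name} {rtype} baseline value {gone} no longer served"))
            if rtype == "A":
                for ip in sorted(got):
                    addr = ipaddress.ip_address(ip)
                    if not any(addr in net for net in expected_nets):
                        alerts.append(("high", f"{name} resolves to {ip}, outside expected netblocks"))
    return alerts


if __name__ == "__main__":
    for sev, msg in audit(BASELINE, parse_answers(HIJACKED), EXPECTED_NETS):
        print(sev, msg)
```

Run it from more than one resolver vantage point: a hijack at the registrar propagates to every resolver, while a poisoned or misconfigured local resolver shows up on only one, and the two call for different responses.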


Tags: Hackers

11/23/2008 10:47:00 PM

Facebook Worm Needs Your Help to Read CAPTCHAs!

by Bahaa Naamneh

After using Geocities as its main redirection point, the Koobface worm is now using Google's Blogger to redirect Facebook users to malware websites.

In this latest attack, the worm sends Facebook users messages urging them to watch a video that appears to be hosted on Blogger. Victims end up infecting their systems with the latest Koobface variant from a fake YouTube website. To mass-create the Blogger accounts used to redirect to the malicious domains, this Koobface variant needs a little help from you: reading CAPTCHAs.

This attack uses tempting messages such as “You look so fine in this video”; here is how such a message looks: [screenshot omitted]

If the user follows the message and clicks the proposed blogspot.com link, they are redirected to a fake YouTube website, which requires the user to install an alleged “Adobe Flash Player Installer” (Flash_Update.exe) in order to watch the video. Executing Flash_Update.exe infects the system with the Koobface worm.

How the attack works in detail:
Flash_Update.exe downloads two executables, google_reg.exe and captcha.exe, onto the affected system from aibcvienna.org, which appears to be a legitimate website compromised by the attackers. Note that the same domain also hosts executables tailored for hi5 and MySpace users.

google_reg.exe attempts to create new Google accounts, for which it needs a human to read the CAPTCHA. It uploads the CAPTCHA image to a server and waits for captcha.exe to download it. captcha.exe drops a file named captcha5.dll into the Program Files directory and runs it with rundll32.exe, the Windows system utility that executes functions exported by DLLs. The dropped DLL displays a shutdown window that freezes the system and pressures the user into typing the characters shown in an image before a three-minute countdown expires. That image is the CAPTCHA that google_reg.exe is waiting to have solved by the victim.

 

Once entered, the characters are sent back to the server, where google_reg.exe is waiting for them to finish creating the blogspot.com account, which is then used to attack other Facebook users.
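The chain just described (Flash_Update.exe downloads captcha.exe, which drops captcha5.dll into Program Files and runs it through rundll32.exe) reduces to two detection rules over process-creation telemetry: rundll32.exe loading a DLL by full path from outside the Windows system directories, and an executable in a user-writable location spawned by another such executable. The following is an added example, not eSafe's code; the events are constructed in the shape of Sysmon Event ID 1 fields, and the PIDs, user name and paths are placeholders.

```python
"""Two detection rules for the dropper chain above, run over constructed
process-creation events. Added example; PIDs, paths and user are placeholders."""
import re
from pathlib import PureWindowsPath

EVENTS = [  # constructed, in Sysmon Event ID 1 shape: pid, ppid, image, command line
    dict(pid=1200, ppid=900,  image=r"C:\Program Files\Internet Explorer\iexplore.exe",
         cmdline="iexplore.exe"),
    dict(pid=1300, ppid=1200, image=r"C:\Users\alice\Downloads\Flash_Update.exe",
         cmdline="Flash_Update.exe"),                            # the fake Flash installer
    dict(pid=1400, ppid=1300, image=r"C:\Users\alice\AppData\Local\Temp\captcha.exe",
         cmdline="captcha.exe"),                                 # downloaded second stage
    dict(pid=1500, ppid=1400, image=r"C:\Windows\System32\rundll32.exe",
         cmdline=r'rundll32.exe "C:\Program Files\captcha5.dll",Start'),  # dropped DLL
    dict(pid=1600, ppid=900,  image=r"C:\Windows\System32\rundll32.exe",
         cmdline="rundll32.exe shell32.dll,Control_RunDLL"),      # benign: bare system DLL
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def rundll32_module(cmdline):
    """Return the DLL argument of a rundll32 command line (quoted or bare), else None."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def ancestry(events, pid):
    """Image names from pid upward (child first), stopping where telemetry ends."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(PureWindowsPath(by_pid[pid]["image"]).name)
        pid = by_pid[pid]["ppid"]
    return names


def detect(events):
    """Return alerts in event order: (rule, detail, ...) tuples."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        if name == "rundll32.exe":
            mod = rundll32_module(e["cmdline"]) or ""
            # A bare name (shell32.dll) resolves from the system directory; a full
            # path outside it, such as the Program Files root, is the dropped DLL.
            if "\\" in mod and not is_system_path(mod):
                alerts.append(("rundll32-nonsystem-dll", mod, ancestry(events, e["ppid"])))
        elif in_user_writable(e["image"]):
            parent = by_pid.get(e["ppid"])
            if parent and in_user_writable(parent["image"]):
                alerts.append(("dropper-chain",
                               PureWindowsPath(parent["image"]).name,
                               PureWindowsPath(e["image"]).name))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The ancestry attached to the rundll32 alert is what makes it actionable: captcha.exe under Flash_Update.exe under the browser is the whole infection story in one line, and it separates this from the many legitimate installers that also call rundll32 with a DLL they just unpacked.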


Tags: Hackers | Web-based Trojans

11/18/2008 9:03:00 PM

AIRC Threat report and the link to McColo

by Iftach Ian Amit

As promised, the AIRC Threat Report for November is out.

And, as also promised, the link to McColo is revealed here: during the time we were looking at the criminal server, we had the opportunity to observe that someone was logged onto the server at the same time, and the connection came from… McColo.

For those of you who are wondering – no, we did not “hack”, “infiltrate” or “break” into the server. Sometimes the simplest things let you see what’s behind the mirror (and legally).


Tags: Hackers