Writeup on nbc.com distributing Citadel malware

Every now and then, an incident occurs in the SOC (Security Operation Center) that really captures everyone involved’s imagination. NBC’s websites getting hacked, is just one case, in point. Image

At 16:43 CET, this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting US financials institutions. This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com.

https://www.virustotal.com/en/file/96deefbe5034d826b2fe4796c32104badaa6c8df768da1059827ccac6ef2f9d8/analysis/1361464137/

It has been shown before (with Dutch news site nu.nl, for example, along with the recent incidents at the New York Times and Wall Street Journal), targeting media and news websites can vastly improve an attacker’s chances of success. Users presume these large organizations websites to be free from malware. If an attacker can gain access to these web servers, they can use them to distribute malware to every visitor of that web server.

Image

The flow of the attack looks like this:

An iframe (on nbc.com) loads a webpage that tries to download and execute a malicious JAR file as well as a malicious PDF.

hxxp://finesseindia.com/332.jar & hxxp://finesseindia.com/987.pdf

Many more different URLs have been used in the coming hours after the first sign of the attack was detected.

The Citadel malware distributed is configured to manipulate traffic to and from the banking sites of the following banks amongst others:

  • Wells Fargo
  • USAA
  • Citibank
  • Bank of America
  • TD Ameritrade
  • Suntrust
  • Navy Federal Credit Union
  • Citizensbank Online
  • Fifth Third Bank
  • PNC
  • Chase
  • Schwab
  • American Express

The malware was no longer served at 21:28 CET.

This isn’t the first time a major website is compromised and starts spreading malware, and we don’t presume its the last. Be wary.

Barry Weymes et al.

Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.

Oracle getting serious about Java

Recently, Oracle released new a version of Java with a difference. Java/1.7.0_13 is the latest version. Its increased the default security from ‘Medium’ to ‘High’, which restricts execution of unsigned applets. It also introduced a new warning to people executing Java code which checks if Java is using the latest version. You might notice the process jusched.exe running on your Windows PC to do this check. The conclusion here is that Oracle is getting serious about keeping its users up to date.

JavaOne

The above notice will give the users three choices: Update, Block or Continue. ‘Update’ will stop the execution and bring the user to the Java website to download the latest and safest version. ‘Block’ will not allow Java from being executed now and in future. By pressing ‘Block’ the user  Pressing ‘Later’ button the java code will be executed.

JavaTwo

Why this updating matters? It matters because these days the majority of machines exploited are because of Java vulnerabilities. Exploit kits used to deliver a malicious payload to a victims computer are the form of a jar file (Java Archive). This usually happens when the victim visits a compromised website or opens a malicious email. A typical exploit kit has some malicious JavaScript that will test for vulnerable Java versions (amongst other things). Once the script has found the vulnerable version, it will automatically try to execute a malicious jar file to gain control of the machine. Some examples of successful exploitation that we have seen at the SOC recently:

  • hxxp://nika16.nazwa.pl/332.jar Java/1.6.0_14
  • hxxp://stp.softupcheck.info/28ce4a88eed0ccb186520e43a867c384/1359543705/9ojy9x.app  Java/1.6.0_20
  • hxxp://kh.jimmywalkermusic.com /WtfWQjU.jar Java/1.6.0_37
  • hxxp://www1.v4xm7g02agdn0.undo.it/mkbrifd.jar Java/1.6.0_38
  • hxxp://uvyesn.dyndns-at-home.com/funds/1z9a02laoa15yy1591g5.jar Java/1.7.0_06

Blackhole_2.0.1_succesful_exploitation_distribution

Above shows part of a web interface for a botnet that has over 17500 successfully exploited systems using this blackhole exploit kit, we can see that over 78% of the systems was compromised by a Java exploit. This percentage is common and similar in other exploit kits, showing that Java continues to be the most commonly attacked application.

It would seem that users, don’t update software regularly and this is why the recent move by Oracle is important. Hopefully, this will stop the bad guys (continuously) taking advantage of that fact.

In the wild, we have seen the all types of old Java virtual machines getting compromised, anyone with these versions are obviously vulnerable. It is highly recommended that you either disable/uninstall Java or if you must use it make sure it is always up to date. Oracle’s increased focus on security stems from the need for better security in the software we use everyday, if this doesn’t happen maybe users and organisations will simply not accept it because it is too risky to have installed anymore.

Barry Weymes et al, Security Analyst at the Fox-IT Security Operations Center.