DNS takeover redirects thousands of websites to malware

Starting on Mon, 5 August 2013, 06:57:30 Fox-IT’s monitoring service detected a redirect, initially on conrad.nl and later on many other websites. Because the compromise happened at the DNS level rather than on the individual sites, thousands of websites are redirecting; in total three web hosters appear to have been affected by the DNS server compromise:

  • Digitalus
  • VDX
  • Webstekker

All sites using the DNS servers of these companies will have been affected. The official response given by Digitalus was that someone modified their entries in the DRS of SIDN (the .nl domain registration system), replacing the name servers with external ones. This means that any DNS request for the affected domains ended up at the malicious DNS servers. The remaining problem is that the DNS zones have a TTL (time to live) of 24 hours, so most ISP resolvers will keep the incorrect data in their caches for at least that long. After being contacted they fixed the issue and most public name servers now respond with the correct data. How the intruders got access to the DRS remains unknown until Digitalus or SIDN disclose more information; they are still investigating the issue (source).

Every website that was requested responded with a blank “Under construction” page containing an iframe. The iframe pointed to a host running the Blackhole Exploit Kit. While initially we assumed conrad.nl itself was compromised, we found that the DNS servers were returning the same IP for every site: 178.33.22.5

The nameserver responses for conrad.nl as an example:

;; ANSWER SECTION:
conrad.nl.        300        IN        NS ns1.dn-s.nl.
conrad.nl.        300        IN        NS ns2.dn-s.nl.
;; ADDITIONAL SECTION:
ns1.dn-s.nl.        7200        IN        A 85.158.251.251
ns2.dn-s.nl.        7200        IN        A 83.96.142.70
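A delegation check of the kind used to spot this, as an added example and not code from the original post. It parses dig-style output such as the answer above, compares the NS set seen for the zone with the set the hoster is expected to publish, and reports the glue addresses of any unexpected name servers together with the largest TTL in the answer (which bounds how long a resolver that cached it keeps serving the rogue delegation). The expected name servers in EXPECTED_NS are a placeholder assumption; the post does not list the hoster's legitimate servers.

```python
import re

# Constructed sample: the delegation for conrad.nl as quoted in the post.
OBSERVED_DIG = """\
;; ANSWER SECTION:
conrad.nl.        300        IN        NS ns1.dn-s.nl.
conrad.nl.        300        IN        NS ns2.dn-s.nl.
;; ADDITIONAL SECTION:
ns1.dn-s.nl.        7200        IN        A 85.158.251.251
ns2.dn-s.nl.        7200        IN        A 83.96.142.70
"""

# Assumption: placeholder names standing in for the hoster's real name servers.
EXPECTED_NS = ["ns1.example-hoster.nl", "ns2.example-hoster.nl"]

# owner  ttl  IN  type  rdata   (only the record types a delegation check needs)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_dig(text):
    """Return (owner, ttl, type, rdata) tuples for the NS/A/AAAA records in dig output."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records


def _fqdn(name):
    """Normalise a name to lower case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def check_delegation(records, zone, expected_ns):
    """Flag NS records for `zone` that are not in the expected set.

    Reports the glue addresses those servers carry (the resolvers will be
    sent there) and the largest TTL seen in the answer, which is the upper
    bound on how long a resolver that cached this answer keeps using it.
    """
    zone = _fqdn(zone)
    seen_ns = {rdata for owner, _, rtype, rdata in records
               if owner == zone and rtype == "NS"}
    glue = {owner: rdata for owner, _, rtype, rdata in records
            if rtype in ("A", "AAAA")}
    rogue = seen_ns - {_fqdn(n) for n in expected_ns}
    return {
        "hijacked": bool(rogue),
        "rogue_ns": sorted(rogue),
        "rogue_ips": sorted(glue[n] for n in rogue if n in glue),
        "max_ttl_seconds": max((ttl for _, ttl, _, _ in records), default=0),
    }


if __name__ == "__main__":
    result = check_delegation(parse_dig(OBSERVED_DIG), "conrad.nl", EXPECTED_NS)
    print(result)
```

In practice this is run against the answer of an authoritative parent server for .nl (or a recursive resolver you want to audit) for every zone the hoster is responsible for; the max TTL is what tells you whether a resolver that answers correctly again has actually expired the bad data or simply never cached it.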

Analysis of the attack

When visiting the page on IP 178.33.22.5 the following response was given:

(image: malicious iframe)

The host cona.com at the time resolved to 199.233.237.211. This hosted the exploit kit named Blackhole. The kit targeted the client with a PDF exploit (3/45 detections on VirusTotal) and a Java exploit (3/46 on VirusTotal).
The URL data for an infected client looks as follows:

"GET http://www.conrad.nl/ HTTP/1.1" - - "-" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0"
"GET http://cona.com/removal/stops-followed-forces.php HTTP/1.1" - - "http://www.conrad.nl/" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0"
"GET http://cona.com/removal/stops-followed-forces.php?xsbmHaOUDWN=RcezQhYNSbrYT&BOZRScKNhz=QoMIfWkfOPj HTTP/1.1" - - "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_32"
"GET http://cona.com/removal/stops-followed-forces.php?If=3030562f53&We=2i2j55302f2h322g2e52&i=2d&FE=V&ma=p HTTP/1.1" - - "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_32"
"GET http://www.champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg HTTP/1.1" - - "-" "Internet"

The first request is to conrad.nl, which resolved to the malicious IP. This is followed by a request to the Blackhole exploit kit landing page via the initial iframe. After the script on the landing page executes, it makes a request (in this example) to retrieve a JAR file that exploits the vulnerable Java version. Once Java has been exploited, a final request to the exploit kit retrieves the initial payload. Moments after downloading this, the initial payload downloads a secondary payload containing the Tor-powered malware; note the sudden change of user agent to “Internet”.

The dropped malware communicates over the Tor network with various command and control servers. Hashes for the files seen being dropped by the exploit kit:
d758fd8cfb80a458a43770037ec82aac
1af107152eda9cc870c639a5b1c3c466

The initial binary dropped from the exploit kit contacts the following two domains to download a second-stage payload:

http://champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg
http://panningendeavor.net/tr2.jpg

Cleanup

The instructions previously given in this post might not work for updated versions of the malware; we now advise using HitmanPro.Kickstart to clean up your PC.

Lennart Haagsma & Yonathan Klijnsma, Security Specialists at Fox-IT

Analysis of malicious advertisements on telegraaf.nl

Starting on Wed, 31 July 2013, 18:54:50 Fox-IT’s monitoring system detected a redirect occurring on telegraaf.nl. It was another case of advertisement provider abuse.
One of the advertisement providers loaded ads from an outside resource which returned an exploit kit named “FlimKit”.
After the first redirect was removed from telegraaf.nl, a second exploit kit redirect appeared, dropping a similar payload with a different hash. A list of the dropped samples:

Payloads:

Java exploits seen used:

MD5 hashes of all samples seen:

  • a5df4884c44a4c812a4cc7a1c133238e
  • 0e12760912ffeb6febe1bb790169eb35
  • a516e257177d6aa3d7edf3ff80c88304
  • dda3b490cd01690e12b280e5bb935bce

The HTTP-requests looked as follows for a client:

  • “GET hxxp://www.telegraaf.nl/ HTTP/1.1” – –
  • “GET hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw HTTP/1.1” – – “hxxp://www.telegraaf.nl/”
  • “GET hxxp://youradserv.com/adserver/cpvload2.php HTTP/1.1” – – “hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw”
  • “GET hxxp://sopixocyz.nl/0ha4hiozw1dzxegaehdg HTTP/1.1” – – “hxxp://youradserv.com/adserver/cpvload2.php”

The “sopixocyz” domain was the exploit kit. The domains are produced by a form of DGA (domain generation algorithm); the following shows an analysis run done on a virtual machine:

  • “GET hxxp://youradserv.com/adserver/cpvload2.php HTTP/1.1”
  • “GET hxxp://ubaduroqi.nl/gk1mxwyeskomx9vohca HTTP/1.1” – – “hxxp://youradserv.com/adserver/cpvload2.php”
  • “GET hxxp://static.avast.com/web/i/form-close.png HTTP/1.1” – – “hxxp://ubaduroqi.nl/gk1mxwyeskomx9vohca”
  • “GET hxxp://youradserv.com/favicon.ico HTTP/1.1”
  • “GET hxxp://ubaduroqi.nl/m2d1yiscwd HTTP/1.1”
  • “GET hxxp://ubaduroqi.nl/79dffb97cdemt7z7dtrwcysmb9.jar HTTP/1.1”
  • “GET hxxp://ubaduroqi.nl/m2d1yiscwd HTTP/1.1”
  • “GET hxxp://ubaduroqi.nl/m2d1yiscwd HTTP/1.1”
  • “GET hxxp://ubaduroqi.nl/fc43a11b2f0maovn8u9ieje7 HTTP/1.1”
  • “GET hxxp://obofonaxy.nl/X3SE7pFtYnh5Lm1tb2JvZm9DYXh5Lm4= HTTP/1.1”
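The two request sequences above (the Blackhole chain from conrad.nl and the FlimKit chain from telegraaf.nl) are the kind of proxy-log pattern a monitoring system keys on: a page load on a watched site, a referer chain into a third-party host, and then fetches with a non-browser user agent or a JAR download. The following is an added example, not Fox-IT's monitoring code: it parses lines in the format quoted in both posts (undoing the hxxp defanging and curly quotes as copied), walks referers back to the site the victim originally visited, and flags the Java plugin fetch, the “Internet” user agent and the .jar retrieval. The sample log is constructed from lines quoted in the two posts; the indicator names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: request lines copied from the two posts, one Blackhole
# chain (conrad.nl) and one FlimKit chain (telegraaf.nl), with the hxxp
# defanging and curly quotes left exactly as they appear on the page.
SAMPLE_LOG = '''\
"GET http://www.conrad.nl/ HTTP/1.1" - - "-" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0"
"GET http://cona.com/removal/stops-followed-forces.php HTTP/1.1" - - "http://www.conrad.nl/" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0"
"GET http://cona.com/removal/stops-followed-forces.php?xsbmHaOUDWN=RcezQhYNSbrYT&BOZRScKNhz=QoMIfWkfOPj HTTP/1.1" - - "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_32"
"GET http://www.champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg HTTP/1.1" - - "-" "Internet"
“GET hxxp://www.telegraaf.nl/ HTTP/1.1” – –
“GET hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw HTTP/1.1” – – “hxxp://www.telegraaf.nl/”
“GET hxxp://youradserv.com/adserver/cpvload2.php HTTP/1.1” – – “hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw”
“GET hxxp://ubaduroqi.nl/79dffb97cdemt7z7dtrwcysmb9.jar HTTP/1.1” – – “hxxp://youradserv.com/adserver/cpvload2.php”
'''

# "METHOD url HTTP/x.y" - - "referer" "user-agent"   (referer and UA optional)
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" - -'
    r'(?: "(?P<referer>[^"]*)")?(?: "(?P<ua>[^"]*)")?'
)


def _normalise(line):
    """Undo the copy/paste defanging used in the posts: curly quotes, en dashes, hxxp."""
    return (line.strip()
            .replace("\u201c", '"').replace("\u201d", '"')
            .replace("\u2013", "-")
            .replace("hxxp://", "http://"))


def parse_log(text):
    """Return one dict per request: url, host, referer (None if absent or '-'), ua."""
    requests = []
    for raw in text.splitlines():
        m = LINE_RE.match(_normalise(raw))
        if not m:
            continue
        ref = m.group("referer")
        requests.append({
            "url": m.group("url"),
            "host": urlparse(m.group("url")).hostname,
            "referer": None if ref in (None, "-") else ref,
            "ua": m.group("ua") or "",
        })
    return requests


def referer_chain(requests, url):
    """Walk referers backwards from `url`; returns the hosts with the entry site first."""
    by_url = {r["url"]: r for r in requests}
    chain, seen = [], set()
    cur = by_url.get(url)
    while cur and cur["url"] not in seen:
        seen.add(cur["url"])
        chain.append(cur["host"])
        cur = by_url.get(cur["referer"]) if cur["referer"] else None
    return list(reversed(chain))


def entry_site(requests, host):
    """The site at the top of the first referer chain that led to `host`, or None."""
    for r in requests:
        if r["host"] == host and r["referer"]:
            return referer_chain(requests, r["url"])[0]
    return None


def find_indicators(requests):
    """Flag the post-exploitation tells visible in both chains (names are my own)."""
    findings = []
    for r in requests:
        ua = r["ua"]
        path = urlparse(r["url"]).path.lower()
        if "java/" in ua.lower():
            findings.append((r["host"], "java_plugin_fetch"))   # JRE fetching the exploit
        elif ua and not ua.startswith("Mozilla"):
            findings.append((r["host"], "non_browser_ua"))      # e.g. the "Internet" agent
        if path.endswith(".jar"):
            findings.append((r["host"], "jar_download"))
    return findings


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for host, reason in find_indicators(reqs):
        print(f"{reason:18} {host:25} entry site: {entry_site(reqs, host)}")
```

Note that the Java plugin's own requests carry no referer, which is why the Blackhole chain has to be tied back to conrad.nl through the earlier browser request to the same host, while the second-stage download by the dropped binary (“Internet”) has no chain at all and is caught on its user agent alone.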

Java was targeted for the attack using CVE-2012-1723 and CVE-2013-2423. The files dropped by this kit were (in our case; filenames are randomized):

  • rysxtbciqycmxeedc.dll
  • rysxtbciqycmxeedc.exe

After running, the user is presented with the following window, which blocks any interaction with the rest of the desktop:

(screenshot: telegraaf.nl_winlocker_ano)

The odd part is that the whole thing is hosted on NL-based servers and the DGA domains are also under .nl, which is quite rare.
The IPs involved in the exploit kit and payload domains are:

  • 128.204.202.41
  • 46.182.106.96

A small sample of the DGA domains we encountered:

  • aqaxiboqe.nl
  • codudiref.nl
  • ducyqaxas.nl
  • fojavexuz.nl
  • obofonaxy.nl
  • obyfyfexe.nl
  • ubaduroqi.nl
  • sopixocyz.nl
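The eight sample domains share an obvious structure: a single nine-letter label under .nl in which consonants and vowels strictly alternate (counting y as a vowel). The following is an added example, not Fox-IT's detection logic and not the kit's generator (which the post does not give): a heuristic fitted to that sample, combined with the two IPs the post lists so that a name match alone is treated as a triage hint rather than a verdict. The control hosts are constructed; “parameter.nl” is a made-up ordinary word included to show that real words of this shape also match.

```python
# The eight sample domains listed in the post.
SAMPLE_DGA = ["aqaxiboqe.nl", "codudiref.nl", "ducyqaxas.nl", "fojavexuz.nl",
              "obofonaxy.nl", "obyfyfexe.nl", "ubaduroqi.nl", "sopixocyz.nl"]

# The two IPs the post lists for the exploit kit and payload domains.
KNOWN_KIT_IPS = {"128.204.202.41", "46.182.106.96"}

# Constructed control list: legitimate names from the posts plus one made-up
# ordinary word that happens to fit the pattern (assumption, not from the post).
CONTROL = ["www.telegraaf.nl", "static.avast.com", "champagnekopen.nl",
           "conrad.nl", "parameter.nl"]

VOWELS = set("aeiouy")


def alternates(label):
    """True if consonants and vowels strictly alternate (y counted as a vowel)."""
    classes = [ch in VOWELS for ch in label]
    return all(a != b for a, b in zip(classes, classes[1:]))


def looks_like_sample_dga(hostname):
    """Heuristic fitted to the eight listed domains: exactly one label under .nl,
    nine letters, strictly alternating consonant/vowel. Not the kit's algorithm."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) != 2 or labels[1] != "nl":
        return False
    label = labels[0]
    return len(label) == 9 and label.isalpha() and alternates(label)


def flag_hosts(hostnames):
    """Return the hostnames that match the name heuristic."""
    return [h for h in hostnames if looks_like_sample_dga(h)]


def triage(hostname, resolved_ip=None):
    """Combine the name pattern with where the name resolves.

    'confirmed': pattern and a known kit IP; 'suspect': pattern only;
    'ip_match': known kit IP only; 'clean': neither.
    """
    pattern = looks_like_sample_dga(hostname)
    ip_hit = resolved_ip in KNOWN_KIT_IPS
    if pattern and ip_hit:
        return "confirmed"
    if pattern:
        return "suspect"
    if ip_hit:
        return "ip_match"
    return "clean"


if __name__ == "__main__":
    print("sample matches:", flag_hosts(SAMPLE_DGA))
    print("false positives in control:", flag_hosts(CONTROL))
    print(triage("ubaduroqi.nl", "128.204.202.41"), triage("parameter.nl", "192.0.2.10"))
```

The false positive on the control list is the point: a lexical pattern this loose is only useful as a first filter over passive DNS or proxy logs, with registration age, the resolved address, and the referer chain deciding whether a hit is worth a block.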

Cleanup

Because the malware blocks all interaction with the desktop and modifies various registry keys, it is quite hard to clean up manually or automatically.
There is however a way to stop the malware from running so you can back up your files and do a reinstall.
This only works if another account is available on the machine. Reboot the machine in safe mode with networking and log in as the other user. Logging in with your own user will make the machine reboot on logon; this is done by the malware.
Once logged in you can locate the binaries in %temp%; this is where the exploit kit dropped them: %systempath%\temp\<random filename>.exe (%systempath% translates to the Windows folder on your main drive).
Remove, move or rename those files and reboot the machine. When rebooted, the machine will show the desktop without Explorer running and only a command prompt showing an error. This is the malware failing to start:

(screenshot: vm_cleanup)

Run “explorer” in the command prompt to get the taskbar and file browser back. Start backing up files and reinstall the machine when done.
The malware makes various edits in the registry, and cleaning up all of these is time consuming and not necessarily successful. This method does however allow file backups.

Alternatively you can use HitmanPro.Kickstart to clean up your PC.

Yonathan Klijnsma, Security Specialist at Fox-IT