The Latest in IT Security

Pseudorandom domain name generation and the Blackhole exploit kit

05 Jul 2012

Blackhole. Image from Shutterstock.

In this post I want to highlight one of the script injections we have been tracking for the past month or so, which is being used to redirect web traffic to exploit sites (running the Blackhole exploit kit). Two factors make this particular script injection worthy of discussion, namely:

  • large-scale attacks: many legitimate sites have been hit in these attacks.
  • the JavaScript generates a random string which is used within the target domain name.

We first saw this redirect script at the start of June. Sophos products block infected pages as Mal/Iframe-AF, and since early June the prevalence of this threat has risen to the top of our web threat stats (accounting for 30-50% of all web threat detections).

The injected script is obfuscated, as we expect nowadays, and will typically be seen appended to legitimate JavaScript libraries within sites. An excellent write-up here suggests that a vulnerability in Plesk (server admin software) was used to gain access to sites and add the malicious code.

Deobfuscating the malicious JavaScript is trivial and lets us see the true payload, an iframe redirect. However, this attack is made slightly more interesting by the use of a simple date-based algorithm to generate a random string that is used in the target domain name.

The script generates a random string based on the current date, changing the string every 12 hours. It is a pretty simplistic approach.

This is not the first time we have seen this tactic in malicious JavaScript redirects – Sinowal did something similar back in 2009. Of course, once they have their hands on the code, it is easy for the good guys to generate all the possible domain names and get them blacklisted. Sinowal responded to this by including unpredictable data in its algorithm – using content pulled from a live Twitter feed.

No such elegance here I am afraid. The best we have seen are some later variants of the code which prepend a string for a “random” colour.
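The point made above, that a purely date-seeded generator lets defenders pre-compute every domain it will ever produce, and that the colour-prefix variants only multiply that list by a small constant, can be shown with a short defender-side enumeration. This is an added example, not code from the original post or from Sophos, and it does not reproduce the real Mal/Iframe-AF algorithm: `slot_token` is a constructed stand-in that shares only the property the post describes (a string that depends solely on the current date and changes every 12 hours), `.example` is a placeholder suffix, and the `CAMPAIGN_START` date is an assumption for the demonstration.

```python
"""Defender-side enumeration of a date-seeded redirect hostname.

Added example, not the post's or Sophos's code. The real generator is not
reproduced: `slot_token` is a constructed stand-in whose only shared property
is that its output depends on the current date and changes every 12 hours.
"""
import hashlib
from datetime import datetime, timezone
from typing import Iterable, List, Optional

SLOT_SECONDS = 12 * 3600               # the string changes every 12 hours
TLD = ".example"                       # placeholder suffix, not a campaign domain
CAMPAIGN_START = datetime(2012, 6, 1, tzinfo=timezone.utc)   # assumed start date


def slot_index(when: datetime) -> int:
    """Number of whole 12-hour slots since the Unix epoch, in UTC."""
    return int(when.astimezone(timezone.utc).timestamp()) // SLOT_SECONDS


def slot_token(slot: int) -> str:
    """Constructed stand-in for the date-based string: 12 letters a-p derived
    from the slot index, so the result looks like a hostname label."""
    digest = hashlib.sha256(str(slot).encode()).hexdigest()
    return "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])


def hostname_for_slot(slot: int, colour: Optional[str] = None) -> str:
    """Hostname emitted in a slot; `colour` models the later variants that
    prepend a colour word to the generated string."""
    label = slot_token(slot)
    if colour:
        label = colour + label
    return label + TLD


def hostname_for_utc(year: int, month: int, day: int, hour: int = 0,
                     colour: Optional[str] = None) -> str:
    """Convenience wrapper: hostname a visitor would be sent to at a UTC time."""
    when = datetime(year, month, day, hour, tzinfo=timezone.utc)
    return hostname_for_slot(slot_index(when), colour)


def build_blocklist(start: datetime, days: int,
                    colours: Iterable[Optional[str]] = (None,)) -> List[str]:
    """Every hostname the generator can produce from `start` for `days` days,
    in slot order: two per day for each colour prefix."""
    first = slot_index(start)
    slots_per_day = 86400 // SLOT_SECONDS
    return [
        hostname_for_slot(slot, colour)
        for slot in range(first, first + days * slots_per_day)
        for colour in colours
    ]


def is_generated(hostname: str, blocklist: Iterable[str]) -> bool:
    """Defender-side check: does an observed hostname match a pre-computed one?"""
    return hostname.lower() in set(blocklist)


if __name__ == "__main__":
    # Two days of names with and without the "red" prefix: 2 slots x 2 colours x 2 days
    for name in build_blocklist(CAMPAIGN_START, 2, colours=(None, "red")):
        print(name)
```

Because every name depends only on the clock, the list for weeks ahead can be computed once and pushed to URL filtering and DNS blocklists before the attackers ever use it; adding a handful of colour prefixes just multiplies the list by that handful. This is exactly the weakness Sinowal closed by seeding its generator with live Twitter content, which cannot be known in advance.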

The iframe that the script adds to the page is intended to point the browser to a TDS (traffic distribution system) server the attackers control. One of the strings used in some of the iframe URLs is responsible for the ‘Runforestrun’ nickname that has been attached to this attack. *

Later variants of the script use different strings, and they have started to use dynamic DNS services for the referenced target sites (a favourite trick we have seen Blackhole use aggressively).

The traffic will be bounced (via an HTTP 302) from the TDS to the exploit site (normally via a second TDS). To date the exploit site has typically been running Blackhole, where the usual array of Java, Flash and PDF exploits are used in order to infect the user.

The final payload users are infected with varies – we have seen these payloads ranging from backdoor Trojans and Zbot to ransomware.

Aside from the Mal/Iframe-AF detection of the initial script redirect, Sophos products block the rest of the components involved in the driveby download chain as follows:

  • blacklisting of the TDS servers
  • blacklisting of the exploit sites
  • detection of the landing page and PDF, Java and Flash components used by Blackhole

The final word on this should probably be some advice for site admins whose sites have been hit by this attack. As noted in the excellent blog I linked above, it is believed that a Plesk vulnerability was used to gain access to sites. So admins should ensure they update Plesk, and change ALL associated passwords.

* This is a reference to the “Run Forrest, Run!” line from the film Forrest Gump (spelling has never been the focus of malware authors).
