Wow. Lots of big news lately. Where do we start?
How about with Paunch. He is (or was) the main guy behind the Blackhole & Cool exploit kits. And he was arrested a couple of weeks ago, and people have been wondering what would happen.
Well, for one thing, the author of the Neutrino kit raised his price to match what Cool had been charging. (This fun tidbit is about half-way down in this post from researcher Kafeine, which has a lot of good data about what various groups which had been using Blackhole are doing to adapt.)
While some criminals continued to use the final version of Blackhole (with rapidly diminishing returns), the majority had to find themselves a new exkit provider. Our research shows that a lot of them have migrated to a kit known as Magnitude, backing up what Kafeine and others have said.
Here is Jeff’s take, from an e-mail last week:
When we talk about BHEK there were several different variants, all run by different people with different agendas. One variant was distributing almost exclusively Zeus-Gameover. This group as well as other groups have been in a state of panic as to where to move their business with the loss of Blackhole and Cool. It looks like the Zeus-Gameover group has jumped on the Magnitude bandwagon.
We have three large malnets that I entered a month or so ago in the Tracker as Blackhole exploit kit Servers. They are now hosting Magnitude exploit kit, and from some quick analysis today, they are distributing the Zeus-Gameover payload.
BTW, from those three big networks, plus a smaller one, we blocked almost 65,000 requests in WebPulse in the past 30 days [to clarify, those were from our “small logs” — showing just our dynamic catches; they don’t include the always-larger number of blocks via the database!], so Magnitude is definitely filling the “black hole” in the exploit kit market…
The first general write-up we saw on the php.net compromise was here. The fun part, as noted in the article, is that php.net was initially trying to convince Google to un-blacklist them because it had to be a false positive. However, Barracuda and others displayed smoking guns that told otherwise.
In the Barracuda post, they identify the evil site: zivvgmyrwy.3razbave.info, and note that the exploit was a .SWF file that then led to the malware (EXE) payload.
Fortunately for WebPulse users, 3razbave.info lives (well, lived — it’s gone now) on a server that we already knew about (126.96.36.199). In fact, we knew about it a day before Google did (we flagged the server on 10/22, about an hour after it came on-line: traffic began at 13:55 UTC — logically enough, the root domain then was 1razbave.info — and we were returning Malware ratings by 15:01)…
There were at least 143 different “subdomain.domain” combos in the “razbave” family of sites, and they were serving up Magnitude.
Digging a little further back in the traffic logs, we attempted to answer the question of “when did php.net get hacked?” Since it wasn’t sending traffic directly to the “razbave” gang, we had to find the missing links…
It turns out that there were three main sites funnelling the traffic: url.whichusb.co.uk, lnkhere.reviewhdtv.co.uk, and aexpp.stephaniemari.com. All three of them lived on a set of IP addresses in Moldova (in the 188.8.131.52/24 block), even though their parent domains are on different IPs: the attackers added their own subdomains to otherwise legitimate domains and pointed them at their own servers, a pattern we see a lot of these days…
It turns out that the Moldovan cluster acted as a relay for traffic from php.net to malicious sites on two previous occasions: on 10/08, when stats.whichkeyboard.co.uk was the relay in a single hit in our logs; and again on 10/17, when the relay was network.whichhomecinema.co.uk for seven hits. It’s tempting to speculate that these were test-runs of the attack, before the switch was officially flipped on 10/22. So php.net was compromised on or before October 8th.
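The analysis above (and the referer mix described further down, where unrelated Canadian sites feed the same relays) is a log-forensics exercise: find the hosts that receive hits referred by the victim and in turn refer clients on to the exploit kit, take the earliest such hit as a lower bound on the compromise date, and cluster the hosts by the /24 their traffic went to. The script below is an added example and is not the original post's code or Blue Coat's tooling. The log format, the client IPs and the server IPs are assumptions (the server IPs use the RFC 5737 documentation ranges); the host names are the ones the post names.

```python
"""Reconstruct the redirect chain (compromised site -> relay -> exploit kit
landing page) from proxy log lines, then cluster hosts by /24.

Added example; not the original post's code. The log format and the IP
addresses are assumptions (RFC 5737 documentation ranges for the servers).
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: "<ts> <client> <url> ref=<referer> dst=<server ip>"
SAMPLE_LOG = """\
2013-10-08T09:12:44Z 10.0.0.5 http://stats.whichkeyboard.co.uk/in.php ref=http://www.php.net/ dst=203.0.113.10
2013-10-08T09:12:45Z 10.0.0.5 http://abcd.1razbave.info/index.php ref=http://stats.whichkeyboard.co.uk/in.php dst=198.51.100.7
2013-10-17T11:03:01Z 10.0.0.9 http://network.whichhomecinema.co.uk/in.php ref=http://www.php.net/manual/en/ dst=203.0.113.22
2013-10-17T11:03:02Z 10.0.0.9 http://efgh.1razbave.info/index.php ref=http://network.whichhomecinema.co.uk/in.php dst=198.51.100.7
2013-10-22T14:00:10Z 10.0.0.12 http://url.whichusb.co.uk/in.php ref=http://www.php.net/ dst=203.0.113.31
2013-10-22T14:00:11Z 10.0.0.12 http://zivvgmyrwy.3razbave.info/index.php ref=http://url.whichusb.co.uk/in.php dst=198.51.100.7
2013-10-22T14:00:12Z 10.0.0.12 http://zivvgmyrwy.3razbave.info/a.swf ref=http://zivvgmyrwy.3razbave.info/index.php dst=198.51.100.7
2013-10-22T14:05:40Z 10.0.0.30 http://aexpp.stephaniemari.com/in.php ref=http://ironchef.ca/ dst=203.0.113.44
2013-10-22T14:05:41Z 10.0.0.30 http://qwer.3razbave.info/index.php ref=http://aexpp.stephaniemari.com/in.php dst=198.51.100.7
2013-10-22T14:09:00Z 10.0.0.31 http://www.php.net/ ref= dst=192.0.2.80
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) ref=(?P<ref>\S*) dst=(?P<dst>\S+)$')
EK_RE = re.compile(r'razbave\.info$')            # exploit-kit landing hosts
FAMILY_RE = re.compile(r'\d*razbave\.info$')     # the whole "razbave" family


def parse_log(text):
    """One dict per log line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = urlsplit(rec["url"]).hostname or ""
        rec["ref_host"] = (urlsplit(rec["ref"]).hostname or "") if rec["ref"] else ""
        records.append(rec)
    return records


def find_relays(records, victim_host, ek_pattern):
    """Hosts hit with the victim as referer that also appear as referer of an
    exploit-kit hit. Returns {relay_host: (first_seen, victim_referred_hits)}."""
    referred_by_victim = defaultdict(list)
    refers_to_ek = set()
    for r in records:
        if r["ref_host"] == victim_host:
            referred_by_victim[r["host"]].append(r["ts"])
        if ek_pattern.search(r["host"]) and r["ref_host"]:
            refers_to_ek.add(r["ref_host"])
    return {host: (min(stamps), len(stamps))
            for host, stamps in referred_by_victim.items() if host in refers_to_ek}


def earliest_compromise(relays):
    """Lower bound on when the victim started feeding the chain (ISO timestamps sort)."""
    return min(ts for ts, _ in relays.values()) if relays else None


def cluster_by_slash24(records):
    """Server hosts grouped by the /24 their traffic went to."""
    clusters = defaultdict(set)
    for r in records:
        net = ipaddress.ip_network(f'{r["dst"]}/24', strict=False)
        clusters[str(net)].add(r["host"])
    return dict(clusters)


def domain_family(records, family_re):
    """Distinct subdomain.domain combos whose host matches family_re."""
    return sorted({r["host"] for r in records if family_re.search(r["host"])})


def referer_mix(records, relay_hosts):
    """Which sites feed each relay. A relay fed by the victim plus unrelated
    sites points at a shared, mass-market chain rather than a targeted one."""
    mix = defaultdict(set)
    for r in records:
        if r["host"] in relay_hosts and r["ref_host"]:
            mix[r["host"]].add(r["ref_host"])
    return dict(mix)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    relays = find_relays(recs, "www.php.net", EK_RE)
    print("relays:", relays)
    print("compromised on or before:", earliest_compromise(relays))
    clusters = cluster_by_slash24(recs)
    for net, hosts in sorted(clusters.items()):
        print(net, sorted(hosts))
    print("razbave family:", domain_family(recs, FAMILY_RE))
    print("referers into the relay block:", referer_mix(recs, clusters["203.0.113.0/24"]))
```

Two points worth noting in the output. aexpp.stephaniemari.com is not reported as a php.net relay, because in the constructed log it is only fed by ironchef.ca, yet it sits in the same /24 as the three php.net relays and feeds the same exploit-kit block; that is exactly the mixed-traffic picture that argues against a targeted attack. And the earliest php.net-referred hit comes from the stats.whichkeyboard.co.uk relay on 10/08, which is how the "on or before October 8th" bound falls out of the logs.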
Targeted Waterhole Attack?
Given the stealthy nature of the hack, and the fact that the traffic to php.net is primarily developers and other technical folks, we’ve had some internal debate on whether or not this was meant as a stealthy waterhole attack specifically targeting those visitors — for example to try to steal web site and database passwords.
While it’s impossible to rule that out completely, there is other evidence suggesting this isn’t the case.
For one thing, there is the nature of the attack network: the sites hosting Magnitude EK are a big, noisy operation, very indicative of a mass-market attack. Another (related) point is that there was indeed other traffic mixed in with the php.net visitors: chiefly visitors arriving from a bunch of small Canadian sites (my favorites being famouscanadianwomen.com and ironchef.ca). These all seem to be in the IP block 184.108.40.206/24, which is indeed a Canadian host (Sibername.com), and it can’t be coincidence that so many small sites on the same servers were involved in the attack — that looks like a server compromise.
In any case, there’s no reason to mix this traffic into the attack if someone is trying to be stealthy.
Finally, this attack is a great illustration of the modern malware model, where the Bad Guys routinely use pay-per-install type attacks, and other “sharing” arrangements, so that a single infection can result in multiple malicious payloads being installed on your computer, from different gangs. (And since stealth goes out the window when an attack launches an in-your-face ransomware screen, that also argues against a sneak-attack scenario.)
Our colleague Andrew Brandt has been doing some analysis of the payloads used in the PHP.net attack, and will be posting his results today in the Solera blog. For now, here’s a teaser:
–C.L. & J.D.