The Latest in IT Security

entrepreneur.com compromised with CrimePack

25 Jan 2012

Today, the Websense® ThreatSeeker® Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user’s machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).

Websense customers are protected from these threats by ACET, our Advanced Classification Engine.

Update: We have contacted entrepreneur.com to notify them that their site was compromised, and by the time this blog was published the issue had been fixed.

Analysis:

The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We’ll explain how this works in detail. Let’s start by visiting the home page of entrepreneur.com, where we notice an iframe injected into the page:

Picture 1: Hidden iframe injected into the home page of entrepreneur.com

We know this is an invisible iframe since its height is zero. This is suspicious enough to make us analyze the content of the target URL. Our analysis reveals that it contains highly obfuscated JavaScript code (Picture 2).
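A zero-height iframe pointing at a third-party host is the first indicator the analysis above keys on. The scanner below is an added example, not code from the original post or from Websense; it parses page HTML, flags iframes hidden by zero dimensions or hiding CSS, and notes when the frame's host differs from the page's own. The sample HTML and the `attacker-placeholder.invalid` domain are constructed stand-ins, not the real injected markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not code from the original post. Constructed sample page: the
# off-site domain is a placeholder standing in for the real injected URL.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
<iframe src="http://attacker-placeholder.invalid/index.php" width="1" height="0"></iframe>
<iframe src="/local/frame" style="display:none"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag as an attribute dict."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.frames.append({k: (v or "") for k, v in attrs})

def _is_zero(value):
    """True for dimension attributes that render nothing (0, 0px, 0%)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) == 0

def find_hidden_iframes(html, page_host):
    """Return (src, reasons) for iframes a visitor would never see.

    Zero height/width or hiding CSS is the signal the analysis relied on; an
    off-origin src is noted too, since site owners rarely hide third-party frames.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for f in collector.frames:
        reasons = []
        if _is_zero(f.get("height")) or _is_zero(f.get("width")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden-style")
        if not reasons:
            continue
        host = urlparse(f.get("src", "")).hostname
        if host and host != page_host:
            reasons.append("off-origin:" + host)
        hits.append((f.get("src", ""), ",".join(reasons)))
    return hits
```

Run against a saved copy of a page's HTML, the visible 300x200 frame passes while the zero-height off-site frame and the `display:none` frame are reported with their reasons.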

We need to de-obfuscate it to see if this is malicious or not. On the first layer of de-obfuscation, we immediately notice that something is not quite right. The code tries to access the Java engine in various ways and loads a module named “cpack,” which we surmise could be the CrimePack-generated code (Picture 3).

To confirm our suspicions, we need to de-obfuscate the second level, too, to get a clear overview of what redirections have been utilized during visits to this page. After de-obfuscating the second level, we see that the code creates another iframe that loads the “bof.php” file from the malicious server (Picture 4).

From its source code (Picture 5), we ascertain that this “bof.php” file is part of the CrimePack exploitation module.

If we take a second look at index.php, we notice that it loads another JavaScript file called “detect.js” (Picture 6). This is a module that helps determine which plugins are installed in the browser. The exploit kit then uses this information to build a vulnerability matrix that describes which type of exploit can be successfully used in a user’s particular environment (Picture 7).

Picture Gallery: 

Picture 2: Highly obfuscated JavaScript code on the malicious site

Picture 3: Various modules are loaded from the first layer of de-obfuscated code


Picture 4: Java classes and iframes injected from the second layer of obfuscated code

Picture 5: CrimePack delivers Java exploit code to a user’s browser

Picture 6: A malware helper module uses a legitimate “Dean Edwards” obfuscation method

Picture 7: The helper module checks what plugins are installed on the browser, enabling CrimePack to build a vulnerability matrix
