The Latest in IT Security

entrepreneur.com compromised with CrimePack

25
Jan
2012

Today, WebsenseR ThreatSeekerR Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user’s machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).

Websense customers are protected from these threats by ACET, our Advanced Classification Engine.

Update: We have contacted entrepreneur.com to notify that their site was compromised and by the time this blog was published the issue had been fixed.

Analysis:

The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We’ll explain how this works in detail. Let’s start by visiting the home page of entrepreneur.com where we notice an iframe injected into the page:

Picture 1: Hidden iframe injected into the home page of entrepreneur.com

We know this is an invisible iframe since its height is zero. This is suspicious enough to make us analyze the content of the target URL. Our analysis reveals that it contains a highly obfuscated JavaScript code (Picture 2).

We need to de-obfuscate it to see if this is malicious or not. On the first layer of de-obfuscation, we immediately notice that something is not quite right. The code tries to access the Java engine in various ways and loads a module named “cpack,” which we surmise could be the CrimePack-generated code (Picture 3).

To confirm our suspicions, we need to de-obfuscate the second level, too, to get a clear overview of what redirections have been utilized during visits to this page. After de-obfuscating the second level, we see that the code creates another iframe that loads the “bof.php” file from the malicious server (Picture 4).

From its source code (Picture 5), we ascertain that this “bof.php” file is part of the CrimePack exploitation module.

If we take a second look at the index.php, we notice that it loads another JavaScript code called “detect.js” (Picture 6). This is a module that helps determine which plugins are installed in the browser. The exploit kit then uses this information to create a vulnerability matrix that describes what type of exploit can be successfully used in a user’s particular environment (Picture 7). 

Picture Gallery: 

Picture 2: Highly obfuscated JavaScript code on the malicious site

Picture 3: Various modules are loaded from the first layer of de-obfuscated code

 

Picture 4: Java classes and iframes injected from the second layer of obfuscated code

Picture 5: CrimePack delivers Java exploit code to a user’s browser

Picture 6: A malware helper module uses a legitimate “Dean Edwards” obfuscation method

Picture 7: The helper module checks what plugins are installed on the browser enabling CrimePack to  build a vulnerability matrix

Leave a reply


Categories

SUNDAY, FEBRUARY 05, 2023
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments