Dissecting The Urchin Script Injection Attack


Imperva’s Tomer Biton examines a new mass script injection attack that targets ASP.NET websites. As usual, this is a major technical dissection.

First, by searching for the JavaScript payload names in Google we can see the mass of infected pages:


The injection adds iframes that load one of the JavaScript payloads from two sites (URLs not listed).

The injected script:


Now, let’s deobfuscate the script:


The script targets visitors with one of 6 particular browser languages:

  • en = English
  • de = German (Standard)
  • Fr = French
  • It = Italian
  • Pl = Polish
  • Br = Breton (yes, for real)

The redirector:

We can see the ‘go_to’ statement that redirects the visitor’s browser to the www3.strongdefenseiz.in domain:


According to robtex.com:

strongdefenseiz.in returns a 302 redirection response to one of the following domains:

  • hXXp://www2.strong-dvmaster.rr.nu
  • hXXp://www2.simple-guardo.rr.nu

How do you like your malware?

We were able to identify 3 different scripts served from the above domains. The scripts are downloaded gzip-encoded; however, with the Malzilla tool we can get a better view of them:

Once the scripts execute in the visitor’s browser, one of the following pages loads:

Script # 1: Top 10 Famous Celebrity Sex Scandals


Script #2: Emma Watson never seen before home video


Script #3: Scareware/Fake Anti-Virus


What About The Malware?

The malware’s main characteristics include:

  • FileSize: 292.00 KB (299013 bytes)
  • MD5: 8DACD674BF9F7A08BFF667721E53B106
  • SHA1: 38954871CE0D2249BCFA500F24A00A5FAF93BFA0

The binary is wrapped in a layer of UPX compression. The section header contains the sections usual for a UPX-packed file:

  • .UPX0
  • .UPX1
  • .rsrc

This sample is designed to redirect web search results from Bing.com and Google.com. It uses rootkit techniques to hide its presence from the victim and from security products. This is not the first time we have seen this kind of behavior: malware from the TDSS (TDL3 and TDL4) and ZeroAccess/Sirefef families has been involved in nearly all cases of those annoying redirects.

I’m guessing the sample is eventually routing the traffic on to Google after monitoring or logging it for whatever reason.

Once executed, the sample creates a service by loading a kernel-mode driver, 5640.sys:


The SYSTEM process (PID 4) gets infected by a malicious thread injection:


The local pharming technique: the sample modifies, locks, and sets as hidden the system file /etc/hosts:


After inserting roughly 60 blank (CRLF) lines, it also adds the following entries (you must page down past the padding to see them):


The sample also copies itself to a tmp folder with a .tmp extension:


As described above, the sample is designed to redirect user searches from ‘Google’ and ‘Bing’. After infection, pinging Google.com and bing.com returned the same IP:

[Figure: ping results before infection vs. after infection]

Whereas Facebook.com is not a target:

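As an added example (not part of the original post or Imperva’s analysis), here is a Python check a defender could run over a copy of the hosts file to spot the pharming described above: it skips the blank padding lines, flags entries that pin a search-engine domain to a non-local address, and reports addresses shared by more than one search domain, which is the “same IP for google.com and bing.com” symptom the pings show. The domain list, addresses and file content are constructed for the example.

```python
import ipaddress

# Search domains the write-up reports the sample hijacks.
SEARCH_DOMAINS = {"google.com", "www.google.com", "bing.com", "www.bing.com"}
# Addresses that are normal in a hosts file and not a redirect.
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    the blank CRLF padding the sample inserts, and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def find_search_hijacks(text):
    """Return (hijacks, shared): entries pinning a search domain to a non-local
    address, and addresses shared by more than one search domain (the
    'google.com and bing.com resolve to the same IP' symptom)."""
    hijacks = [(ip, name) for ip, name in parse_hosts(text)
               if name in SEARCH_DOMAINS and ip not in LOCAL_ADDRS]
    by_ip = {}
    for ip, name in hijacks:
        by_ip.setdefault(ip, set()).add(name)
    shared = {ip for ip, names in by_ip.items() if len(names) > 1}
    return hijacks, shared


# Constructed sample (documentation-range addresses, not real indicators):
# stock header, ~60 blank CRLF lines of padding, then the injected entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1 localhost\r\n"
    + "\r\n" * 60
    + "203.0.113.10 google.com\r\n"
    + "203.0.113.10 www.google.com\r\n"
    + "203.0.113.10 bing.com\r\n"
    + "203.0.113.10 www.bing.com\r\n"
    + "192.0.2.5 fileserver.corp.example\r\n"  # unrelated entry, not flagged
)
```

To check a real machine, read its hosts file into a string and pass it to find_search_hijacks; a non-empty second element means two search domains have been pinned to one address.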

Be safe.