Dissecting The Urchin Script Injection Attack
Imperva’s Tomer Biton examines a new mass script injection attack targets ASP ASP.NET websites. As usual, this is a major technical dissection.
The Injected Script (click image to BIGGIFY):
Now, let’s deobfuscate the script:
The script targets visitors of 6 particular languages:
- en = English,
- de = German (Standard).
- Fr = French
- It = Italian
- Pl = Polish
- Br = Breton (yes, for real).
We can see the ‘go_to’ statement that redirects the visitor’s browsers to www3.strongdefenseiz.in domain:
strongdefenseiz.in returns 302 redirection response with one of the following domains:
How do you like your malware?
We were able to identify 3 different scripts from above domains. The scripts are downloaded as a gzip encoded. However, with the Malzilla tool we can see get them in a better view (click image to BIGGIFY):
Once the scripts get executed in the visitor’s browser one of the following pages loads (click images to BIGGIFY):
Script # 1: Top 10 Famous Celebrity Sex Scandals
Script #2: Emma Watson never seen before home video
Script #3: Scarware/Fake Anti-Virus
What About The Malware?
The malware’s main characteristics include:
- FileSize: 292.00 KB (299013 bytes)
- MD5: 8DACD674BF9F7A08BFF667721E53B106
- SHA1: 38954871CE0D2249BCFA500F24A00A5FAF93BFA0
The binary presents a layer of UPX compression. The Section Header is composed as usual by the following sections:
This sample designed to redirect web search results of Bing.com and Google.com. It uses rootkit techniques to hide its presence from the victim and security products. This is not the first time we see this kind of behavior, malware from the TDSS (TDL3 and TDL4) and ZeroAccess/Serifef families were involved in nearly all cases of those annoying redirects.
I’m guessing, the sample is routing the traffic eventually to Google after monitoring it or logging it for whatever reason.
Once executed the sample creates a service by loading a kernel mode driver – 5640.sys:
SYSTEM process (PID 4) gets infected by a malicious thread injection (click to BIGGIFY):
The local pharming technique? The sample modifies locks and set as hidden the system file /etc/hosts (click to BIGGIFY):
After entering ~ 60 CRLF lines also adds the following entries (must pageDn in order to see the entries):
The sample also copies itself to a tmp folder with a .tmp extension:
As described above, the sample is designed to redirect user searches from ‘Google’ and ‘Bing’. After infection pinging Google.com and bing.com returned the same IP (click to BIGGIFY):
Before Infection After Infection
Whereas Facebook.com is not a target: