I thought I'd subtitle this diary more humorously as The Twelve Ways of Pwnmas in celebration of June-uary here in the Seattle area, where it really does rain all the time. I am privileged to be party to a wide variety of data and telemetry for malfeasance and evil. One source in particular in use at Microsoft is a list of drive-by attack URLs discovered via detection technology utilized by MSRC Engineering. Please note: all URLs mentioned herein should be considered hostile and dangerous. Should you choose to explore, please do so at your own risk with the appropriate prophylactic measures. I will post domains here but not full exploit URLs; I'm glad to do so by request. I'm also glad to share samples as requested. Such a story is better told with pictures, in keeping with the depth of my analysis skills, but first some notes of interest:
The details on the domains of nefariousness are as follows:
Because infographics are all the rage:
These samples also presented a great opportunity to use an ISC Handler favorite. When you suspect code reuse or matching, Jesse Kornblum's ssdeep is an ideal tool with which to validate your assumption. As seen above, I stated that the malicious JS from six of the twelve URLs was identical. Comparing the sample (Exploit:JS/AdoStream) from Germany against the sample from Brazil proved to be a 97% match. The Exploit:JS/Mult.EA sample was also noted as a slight variant of Exploit:JS/AdoStream. Using the German sample to compare against the slight variant from Turkey showed a 94% match. I found it interesting that the very slight difference in JS resulted in four fewer detections by AV vendors. Here's the VT detection for the www.meydanoptik.com sample (Exploit:JS/Mult.EA) versus the VT detection for the www.stubllanet.com sample (Exploit:JS/AdoStream). The diff between the two files, as seen below, shows only that the www.meydanoptik.com sample sets a cookie while the www.stubllanet.com sample does not. You get the idea. There are clearly commonalities in the vulnerabilities targeted, the methods used for exploitation, and even the country of origin. Hopefully you've found this relevant and interesting. Please share any related insight or experience you may have via comments. Cheers.
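The ssdeep comparisons above rest on context-triggered piecewise hashing (CTPH): the input is cut into pieces wherever a hash of the last few bytes hits a trigger value, each piece is reduced to one character, and two signatures are scored by how well those character strings align. The following is an added example, not ssdeep's code and not anything from this diary: a minimal CTPH in Python with a fixed block size and an FNV-1a window hash (real ssdeep uses an Adler-style rolling hash, derives the block size from the input length, and scores with a weighted edit distance, so its percentages will differ). It is run against three constructed, benign JavaScript snippets, two of which differ only by a line that sets a cookie, mirroring the one-line diff described above, and it also prints that diff. The snippet contents, the names, and the score thresholds are assumptions.

```python
"""Simplified context-triggered piecewise hashing (CTPH), the idea behind ssdeep.

Added example for this diary: not ssdeep's own code and not the diary's samples.
All three JavaScript snippets below are constructed, benign stand-ins.
"""
import difflib

WINDOW = 7        # bytes of context that decide where a piece ends
BLOCK_SIZE = 8    # fixed for the demo; real ssdeep derives it from input length
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a, used both for the window trigger and for piece hashes."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def fuzzy_hash(data: bytes) -> str:
    """Return a CTPH signature: one base64 character per content-defined piece.

    A piece ends wherever the hash of the last WINDOW bytes hits the trigger
    value, so an insertion only disturbs the pieces around it: boundaries
    resynchronise WINDOW bytes later and the rest of the signature is unchanged.
    """
    sig = []
    start = 0
    for end in range(WINDOW, len(data) + 1):
        if fnv1a32(data[end - WINDOW:end]) % BLOCK_SIZE == BLOCK_SIZE - 1:
            sig.append(B64[fnv1a32(data[start:end]) & 63])
            start = end
    if start < len(data):                       # trailing piece
        sig.append(B64[fnv1a32(data[start:]) & 63])
    return "".join(sig)


def similarity(a: bytes, b: bytes) -> int:
    """0..100 score from the two signatures. ssdeep uses a weighted edit
    distance; difflib's ratio is a close enough stand-in for this demo."""
    sa, sb = fuzzy_hash(a), fuzzy_hash(b)
    if not sa and not sb:
        return 100
    return round(100 * difflib.SequenceMatcher(None, sa, sb).ratio())


def changed_lines(a: bytes, b: bytes) -> list:
    """Lines added (+) or removed (-) between two samples, diff headers stripped."""
    diff = difflib.unified_diff(a.decode().splitlines(), b.decode().splitlines(),
                                lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


# Constructed, benign stand-in for a loader script (hypothetical content).
LOADER = b"""var encoded = "Y29uc3RydWN0ZWQgc2FtcGxlIHRleHQgb25seQ==";
var parts = [];
for (var i = 0; i < encoded.length; i += 4) {
    parts.push(encoded.substring(i, i + 4));
}
function unwrap(chunks) {
    var out = "";
    for (var j = 0; j < chunks.length; j++) { out += chunks[j]; }
    return out;
}
var decoded = atob(unwrap(parts));
var frame = document.createElement("div");
frame.setAttribute("id", "placeholder-container");
frame.innerText = decoded;
document.body.appendChild(frame);
"""

# Constructed variant: identical except for one line that sets a cookie,
# mirroring the single-line diff the diary describes between its two samples.
LOADER_WITH_COOKIE = LOADER.replace(
    b"var decoded = ",
    b'document.cookie = "seen=1; path=/";\nvar decoded = ')

# Constructed, unrelated benign script for contrast.
UNRELATED = b"""function updateClock() {
    var now = new Date();
    var label = document.getElementById("clock");
    if (!label) { return; }
    label.textContent = now.toLocaleTimeString();
}
setInterval(updateClock, 1000);
window.addEventListener("load", updateClock);
var theme = localStorage.getItem("theme") || "light";
document.body.className = theme;
"""

if __name__ == "__main__":
    print("loader vs itself        :", similarity(LOADER, LOADER))
    print("loader vs cookie variant:", similarity(LOADER, LOADER_WITH_COOKIE))
    print("loader vs unrelated     :", similarity(LOADER, UNRELATED))
    print("\n".join(changed_lines(LOADER, LOADER_WITH_COOKIE)))
```

The cookie variant scores high because every piece before the inserted line, and every piece after the boundaries resynchronise, hashes to the same character; only the handful of pieces touching the insertion differ. That locality is what makes fuzzy hashing useful for triage: a cryptographic hash of the two files would share nothing, while the CTPH score flags them as the same family for a human to confirm with a diff.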
Russ McRee, ISC Handler, Jun 21st 2012
Any actionable takeaways short of don't click on any links, keep your systems patched, and update AV ?
Anonymous, Jun 22nd 2012
@EVVJSK in this drive-by scenario browser counter-measures (e.g. Firefox's noscript) would be effective in limiting the impact. While the browser would execute code injected on trusted websites, these are typically redirects to actual exploit sites, where the noscript would then come into play. Not fool-proof, not a silver bullet, but raises the bar for the attacker.
Kevin Liston, ISC Handler, Jun 22nd 2012