Run, Forest! (Update)

Run, Forest! (Update)
Thanks to ISC readers Yin, Doug, Lorenzo, Ron, Jan and Placebo for contributing their data to the ongoing analysis of "Run, Forest!" (JS.Runfore) after our earlier SANS ISC diary last week. Here's what we have so far: Run, Forest is pretty fickle. They seem to be running an underground web server called "Sutra TDS", and are doing a quite decent job at using this web server's "features" to make analysis hard. Redirection usually happens via two stages of URLs, and only takes place if the correct cookies were set by the prior stage, and the correct referer is provided. It also looks like their web server does geo-location and responds accordingly, and it also black-lists too nosy analysts. If the defenses trigger, the web server responds with "This domain has been suspended for policy violations" or some wording along those lines ... and admittedly, this actually fooled us the first time (aka "Yeeha, someone else already got them"). Turns out that no .. it is just one more clever smoke grenade in the bad guys' arsenal. If you DO get the exploits, it looks like it currently delivers a regular Blackhole Exploit Kit. The most recent exploit that we've seen included in the package so far was for CVE2012-0507, the Java AtomicReferenceArray vulnerability that affects Java 1.6_30 and Java 1.7_2 and earlier. Bad enough, because there are still lots of unpatched Java installations out there. The other exploits in the pack seem to be for older CVE2010-xxxx vulnerabilities, particularly in Adobe Reader. But don't count on it, the way Blackhole is built, it is quite trivial for the attackers to swap out one exploit against another. That they are not using the latest sploits yet .. simply means that the oldies are still netting the bad guys enough new bots. If the exploits that we saw were successful, the end result was usually a variant of ZBot, with low detection on Virustotal. If the machine is well patched and none of the exploits in the pack are feasible, it looks like the kit does some sort of geo location, and then presents a reasonably language and design adjusted variant of Fake AV, in the hope that the user will fall for it and click. We so far had reports of this behavior from Switzerland and Germany only - if you have a full trace of such an incident from its starting "runforestrun" URL all the way through to the Fake AV, we'd appreciate a copy. If you want to play on your own (be careful!), here's a couple recent Wepawet analysis results http://wepawet.iseclab.org/view.php?hash=5e5fbd51d1df4b946917c3710e8058ed&t=1340629274&type=js http://wepawet.iseclab.org/view.php?hash=40cc3ddf4bc35ff55880e4740807794e&t=1340630664&type=js http://wepawet.iseclab.org/view.php?hash=74cd3f5986b652b6a41dc454380ebf9b&t=1340659298&type=js How do web servers get infected with Run Forest's initial attack vector? Good question. All we have so far is that existing JavaScript (.js) files apparently were amended with the obfuscated Blackhole redirect code. Symantec's early analysis suggests that Run Forest comes with a file infector that looks for and changes .JS files. The sites from where we received infected files didn't have much in common, and also didn't have (sigh!) any useful logs that would have allowed tracking back to the source of infection. If you have additional details, please share! How to defend Don't count on anti-virus. While Symantec was quick to detect and name JS.Runfore one week ago, they are now missing the latest versions, pretty much like every other AV Vendor out there. Here's AV detection for the Blackhole Redirect Script on Virustotal: 4/41 Here's AV detection for the PDF Exploit on Virustotal: 11/42 Here's AV detection for the final EXE (ZBot): 5/42 In a company or university setting, if you can get away with it, block all traffic to 95.211.27.206, which is the IP that has been used by this scam for their 16-byte initial ".ru" URLs for the past week now. Obviously, the IP is trivially easy to change for the attackers, but you might get at least some temporary reprieve to allow the AV companies to get their act together, and catch up. Your best defense, as usual, is to keep all your software fully up to date, and to make sure all your computer users are educated not to click on scams .. especially not on scams that pop up unexpectedly after visiting a completely unrelated web page. Let me rephrase that: Your best defense is to go off grid completely, and start growing your own potatoes and cabbage in some remote rural corner of Wisconsin or Idaho. But things are not quite that dire yet :).	Daniel 367 Posts ISC Handler Jun 26th 2012
Subscribe	Jun 26th 2012 8 years ago
Sigh... PLESK...	Yinette 12 Posts
Quote	Jun 26th 2012 8 years ago
Looks like Forest relocated. The 16-char URL's now resolve to 141.136.17.97	Daniel 367 Posts ISC Handler
Quote	Jun 27th 2012 8 years ago
Yep, new ip is 141.136.17.97. (btw the amount of (distinct) compromised websites is scary)	Daniel 3 Posts
Quote	Jul 2nd 2012 8 years ago
resolving to new ip: 188.211.239.249.	Daniel 3 Posts
Quote	Jul 3rd 2012 8 years ago

Thanks to ISC readers Yin, Doug, Lorenzo, Ron, Jan and Placebo for contributing their data to the ongoing analysis of "Run, Forest!" (JS.Runfore) after our earlier SANS ISC diary last week.

Here's what we have so far:

Run, Forest is pretty fickle. They seem to be running an underground web server called "Sutra TDS", and are doing a quite decent job at using this web server's "features" to make analysis hard. Redirection usually happens via two stages of URLs, and only takes place if the correct cookies were set by the prior stage, and the correct referer is provided. It also looks like their web server does geo-location and responds accordingly, and it also black-lists too nosy analysts. If the defenses trigger, the web server responds with "This domain has been suspended for policy violations" or some wording along those lines ... and admittedly, this actually fooled us the first time (aka "Yeeha, someone else already got them"). Turns out that no .. it is just one more clever smoke grenade in the bad guys' arsenal.
If you DO get the exploits, it looks like it currently delivers a regular Blackhole Exploit Kit. The most recent exploit that we've seen included in the package so far was for CVE2012-0507, the Java AtomicReferenceArray vulnerability that affects Java 1.6_30 and Java 1.7_2 and earlier. Bad enough, because there are still lots of unpatched Java installations out there. The other exploits in the pack seem to be for older CVE2010-xxxx vulnerabilities, particularly in Adobe Reader. But don't count on it, the way Blackhole is built, it is quite trivial for the attackers to swap out one exploit against another. That they are not using the latest sploits yet .. simply means that the oldies are still netting the bad guys enough new bots.
If the exploits that we saw were successful, the end result was usually a variant of ZBot, with low detection on Virustotal.
If the machine is well patched and none of the exploits in the pack are feasible, it looks like the kit does some sort of geo location, and then presents a reasonably language and design adjusted variant of Fake AV, in the hope that the user will fall for it and click. We so far had reports of this behavior from Switzerland and Germany only - if you have a full trace of such an incident from its starting "runforestrun" URL all the way through to the Fake AV, we'd appreciate a copy.
If you want to play on your own (be careful!), here's a couple recent Wepawet analysis results
http://wepawet.iseclab.org/view.php?hash=5e5fbd51d1df4b946917c3710e8058ed&t=1340629274&type=js
http://wepawet.iseclab.org/view.php?hash=40cc3ddf4bc35ff55880e4740807794e&t=1340630664&type=js
http://wepawet.iseclab.org/view.php?hash=74cd3f5986b652b6a41dc454380ebf9b&t=1340659298&type=js

How do web servers get infected with Run Forest's initial attack vector?

Good question. All we have so far is that existing JavaScript (.js) files apparently were amended with the obfuscated Blackhole redirect code. Symantec's early analysis suggests that Run Forest comes with a file infector that looks for and changes .JS files. The sites from where we received infected files didn't have much in common, and also didn't have (sigh!) any useful logs that would have allowed tracking back to the source of infection. If you have additional details, please share!

How to defend

Don't count on anti-virus. While Symantec was quick to detect and name JS.Runfore one week ago, they are now missing the latest versions, pretty much like every other AV Vendor out there.

Here's AV detection for the Blackhole Redirect Script on Virustotal: 4/41
Here's AV detection for the PDF Exploit on Virustotal: 11/42
Here's AV detection for the final EXE (ZBot): 5/42

In a company or university setting, if you can get away with it, block all traffic to 95.211.27.206, which is the IP that has been used by this scam for their 16-byte initial ".ru" URLs for the past week now. Obviously, the IP is trivially easy to change for the attackers, but you might get at least some temporary reprieve to allow the AV companies to get their act together, and catch up.

Your best defense, as usual, is to keep all your software fully up to date, and to make sure all your computer users are educated not to click on scams .. especially not on scams that pop up unexpectedly after visiting a completely unrelated web page.

Let me rephrase that: Your best defense is to go off grid completely, and start growing your own potatoes and cabbage in some remote rural corner of Wisconsin or Idaho. But things are not quite that dire yet :).

Daniel