Another Clever Drive-By

This is yet another drive-by that was challenging to find. It delivered payloads from two different exploit packs, making it very cruel too. Below is the infected webpage. I kept visiting this page, scrolling up and down, and nothing happened, but I knew something was here based on an alert from another user’s visit. I figured it must be a malicious ad that gets rotated, so I moved on to something else.

2013-02-23_01

A couple of hours later, I figured I would try again and get lucky. Still nothing! But this time I thought I would check out the ads. As I scrolled down, about halfway down the page, an ad slid out from the bottom right. My PC then got infected.

2013-02-23_02

The source code of the ad box shows a redirect script.

2013-02-23_03

This script shifts every character of the block of random-looking text by one ASCII code point, then renders the result with a document.write. I can use Converter to show me what this obfuscated text looks like:
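To reproduce that Converter step offline, here is a small Python decoder (an added example, not code from the original post or from the ad itself). The sample string is constructed for this example; it is a harmless iframe snippet with every character code raised by one, and the decoder assumes the ad script does the inverse (subtracts one) before calling document.write. Because the direction of the shift is not always obvious from a minified script, it also brute-forces the small shifts in both directions and picks the one that produces something HTML-like, then pulls any URLs out of the decoded markup as indicators.

```python
import re

# Constructed sample (not the real ad payload): a benign iframe snippet with
# every character's ASCII code raised by one, the way the redirect script
# stored its block of "random" text.
OBFUSCATED = '=jgsbnf!tsd>#iuuq;00fybnqmf/jowbmje0m/qiq#!xjeui>2!ifjhiu>2?=0jgsbnf?'

# Assumption: the ad script subtracts one from each code point before
# document.write, so decoding is a shift of -1.
def shift_text(text, delta):
    """Add `delta` to every character's code point."""
    return ''.join(chr(ord(c) + delta) for c in text)

def guess_shift(text, max_shift=3):
    """Try shifts -max_shift..+max_shift (excluding 0) and return
    (delta, decoded) for the candidate that looks most like HTML/JS."""
    markers = ('<', '>', 'http', 'src=', 'document')
    best = None
    for delta in range(-max_shift, max_shift + 1):
        if delta == 0:
            continue
        candidate = shift_text(text, delta)
        score = sum(candidate.count(m) for m in markers)
        if best is None or score > best[0]:
            best = (score, delta, candidate)
    return best[1], best[2]

# Loose URL matcher: stops at whitespace, quotes and angle brackets so the
# URL inside src="..." comes out clean.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def extract_urls(markup):
    """Return every http(s) URL found in the decoded markup."""
    return URL_RE.findall(markup)

if __name__ == '__main__':
    delta, decoded = guess_shift(OBFUSCATED)
    print(f'shift {delta:+d}: {decoded}')
    for url in extract_urls(decoded):
        print('indicator:', url)
```

The scoring is deliberately crude: it only needs to separate the one readable candidate from the garbage the other shifts produce, which is all an analyst needs before handing the decoded markup to a tool like Revelo or Converter.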

2013-02-23_04

This is the landing page of Fiesta EK (aka Stamp EK, SofosFO). Hat tip to Fox-IT.

2013-02-23_05

I thought I was all done here, but I looked through the rest of the HTML source and this JavaScript section looked really suspicious.

2013-02-23_06

Since I burned through so much time on this already, I just pasted that section in Revelo and clicked on “Execute” to safely see what it would do.

2013-02-23_07

I curl’d the link and got this file. Nothing. Looks like I have to spoof the referer.

2013-02-23_08

Tried again and got this. This file appears to contain a JavaScript variable.

2013-02-23_09

I pasted this into Revelo up at the top above the previous script and hit “Execute”:

2013-02-23_10

So what does this script do? It converts the variable from the second site into a URL then appends it to the body. You can whip up a simple script with the following to see how the URL gets made:

2013-02-23_11

It gets rid of any character from G to Z (upper and lower case), converts all of the special characters to “%”, then unescapes what’s left. This, as you know, is the landing page of Blackhole.
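The same three steps, written out as a standalone Python decoder (an added example; this is not the script from the post or from the exploit kit). The encoded variable here is constructed for the example: the URL's bytes as hex pairs, each pair prefixed by an arbitrary punctuation character instead of "%", with junk letters from G-Z sprinkled between them. Once the junk letters are dropped and every non-alphanumeric character becomes "%", the string is ordinary percent-encoding and unquote() gives back the URL.

```python
import re
from urllib.parse import unquote

# Constructed sample (not the real variable from the page). Each "%XX" escape
# is hidden as <punctuation><hex pair>, and letters outside the hex range
# (g-z / G-Z) are inserted as noise that the decoder throws away.
ENCODED = '#68g$74$74H@70%3a!2f*2fK^65x&78|61m~6d(70)6cQ[65]2e{69}6ev<76>61?6c+69z=64,2f'

def decode_stages(encoded):
    """Return the intermediate strings of the three-step decode, for checking."""
    # 1. drop every letter G-Z in either case; hex digits (0-9, a-f, A-F) survive
    stripped = re.sub(r'[g-zG-Z]', '', encoded)
    # 2. any remaining non-alphanumeric character stands in for "%"
    percent = re.sub(r'[^0-9A-Za-z]', '%', stripped)
    # 3. the result is plain percent-encoding, so a standard unescape finishes it
    return stripped, percent, unquote(percent)

def decode_blackhole_url(encoded):
    """Full decode: junk-letter removal, punctuation-to-percent, unescape."""
    return decode_stages(encoded)[2]

# Sanity check an analyst would apply before treating the output as an IOC:
# the percent form must be nothing but well-formed %XX escapes.
PERCENT_RE = re.compile(r'^(?:%[0-9A-Fa-f]{2})+$')

def is_clean_decode(encoded):
    """True if every surviving byte pair parsed as a valid %XX escape."""
    return bool(PERCENT_RE.match(decode_stages(encoded)[1]))

if __name__ == '__main__':
    stripped, percent, url = decode_stages(ENCODED)
    print('after letter strip :', stripped)
    print('as percent-encoding:', percent)
    print('decoded URL        :', url, '(clean)' if is_clean_decode(ENCODED) else '(malformed)')
```

The intermediate stages are returned on purpose: when a decode comes out as garbage, seeing the percent-encoded form tells you immediately whether the character class in step 1 or step 2 was wrong for this particular variant of the script.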

2013-02-23_12

The website was notified and time was given to clean it up before this post but the site still appears to be affected. It seems webmasters are having some difficulty finding and removing these types of infections lately.

UPDATE
I was asked to comment on why this drive-by isn’t picked up by online website scanners.

2013-02-23_13

2013-02-23_14

The majority of the time, these scanners work great and can detect suspicious content easily and accurately. In this case, however, the infected content is located in an iframe that only appears when the user scrolls down the page past the end of the article. This is atypical, and the attacker probably took advantage of how the ad was normally presented on this website.

This entry was posted in Exploit Packs, Malscript.