Malware Redirects to Exploit Kit Site

Wednesday, August 14, 2013 @ 04:08 PM gHale


The Counter.php strain of malware is now redirecting users to websites serving up the Styx exploit kit.

Vicente Diaz, a researcher with Kaspersky Lab, discovered counter.php while looking into some of the popular Web attacks in Spain during the past three months, according to a post on Securelist. One bit of code, Trojan.JS.iframe.aeq, jumped out.


At the end of that source code was counter.php, a malicious iFrame-based redirect that first began popping up in Japan and Spain in February and March.

Counter.php in turn led Diaz to find a site passing out the Styx exploit kit, a $3,000 toolkit that was popular earlier this spring.

Thanks to a new botnet named Fort Disco, researchers found a PHP redirector earlier this month that also sent victims to sites hosting Styx, suggesting the malicious sites in both situations are one and the same.

Diaz said the exploit kit runs a script function called PluginDetect to profile the victim and determine which version of Java the user is running. It then exploits one of a handful of – mostly Java – vulnerabilities:
• “jorg.html” CVE-2013-0422
• “jlnp.html” CVE-2013-2423
• “pdfx.html” loads “fnts.html” CVE-2011-3402
• “jovf.html” CVE-2013-1493
• and downloads a .pdf file CVE-2010-0188

Diaz said the sites passing out Styx may have suffered an infection, suggesting their FTP accounts may have ended up compromised. After contacting the sites’ corresponding hosting companies, Diaz was able to gather more information about counter.php.

Looking at the functions and strings, “when users are redirected to counter.php, then there is a second redirection to stat.php,” which is a filter that helps the kit avoid reinfections and avoid signature detection.
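As an added illustration (not code from the article or from Kaspersky), the Python check below scans constructed web-proxy log lines for the counter.php then stat.php redirect chain described here and tags any Styx landing page that follows with the CVE listed above; the log format, host names and client addresses are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Styx landing-page names and the CVEs the article pairs them with.
STYX_LANDING_PAGES = {
    "jorg.html": "CVE-2013-0422",
    "jlnp.html": "CVE-2013-2423",
    "pdfx.html": "CVE-2011-3402",
    "fnts.html": "CVE-2011-3402",
    "jovf.html": "CVE-2013-1493",
}

# Constructed proxy log (hypothetical "time client url" format, made-up hosts).
SAMPLE_LOG = """\
10:00:01 10.0.0.5 http://news.example.invalid/index.html
10:00:02 10.0.0.5 http://hacked.example.invalid/counter.php
10:00:02 10.0.0.5 http://hacked.example.invalid/stat.php?ip=10.0.0.5
10:00:04 10.0.0.5 http://landing.example.invalid/jlnp.html
10:00:05 10.0.0.9 http://shop.example.invalid/counter.php
10:00:07 10.0.0.9 http://shop.example.invalid/stat.php
10:01:00 10.0.0.7 http://intranet.example.invalid/stat.php
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def find_redirect_chains(log_text):
    """Per client, look for counter.php followed by stat.php, then optionally a
    known Styx landing page. Returns {client: {"stat": url, "landing": name, "cve": id}}."""
    state = {}    # client -> (stage, last matching url)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, url = m.groups()
        name = posixpath.basename(urlsplit(url).path)   # file name, query dropped
        stage = state.get(client, (None, None))[0]
        if name == "counter.php":
            state[client] = ("counter", url)          # chain starts here
        elif name == "stat.php" and stage == "counter":
            state[client] = ("stat", url)             # filter hop after counter.php
            hits[client] = {"stat": url, "landing": None, "cve": None}
        elif stage == "stat" and name in STYX_LANDING_PAGES:
            hits[client].update(landing=name, cve=STYX_LANDING_PAGES[name])
            state[client] = ("done", url)
    return hits

if __name__ == "__main__":
    for client, info in find_redirect_chains(SAMPLE_LOG).items():
        print(client, info)
```

A stat.php request with no preceding counter.php from the same client (10.0.0.7 above) is deliberately not flagged, so the rule keys on the chain rather than on the file name alone.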

“As stat.php does not check that the parameter IP is the remote address, now we know how to create requests for getting samples from the exploit kit,” Diaz said.

In addition, the malware goes on to install a dropper that downloads a fake antivirus or ZeroAccess Trojan to the infected machine, according to the blog post.
