Wednesday, March 3, 2010

Anatomy of the Bablodos drive-by-download attack

Hackers have come to rely less on distributing malware via email
attachments, and have opted for infecting legitimate websites with
drive-by-downloads as the de facto way of more aggresssive
distribution. Just by loading an infected web page in a browser, a
virus can be downloaded to a computer without knowledge of the user.
The implications are often disastrous and range from reputation/brand
and revenue loss to data theft.

One particular attack stood out due to the number of exploits it
used and the number of processes it started -- it was quite "blatant".
While hackers often take steps to evade detection, Bablodos didn't
seem to bother. Based on Dasient's last malware report for 2009
the average number of extra processes initiated by hackers in Q4 '09
was just 2.8 -- enough for a downloader and perhaps one or
two pieces of malware. (As a comparison, in previous years,
a drive-by download would often initiate 10 or more
extra processes, ostensibly in an attempt to maximize the return from
each infected endpoint.) This shows us that attackers are getting
smarter about the way they structure their attacks, opting for a
smaller fingerprint on an infected machine in exchange for a greater
likelihood of evading detection.

Enter bablodos.com. This brazen attack took advantage of a large
number of different vulnerabilities on the user's computer, modified
personal firewall settings and then deleted itself off the disk after 5
seconds of starting as many as 8 processes. Obviously it wasn't trying to hide
anything and the goal was to cause as much damage as possible in a short amount of time.
Clearly, some of today's hackers aren't afraid of being detected.

So how exactly does this attack work?

STEP 1

Bablodos .com infects vulnerable sites by injecting obfuscated javascript code on their web pages.

Here is the first few bytes of the malicious JS snippet: "document.write(String.fromCharCode(60,116,97,98,108,101,32,98,111,114,100..."

This JS code sources in

bablodos .com/x/jar.jar
bablodos .com/counter/swf.swf
bablodos .com/counter/exe.php
bablodos .com/counter/pdf.php

to look for vulnerabilities in Flash and Pdf plugins and Java Runtime Environment.

STEP 2

Users visiting these victim sites get infected in the following way:

* An executable named file.exe is downloaded into the \Documents and Settings\%USER% folder, and run without the user's consent. It is classified as a downloader by many antivirus engines according to this Virustotal analysis.

* This executable bypasses the Windows Firewall by modifying the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

* Then it downloads additional malware and starts new processes as many as 8 into the temp folder that have file names comprised of 10 random character such as
SUHyAwDJUT.exe, AJvvOxjPBD.exe, YylDMSreSn.exe etc.

* To avoid detection, the downloaded malware is deleted from disk after starting execution with the command:
C:\WINDOWS\system32\cmd.exe /c timeout 5 && del %TEMP%\[10chars].exe

Since January of this year at least 50 sites have been hit by bablodos.com, some of which are:

123-real-estate-riverside .com
3rbytv .com
addisdimts .com
allmyanmar .com
ar-movies .blogspot.com
bellsnwhistles .com
cfusion .com
deskbeauty .com
dogtraininghealthcare .com
eetcorp .com
el34world .com
ericbae .com
faithfulnews .com
funinternet .net
games420 .com
ganoi .us
gdp .com
goldcoastsewing .com
goldmedaldeals .com
gospeladvocate .com
hamiltonknife .com
healthyhuman .net
hipforums .com
homeofourfathers .com
icarly-show .com
jerryswallpaper .com
jpickup .com
lyainc .com
maxeys .com
medicalartsschool .com
mideastreview .com
midorimiller .com
milwaukeenights .com
mjguide .com
mobilefull .com
npocu .org
patriotsbankmo .com
phuket-to-krabi .com
plentyofpuppies .com
pocketkittys .com
powertoolbattery .co.uk
scvan .org
shovelhead .us
tattoovirtual .com
thailandmagic .com
thailandsouthern .com
themes420 .com
travelbookingonline .com
tvgrounds .com
usa-battery .com
wallpapers2k .com

Had these sites been monitored by Dasient WAM they would have been alerted in real-time that the malware was on their site and they would have been able to contain the infection and prevent it from spreading.

23 comments:

  1. I really appreciate posts, which might be of very useful
    my Blogs: cityville cheats | how to get taller

    ReplyDelete
  2. Great post. i think i have read such an article after a long time on internet.
    sciatic nerve pain
    easy guitar songs
    easy guitar tabs
    lower ab workout

    ReplyDelete
  3. http://www.manualdirectorysubmission.co
    This brazen attack took advantage of a large
    number of different vulnerabilities on the user's computer, modified
    personal firewall settings and then deleted itself off the disk after 5 seconds of starting as many as 8 processes.

    ReplyDelete
  4. You have some really good ideas in this article. I am glad I read this. I agree with much of what you state in this article. Your information is thought-provoking, interesting and well-written. Thank you.

    MBA Dissertation to Buy

    ReplyDelete
  5. woow ! Very interesting post I like your website keep up the great posts
    Chemistry Essays Help

    ReplyDelete
  6. I was very encouraged to find this site.I definitely savored every little bit of it and I have you bookmarked to check out new stuff you post. 338a sbobet casino, bola tangkas 2, situs ion casino

    ReplyDelete
  7. His work from house company assisted fund these visits. He was not enthusiastic about gathering individual wealth; he didn’t reside in hardship, but he didn’t reside in high-class either. go here

    ReplyDelete
  8. Often it is the awesome deficiency of way of lifestyle of someone near that provides this home; and then the regularity of medical center trips and memorials gradually begins to choose up amount, like a drumbeat in the forests. criminal defense attorney

    ReplyDelete
  9. Often it is the awesome deficiency of way of lifestyle of someone near that provides this home; and then the. rumah dijual

    ReplyDelete
  10. the regularity of medical center trips and memorials gradually begins to choose up amount, like a drumbeat jual rumah

    ReplyDelete
  11. graha gading serpong Here I’ve combined one strand of the Pixie with one strand of the Cream and used the original H hook size. It makes a heart that is slightly larger than the original pattern

    ReplyDelete
  12. Thanks for ones marvelous posting! I genuinely enjoyed reading it,you are a great author. I will be sure to bookmark your blog and may come back very soon.realestateinindia |

    family-estate |

    estateguru |

    real-estate-tucson |

    elkinsestateretreat |

    oaklandreal-estate |

    piedmontreal-estate |

    browardrealestate |

    koratrealestate |

    prescott-real-estate |

    ReplyDelete
  13. The Buddhist way to all of this is quite genuine, really. Buddhism understands of that from the perspective of ego the opportunities of lack of way of life is generally difficult. Klik4D

    ReplyDelete
  14. As almost everyone’s costs experienced, many companies had to cut back on their display contribution and the variety of individuals they sent to be present at activities was significantly reduced. her explanation

    ReplyDelete
  15. One neat thing about being the first company to purchase the trucks is that Robichaud is pretty much involved in any design changes that may be made to the vehicle. overview

    ReplyDelete
  16. As we age this careful system changes. Moreover to monitoring moment-to-moment threats such as an beginning car or a decrease banister, our threat verifying starts to intuit a distant but progressively approaching dark thinking — the approaching end, the biggest boundary. www.swissphysio.co.uk

    ReplyDelete
  17. Many producers need to be more ideal and creative about how they can use their display contribution as a useful promotion. TUBE

    ReplyDelete
  18. I'll upgrade in a year or two" I'm so glad I didn't do that, I'm still just beginning but I can see how valuable having more stitch options is going to be and I've already started using some of them. top 10 quotes

    ReplyDelete
  19. As we age this careful system changes. Moreover to monitoring moment-to-moment threats such as an beginning car or a decrease banister. stumbleupon

    ReplyDelete
  20. During the encounter, not one, but two support specialists came out to the apartment to get us out of the blunder we were in. venus factor reviews

    ReplyDelete
  21. I happen to think that organization exhibitions still hold value, whether you are there to program, see market buddies, rim and deal or to walk the shelves to explore a certain item or technological innovation. click to read

    ReplyDelete
  22. I'm liking the room setup of that hotel. The simple elegance reminds me so much of the hotels in paddington I've stayed in during my business trips. next story

    ReplyDelete
  23. Spend some time while with a dynamic language and you start to wonder what the benefit of the static type system really is, other then reducing the most gross of mistakes in a project with developers who don't communicate or pay attention. use this link

    ReplyDelete