Redkit Malvertising Attack Via Zedo
[Great post from Jeff yesterday on our internal blog. --C.L.]
Meet the Face of Evil.
Would you believe that this:
is actually a cover for this?
The latter image is a screenshot of Redkit, a Russian-made exploit kit designed to distribute malware quickly and effectively, and available for a small fee. Exploit kits have become very popular in the last few years for that reason. The more unsuspecting visitors you can drive to a site with an exploit kit, the more people you will infect with your malware. (I’ve talked about exploit kits before: here and here.)
A popular method of driving people to a site hosting an exploit kit is through web advertisements, especially if the attacker can leverage a trusted ad service. The unfortunate truth is that web advertisers do not properly vet every ad they distribute. They typically accept ads from third parties who, in turn, take ads from other third parties. In their defense, it is a hard job to vet every ad that goes through their systems, but that doesn't mean they shouldn't be held accountable when malware gets through.
Yesterday, we saw such an attack come through zedo.com.
The attack begins with an advertisement that is loaded onto a legitimate site, via a URL like this:
c5.zedo [.] com/jsc/c5/ff2.html?n=2164;c=2;s=2;d=14;w=728;h=90
Visiting the host site with Mozilla Firefox showed a legitimate advertisement trying to get you to book a trip to Switzerland:
However, if you happened to be visiting the host site using Internet Explorer, you get something entirely different: a “landing page” for Redkit. These landing pages scan your computer for vulnerable software that they can exploit (usually Java, Acrobat, or Flash). Once this is accomplished, the attacker has full control of your computer, and will kindly give you a piece of malware.
(We will get into the actual malware in a moment.)
What I found interesting is that the malware is pulled from a very legitimate looking site: hosthealthcare[.]com
At first glance, it looked like a normal job searching site, focusing on healthcare jobs. It has an interactive site navigation bar that leads you to all sorts of pages around the site. They even have links to their social media sites like Facebook, LinkedIn, Twitter, etc.
But some things about it didn't look legitimate. It looked fancy and elaborate, but if I clicked on any of the links, the only thing I got was a 404 error (not found):
Also, my wife, who does research in spam and scams [now there's a marriage made in heaven! --C.L.], pointed out that the stock images they used are some of the same photos that are used by the fake Canadian pharmacy scams:
I wasn’t able to find an exact match, but she immediately recognized the brunette woman from the fake pharmacy sites that she finds, and the blond looked familiar, too.
At this point I was completely convinced that this was NOT a legitimate site. We have seen the Bad Guys do stuff like this before: use a generic website template and fill it with text for search engine poisoning attacks.
So I Googled their phone number; all the links I got were 404’s again:
But on a whim, I decided to give them a call, expecting to get a disconnected line or at best a guy from a foreign country that would try to sell me something. However, I ended up connecting to a nice lady who indeed claimed to be from Host Healthcare. Surprised, I began to question her about the company. All of her answers seemed to be honest and legitimate.
How about that? This is a real website for a real business!
I explained to her what I was doing and she put me in touch with a supervisor to talk about their website being hacked...
Leaving Big Footprints Behind
That link downloaded a malicious PDF from hosthealthcare.com (987.pdf) that exploited CVE-2010-0188. This PDF had a very low detection rate on VirusTotal:
That PDF downloaded an executable file, also from hosthealthcare.com. This had a better detection rate, but not by much:
This executable is a keylogger. It runs every time you start up your computer and hooks into your keyboard; then, every time you type something, it sends it back to:
So whenever you log in to your e-mail or bank account, the Bad Guys would have your password.
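The chain this post walks through (the Zedo ad URL, a landing page that only Internet Explorer visitors received, 987.pdf served from hosthealthcare.com, then an executable from the same host) can be turned into a retrospective hunt over web-proxy logs. What follows is an added example, not code from this post or from either company named in it: the indicators are taken from the post, while the log format, timestamps, client addresses, the directory the PDF sits in and the executable's file name (`update.exe`) are constructed assumptions.

```python
"""Sweep a web-proxy log for the Redkit-via-Zedo infection chain described above.

Added example, not from the post. Indicators come from the post; the log format,
timestamps, client IPs, the PDF's directory and the executable's name are assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Indicators from the post (the "[.]" defanging is undone so they match real log entries).
AD_HOST = "c5.zedo.com"
AD_PATH = "/jsc/c5/ff2.html"
PAYLOAD_HOST = "hosthealthcare.com"
PAYLOAD_PDF = "987.pdf"

# Assumed log format: <timestamp> <client_ip> <status> <method> <url> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: hypothetical clients, times and paths; "update.exe" is a placeholder.
SAMPLE_LOG = """\
2013-05-21T10:02:11 10.0.0.5 200 GET http://c5.zedo.com/jsc/c5/ff2.html?n=2164;c=2;s=2;d=14;w=728;h=90 "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
2013-05-21T10:02:12 10.0.0.5 200 GET http://www.example.com/travel/switzerland.jpg "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
2013-05-21T10:03:40 10.0.0.9 200 GET http://c5.zedo.com/jsc/c5/ff2.html?n=2164;c=2;s=2;d=14;w=728;h=90 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-05-21T10:03:44 10.0.0.9 200 GET http://hosthealthcare.com/images/987.pdf "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-05-21T10:03:51 10.0.0.9 200 GET http://hosthealthcare.com/images/update.exe "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-05-21T10:05:02 10.0.0.12 200 GET http://c5.zedo.com/jsc/c5/ff2.html?n=2164;c=2;s=2;d=14;w=728;h=90 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2013-05-21T10:05:06 10.0.0.12 403 GET http://hosthealthcare.com/images/987.pdf "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


@dataclass
class Request:
    ts: str
    ip: str
    status: int
    url: str
    ua: str


def parse_log(lines: Iterable[str]) -> list[Request]:
    """Parse log lines; lines that do not match the assumed format are skipped."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            out.append(Request(m["ts"], m["ip"], int(m["status"]), m["url"], m["ua"]))
    return out


def stage_of(req: Request) -> Optional[str]:
    """Map one request to a stage of the chain: 'ad', 'pdf', 'exe' or None."""
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host == AD_HOST and path == AD_PATH:
        return "ad"
    if host == PAYLOAD_HOST and path.rsplit("/", 1)[-1] == PAYLOAD_PDF:
        return "pdf"
    if host == PAYLOAD_HOST and path.lower().endswith(".exe"):
        return "exe"  # the post does not name the executable, so any .exe from the host counts
    return None


def find_chains(requests: list[Request]) -> list[dict]:
    """Group requests per client and decide how far each client got through the chain."""
    per_client: dict[str, list[Request]] = defaultdict(list)
    for r in requests:
        per_client[r.ip].append(r)

    findings = []
    for ip, reqs in per_client.items():
        reqs.sort(key=lambda r: r.ts)
        stages, delivered = [], set()
        for r in reqs:
            s = stage_of(r)
            if s is None:
                continue
            if s not in stages:
                stages.append(s)          # first-seen order of the stages
            if 200 <= r.status < 300:
                delivered.add(s)          # only a 2xx means the content reached the client
        if not stages:
            continue
        if {"ad", "pdf", "exe"} <= delivered:
            verdict = "infected"          # exploit PDF and executable both delivered
        elif "pdf" in stages:
            verdict = "exploit_attempt"   # landing page sent the client for the PDF
        else:
            verdict = "ad_only"           # what a non-IE visitor saw: just the ad
        findings.append({
            "ip": ip,
            "stages": stages,
            "verdict": verdict,
            # Redkit served its landing page only to Internet Explorer, so the UA matters
            "browser_is_ie": any("MSIE" in r.ua for r in reqs),
        })
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{f['ip']:<10} {f['verdict']:<16} ie={f['browser_is_ie']} "
              f"stages={'>'.join(f['stages'])}")
```

The verdict is deliberately graded: a client that fetched the ad and nothing else is the Firefox case from the post, a client whose PDF request was blocked still saw the landing page and deserves a look at its patch level for CVE-2010-0188, and only a client that received both the PDF and the executable is treated as infected.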