Redkit Malvertising Attack Via Zedo

March 7, 2013 - By Chris Larsen | Co-Author Jeff Doty

[Great post from Jeff yesterday on our internal blog. --C.L.]


Meet the Face of Evil.

Would you believe that this:

[Image: innocent-looking web ad]

is actually a cover for this?

[Image: Redkit admin page]

The latter image is a screenshot of Redkit, a Russian-made exploit kit designed to distribute malware quickly and effectively, and available for a small fee. Exploit kits have become very popular in the last few years for that reason: the more unsuspecting visitors you can drive to a site running one, the more people you will infect with your malware. (I've written about exploit kits in earlier posts.)

A popular method of driving people to a site hosting an exploit kit is through web advertisements, especially if the attacker can piggyback on a trusted ad network. The unfortunate truth is that ad networks do not properly vet every ad they distribute. They typically accept ads from third parties who, in turn, take ads from other third parties, so the network that finally serves an ad may be several steps removed from whoever created it. In their defense, it is a hard job to vet every ad that goes through their systems, but that doesn't mean they shouldn't be held accountable when malware gets through.


Yesterday, we saw such an attack come through zedo.com.

[Image: screenshot of zedo.com]


The attack begins with an advertisement that is loaded onto a legitimate site, via a URL like this:

   c5.zedo [.] com/jsc/c5/ff2.html?n=2164;c=2;s=2;d=14;w=728;h=90

Visiting the host site with Mozilla Firefox showed a legitimate advertisement trying to get you to book a trip to Switzerland:


[Image: innocent web ad served to Firefox users]

However, if you happened to be visiting the host site using Internet Explorer, you got something entirely different: a "landing page" for Redkit. These landing pages probe your browser for vulnerable software they can exploit (usually Java, Adobe Reader/Acrobat, or Flash). Once one of those exploits succeeds, the attacker's code is running on your computer, and it uses that foothold to kindly hand you a piece of malware.

(We will get into the actual malware in a moment.)


What I found interesting is that the malware is pulled from a very legitimate-looking site: hosthealthcare[.]com

[Image: screenshot of the innocent-looking site]

At first glance, it looked like a normal job-search site focusing on healthcare jobs. It has an interactive navigation bar that leads you to all sorts of pages around the site. They even have links to their social media presence on Facebook, LinkedIn, Twitter, etc.

[Image: another piece of the innocent-looking site]

[Image: and another piece of the site]


But some things about it didn't look legitimate. It looked fancy and elaborate, but if I clicked on any of the links, the only thing I got was a 404 error (not found):

[Image: screenshot of the 404 message]


Also, my wife, who does research in spam and scams [now there's a marriage made in heaven! --C.L.], pointed out that the stock images they used are some of the same photos that are used by the fake Canadian pharmacy scams:

[Image: an image from a common Canadian pharmacy scam site]

I wasn’t able to find an exact match, but she immediately recognized the brunette woman from the fake pharmacy sites that she finds, and the blond looked familiar, too.

[Image: a familiar-looking stock photo]

[Image: the innocent-looking web ad again]

At this point I was completely convinced that this was NOT a legitimate site. We have seen the Bad Guys do stuff like this before: use a generic website template and fill it with text for search engine poisoning attacks.

So I Googled their phone number; all the links I got were 404's again:

[Image: screenshot of Google search results]

But on a whim, I decided to give them a call, expecting to get a disconnected line or at best a guy from a foreign country that would try to sell me something. However, I ended up connecting to a nice lady who indeed claimed to be from Host Healthcare. Surprised, I began to question her about the company. All of her answers seemed to be honest and legitimate.

How about that? This is a real website for a real business!

I explained to her what I was doing and she put me in touch with a supervisor to talk about their website being hacked...


Leaving Big Footprints Behind

We see a lot of legitimate sites get compromised. After the Bad Guys get into the server, they have several ways of infecting the site with bad things: malicious iframes, Apache modules, JavaScript, or simple embedded links. When the Bad Guys infiltrated this site, they must not have been very delicate with whatever they did. In the process of planting their malware on the server, they broke stuff, leading to all of the 404 errors.


The Payload

In order to exploit your machine, the exploit kit must first find vulnerable software you are running. This is done with JavaScript. Anti-virus programs know this, and therefore try to detect JavaScript that may be probing for vulnerable software. In response, exploit kits obfuscate their JavaScript. Wepawet is a useful service that tries to deobfuscate and analyze JavaScript, and can often spot malicious script. In this case, however, Wepawet was unable to determine that it was malicious.

The JavaScript first checks which browser you are using. If it is Internet Explorer, you are served a different web ad, one that contains a link to the site hosting the malware.
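Here is an added example of that browser-dependent ("cloaked") ad serving, and of the check an analyst can run to expose it. This is not code from the post or from Redkit. It assumes the server branches on the User-Agent header, which the post does not state; the stand-in ad server, the .example hostnames and the User-Agent strings are all constructed for the illustration.

```python
import re
from typing import Callable, Dict, List

# Constructed User-Agent strings of the era; stand-ins, not taken from the original post.
USER_AGENTS: Dict[str, str] = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) "
              "Chrome/25.0.1364.97 Safari/537.22",
}


def is_internet_explorer(user_agent: str) -> bool:
    """Assumed server-side test: IE identifies itself with 'MSIE' (and 'Trident/' from IE8 on)."""
    return "MSIE" in user_agent or "Trident/" in user_agent


def cloaked_ad_server(user_agent: str) -> str:
    """Stand-in for the poisoned ad slot: every browser gets the travel banner, but IE
    additionally gets a hidden iframe pointing at the exploit-kit landing page.
    The hostnames are hypothetical (.example), not the ones in the post."""
    banner = ('<a href="http://travel.example/switzerland">'
              '<img src="http://travel.example/banner_728x90.jpg" width="728" height="90"></a>')
    if is_internet_explorer(user_agent):
        banner += '<iframe src="http://landing.example/redkit/" width="1" height="1"></iframe>'
    return f"<html><body>{banner}</body></html>"


def outbound_urls(html: str) -> List[str]:
    """Every absolute URL the page would make the browser fetch or follow."""
    return sorted(set(re.findall(r'(?:src|href)="(https?://[^"]+)"', html)))


def check_cloaking(fetch: Callable[[str], str], user_agents: Dict[str, str]) -> Dict[str, object]:
    """Fetch the same ad slot once per User-Agent and report URLs only some browsers receive.

    `fetch` takes a User-Agent string and returns the HTML served for it. In a real check it is an
    HTTP client that sets the header; here it is the stand-in server above.
    """
    per_ua = {name: outbound_urls(fetch(ua)) for name, ua in user_agents.items()}
    common = set.intersection(*(set(urls) for urls in per_ua.values()))
    extras = {name: sorted(set(urls) - common) for name, urls in per_ua.items()}
    return {
        "per_ua": per_ua,
        "divergent": {k: v for k, v in extras.items() if v},  # browser -> URLs only it was sent
        "cloaked": any(extras.values()),
    }


if __name__ == "__main__":
    report = check_cloaking(cloaked_ad_server, USER_AGENTS)
    print("cloaked:", report["cloaked"])
    for browser, urls in report["divergent"].items():
        print(f"  only {browser} was sent: {urls}")
```

The point of the check is the diff, not any single fetch: a slot that hands IE an extra hidden iframe while Firefox and Chrome get identical, clean markup is behaving exactly as this one did, and you would never see it by visiting from your analyst's browser of choice.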

That link downloaded a malicious PDF from hosthealthcare[.]com (987.pdf) that exploited CVE-2010-0188, a 2010 vulnerability in how Adobe Reader and Acrobat parse embedded TIFF images. The PDF had a very low detection rate on VirusTotal:

[Image: screenshot of VirusTotal results for the PDF]
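When AV scores are this low, a quick structural triage of the file is worth more than another scanner. The script below is an added example, not code from the post or from any tool it mentions. It looks for the PDF features an analyst checks first (JavaScript, open and automatic actions, launch actions, embedded files, XFA forms) and, because CVE-2010-0188 exploits deliver their crafted TIFF inside an XFA form image field, it inflates Flate-compressed streams, decodes the start of each XFA <image> payload and checks for a TIFF header. The sample PDFs are constructed here to exercise the checks; neither is 987.pdf and neither contains exploit code.

```python
import base64
import re
import zlib
from typing import Dict, List

# PDF names worth a second look, with the reason each matters for triage.
SUSPICIOUS_NAMES: Dict[bytes, str] = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (short key)",
    b"/OpenAction": "action that runs as the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/XFA": "XFA form (the container CVE-2010-0188 exploits use for their TIFF)",
}
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF headers


def expand_streams(pdf: bytes) -> bytes:
    """Return the raw PDF plus the inflated body of every Flate stream, so the searches
    below also see content that was compressed (XFA templates usually are)."""
    parts = [pdf]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        inflater = zlib.decompressobj()  # treats the newline before 'endstream' as trailing data
        try:
            parts.append(inflater.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream; its raw bytes are already in `pdf`
    return b"\n".join(parts)


def tiff_images_in_xfa(data: bytes) -> List[bytes]:
    """Decode the start of each XFA <image> payload and return the headers that are TIFF."""
    hits = []
    for m in re.finditer(rb"<image\b[^>]*>([A-Za-z0-9+/=\s]+)</image>", data, re.S):
        head = re.sub(rb"\s+", b"", m.group(1))[:64]
        head += b"=" * (-len(head) % 4)  # re-pad the truncated base64 prefix
        try:
            raw = base64.b64decode(head)
        except ValueError:
            continue
        if raw.startswith(TIFF_MAGICS):
            hits.append(raw[:8])
    return hits


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    """Collect indicators and give a coarse verdict; thresholds are an assumption to tune."""
    data = expand_streams(pdf)
    findings = {why for name, why in SUSPICIOUS_NAMES.items()
                if re.search(re.escape(name) + rb"\b", data)}
    tiffs = tiff_images_in_xfa(data)
    if tiffs:
        findings.add("XFA image field whose payload is a TIFF (CVE-2010-0188 delivery pattern)")
    verdict = "suspicious" if tiffs or len(findings) >= 2 else "low-risk"
    return {"findings": sorted(findings), "tiff_headers": tiffs, "verdict": verdict}


def constructed_sample() -> bytes:
    """A constructed PDF shaped like a CVE-2010-0188 dropper (not 987.pdf, no exploit code):
    an AcroForm whose Flate-compressed XFA template holds a base64 TIFF in an image field."""
    fake_tiff = b"II*\x00" + (8).to_bytes(4, "little") + b"\x00" * 60  # header plus filler only
    template = (
        b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/"><subform name="form1">'
        b'<field name="ImageField1"><ui><imageEdit/></ui><value><image contentType="image/tif">'
        + base64.b64encode(fake_tiff) +
        b"</image></value></field></subform></template>"
    )
    stream = zlib.compress(template)
    return (
        b"%PDF-1.6\n"
        b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
        b"2 0 obj << /Fields [] /XFA [(template) 3 0 R] >> endobj\n"
        b"3 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + stream + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


BENIGN_SAMPLE = (  # constructed: an empty document with none of the indicators
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("constructed dropper", constructed_sample()), ("benign", BENIGN_SAMPLE)):
        print(label, "->", triage_pdf(blob))
```

Inflating the streams is the step that matters: a signature scanner that only looks at the compressed bytes sees nothing, which is one reason a fresh kit sample scores so poorly.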

That PDF in turn downloaded an executable, also from hosthealthcare[.]com. This had a better detection rate, but not by much:

[Image: screenshot of VirusTotal results for the EXE]

This executable is a keylogger. It runs every time you start up your computer and hooks into your keyboard; then, every time you type something, it sends it back to:

612dd5aa7f20fb75[.]com

So whenever you log in to your e-mail or bank account, the Bad Guys would have your password.
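One thing to take away from that command-and-control hostname: the registrable label of 612dd5aa7f20fb75[.]com is a 16-character hexadecimal string, something real businesses almost never register. The following is an added example (not from the post) of a detection-side check a SOC could run over web proxy logs to surface hosts like that. The log format and the other hostnames are constructed for the illustration (only the zedo and hosthealthcare hosts and the C&C domain come from the post, and the request paths to the C&C host are invented); the hex-length and entropy thresholds are assumptions to tune locally.

```python
import math
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed proxy log lines (epoch  client  method  url  status). The real hosts from the post
# sit alongside made-up ones; the C&C request path and the extra hex host are invented.
SAMPLE_LOG = """\
1362614401.123 10.0.0.12 GET http://c5.zedo.com/jsc/c5/ff2.html?n=2164;c=2;s=2;d=14;w=728;h=90 200
1362614402.457 10.0.0.12 GET http://www.hosthealthcare.com/987.pdf 200
1362614405.002 10.0.0.12 POST http://612dd5aa7f20fb75.com/ 200
1362614406.778 10.0.0.12 GET http://mail.example.com/inbox 200
1362614407.010 10.0.0.12 GET http://a1b2c3.cdn.example.net/lib.js 200
1362614409.300 10.0.0.12 GET http://deadbeefcafef00d.org/ 200
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def registrable_label(host: str) -> str:
    """The label just left of the TLD ('612dd5aa7f20fb75' for 612dd5aa7f20fb75.com).
    Simplification: multi-part public suffixes such as co.uk need the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def label_reasons(label: str, min_len: int = 12, entropy_cutoff: float = 3.6) -> List[str]:
    """Why a label looks machine-generated; an empty list means it looks ordinary.
    Requiring at least one digit keeps short all-letter hex words like 'cafe' out."""
    reasons = []
    if len(label) >= min_len and HEX_LABEL.match(label) and any(c.isdigit() for c in label):
        reasons.append(f"{len(label)}-char hexadecimal label")
    if len(label) >= min_len and shannon_entropy(label) > entropy_cutoff:
        reasons.append(f"high entropy ({shannon_entropy(label):.2f} bits/char)")
    return reasons


def suspicious_hosts(log: str) -> Dict[str, List[str]]:
    """Parse each line, take the hostname from the URL field and return host -> reasons for flagged ones."""
    flagged: Dict[str, List[str]] = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; a production parser would count and report these
        host = urlsplit(fields[3]).hostname
        if not host or host in flagged:
            continue
        reasons = label_reasons(registrable_label(host))
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, why in suspicious_hosts(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

Note that the check is deliberately applied to the registrable label only: a hex-looking subdomain such as a1b2c3.cdn.example.net is normal CDN behaviour and should not page anyone, whereas a hex-looking registered domain is worth a look on its own, and a POST to one from a workstation that just fetched a PDF is worth a lot more.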

--J.D.