An OpenX Malvertising Attack
[Just enough time to get this out, before I leave for the airport, as I'm heading out to California for the RSA Conference. Tim and I will be presenting on some shady goings-on in the area of Internationalized Domain Names, so if you'll be at RSAC next week, drop by our session on Thursday morning to see what we've been up to in the lab lately! Anyway, this post is from two days ago (2/19) but things were too busy with a development project to roll it out then...]
Lately, it seems like all of the malvertising attacks we've written about have been of the "set up server, get it trusted by the big ad networks, and then go rogue" variety. However, there's another way to go about malvertising: hack an ad server that's already trusted to serve ads, and piggyback on those.
I thought about that blog post a couple of days ago, when I saw this page as I was checking out the source of traffic feeding into a malicious network:
That's right -- it's our old friend, OpenX, hacked again!
The traffic flow in the attack looks like this:
- x.cel.ro -- the unwitting malvertising server.
- certain.tribaltim.com -- a hijacked subdomain hosting a relay page.
- v426kun.glaciersea.pw -- the exploit kit.
Some additional notes:
- cel.ro is a large Romanian shopping site. It serves ads, via its x.cel.ro server, to a bunch of other Romanian sites, which broadened the reach of the attack.
- Several other OpenX ad servers were also found to be sending traffic into the attack network. Examples included Hungarian (ads.business.hr), German (lehnen.lehnen-werbeagentur.de), and Arabic (openx.alarab.net) sites. It wasn't obvious that all of the sites involved in the traffic were using OpenX, but there were enough examples to provide evidence of some sort of common vulnerability in that platform, given the wide distribution of the servers.
- tribaltim.com is part of a family of legitimate sites dating back several years, that appear to be currently on hiatus. While the main sites take a break, however, the Bad Guys have set up a number of subdomains on a different IP address (in addition to certain.tribaltim.com, they used castle.tribaltim.com, ceiling.tribaltim.com, and census.tribaltim.com). This leads us to suspect that they've compromised the GoDaddy account of that site's webmaster...
- glaciersea.pw (which used a dozen or more different junk subdomains during its short-but-interesting life) is part of a well-known attack network that we've been following in Malnet Tracker for a long time now. (The current server has been IP hopping for five or six days now, but we've been tracking this network for longer than that...)
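For anyone who wants to look for this pattern in their own web-proxy logs, here is a small added example (my own illustration, not code from the original post or from any tool mentioned in it) that reconstructs the ad server -> relay -> exploit kit chain described above and also counts the throwaway-subdomain churn noted for tribaltim.com and glaciersea.pw. The hostnames are the ones named in the post; the log format, timestamps, client IPs, URL paths and the benign advertiser host are constructed for the example, and the two-label "registered domain" helper is a simplification (real tooling would use the Public Suffix List).

```python
"""Reconstruct ad-server -> relay -> exploit-kit redirect chains from proxy logs.

Added example for this post, not code from the original. The log lines
below are constructed: the domain names are those named in the post, but
the timestamps, client IPs, URL paths and the benign advertiser host are
invented.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hosts named in the post. A real deployment would feed these from a threat
# feed rather than hard-coding them.
COMPROMISED_AD_SERVERS = {
    "x.cel.ro", "ads.business.hr",
    "lehnen.lehnen-werbeagentur.de", "openx.alarab.net",
}
EXPLOIT_KIT_DOMAINS = {"glaciersea.pw"}

# Constructed proxy log, one request per line: "<timestamp> <client> <url> <referrer>"
# ("-" means no Referer header was sent).
SAMPLE_LOG = """\
2014-02-19T10:00:01 10.0.0.5 http://shop.example.ro/ -
2014-02-19T10:00:02 10.0.0.5 http://x.cel.ro/ad.js http://shop.example.ro/
2014-02-19T10:00:03 10.0.0.5 http://certain.tribaltim.com/relay.html http://x.cel.ro/ad.js
2014-02-19T10:00:04 10.0.0.5 http://v426kun.glaciersea.pw/landing.php http://certain.tribaltim.com/relay.html
2014-02-19T10:01:10 10.0.0.6 http://shop.example.ro/ -
2014-02-19T10:01:11 10.0.0.6 http://x.cel.ro/ad.js http://shop.example.ro/
2014-02-19T10:01:12 10.0.0.6 http://advertiser.example/promo.html http://x.cel.ro/ad.js
2014-02-19T10:02:00 10.0.0.7 http://castle.tribaltim.com/relay.html http://ads.business.hr/ad.js
2014-02-19T10:03:00 10.0.0.8 http://ceiling.tribaltim.com/relay.html http://openx.alarab.net/ad.js
"""


def registered_domain(host):
    """Naive 'last two labels' rule. Assumption for the example only; it breaks
    on suffixes like co.uk, so use the Public Suffix List in real tooling."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Turn the constructed log into per-request dicts with host and referrer host."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ref = line.split()
        events.append({
            "ts": ts,
            "client": client,
            "host": urlparse(url).hostname or "",
            "ref_host": (urlparse(ref).hostname or "") if ref != "-" else "",
        })
    return events


def build_chains(events):
    """For each client, start at every hit on a known-compromised ad server and
    follow Referer links forward in time until the chain ends."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if start["host"] not in COMPROMISED_AD_SERVERS:
                continue
            chain, seen, cur = [start["host"]], {start["host"]}, start["host"]
            later = evs[i + 1:]
            while True:
                nxt = next((e for e in later
                            if e["ref_host"] == cur and e["host"] not in seen), None)
                if nxt is None:
                    break
                chain.append(nxt["host"])
                seen.add(nxt["host"])
                cur = nxt["host"]
            chains.append((client, chain))
    return chains


def flag_chains(chains):
    """Keep only chains that terminate on an exploit-kit domain (any subdomain of it)."""
    return [(c, ch) for c, ch in chains
            if registered_domain(ch[-1]) in EXPLOIT_KIT_DOMAINS]


def subdomain_churn(events, min_subdomains=3):
    """Registered domains seen under many distinct hostnames: the throwaway
    subdomain pattern the post describes for tribaltim.com and glaciersea.pw."""
    subs = defaultdict(set)
    for e in events:
        if e["host"]:
            subs[registered_domain(e["host"])].add(e["host"])
    return {d: sorted(h) for d, h in subs.items() if len(h) >= min_subdomains}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, chain in flag_chains(build_chains(evs)):
        print(client, " -> ".join(chain))
    for dom, hosts in subdomain_churn(evs).items():
        print(f"{dom}: {len(hosts)} subdomains seen: {', '.join(hosts)}")
```

On the sample log this flags only client 10.0.0.5, whose chain runs x.cel.ro -> certain.tribaltim.com -> v426kun.glaciersea.pw; client 10.0.0.6 also passed through x.cel.ro but landed on an ordinary advertiser, which is exactly why the ad server alone is not a useful indicator and the full chain has to be reconstructed. The churn check surfaces tribaltim.com because three different relay subdomains appear in a short window, the same signal the post used to conclude the domain's hosting account had been taken over.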