They don’t call it the World “Wild” Web for nothing....
08.17.2007 - 3:10 PM
Now obviously the web is an entanglement of pages connected together through links. Recently I started researching a set of pages which led me down just such an entanglement. This time it was different, though: at each step along the way I found compromised machines in different locations. While some of them were connected to each other, many were hosted in other geographies. The one commonality was the modus operandi: to steal data by installing information-stealing Trojan Horses. These included banking password stealers, general information grabbers, and game stealing code.
The research started with a site that was compromised and hosted in China. The site's original purpose was a property consulting firm's web presence; it now appeared to be hosting a Trojan Horse command and control panel. These are becoming more popular, as the web is a great way to control backdoors on machines and infected bot armies. The original site did not just hold the panel's login information, however; it also had two iframe references to other sites, and this is where the fun begins.
Screenshot of originally infected site:

Upon visiting the first site (which, by the way, had more than 100 hits on MSN Search and Baidu's search page), users would be redirected to more than 18 individual sites, 30 pages, in 5 different countries. All of this happens behind the scenes, as the sites are all referenced via iframes in the HTML.
We have attempted to display the site mappings in the following diagram (the background is one of the pages' obfuscated scripts).

The above image attempts to map out the sites and pages that get loaded when visiting the top-level site. Two of the original iframes that are loaded lead to exploit sites, which attempt to load Trojan Horses onto the visitor's machine. For the sake of brevity we are going to go down the path of site #2 and site #4.
Site #2 is hosted in China and the entire site has been compromised. Almost every single page we connected to had iframes pointing to several other sites which, almost always, led to exploit code. We followed site #2 through one of its iframes, which is referenced as site #4.
Site #4 is hosted in Russia, is also compromised, and had four individual iframes within its page. Each of the iframes pointed to a unique site, hosted in China, Korea, the USA, and Canada respectively. And each one of those sites had unique iframes pointing to further sites. Two levels deep from site #4 we finally found the exploit code. The exploit code on each machine was different, but in some cases it attempted to download the same information-stealing binary and run it.
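Mapping a chain like this is the kind of work that lends itself to automation. As an added example (not code from the original post), here is a small offline crawler over constructed sample pages that follows iframe references breadth-first, stops on a depth limit and on cycles, and flags iframes sized or styled to be invisible. The PAGES dictionary, its host names, and the helper names are constructed assumptions; a real run would swap the dictionary lookup for a sandboxed fetch.

```python
# Added example, not code from the original post: walk a chain of iframe references
# offline, stop on depth and cycles, flag invisible iframes. PAGES is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGES = {  # constructed sample: top site -> two iframes -> two levels deeper
    "http://site1.example/": '<iframe src="http://site2.example/a.htm"></iframe>'
        '<iframe src="http://site3.example/" width="0" height="0"></iframe>',
    "http://site2.example/a.htm": '<iframe src="http://site4.example/x.htm" style="display: none"></iframe>',
    "http://site3.example/": "<p>no iframes here</p>",
    "http://site4.example/x.htm": '<iframe src="payload.htm" width="1" height="1"></iframe>'
        '<iframe src="http://site1.example/"></iframe>',  # frames its own ancestor: a cycle
    "http://site4.example/payload.htm": "<script>/* obfuscated loader */</script>",
}

class IframeExtractor(HTMLParser):
    """Collect (absolute src, hidden?) for every <iframe> in one page."""
    def __init__(self, base):
        super().__init__()
        self.base, self.frames = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "iframe" or not a.get("src"):
            return
        size = [(a.get(k) or "").strip() for k in ("width", "height")]
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = any(s in ("0", "1") for s in size) or "display:none" in style or "visibility:hidden" in style
        self.frames.append((urljoin(self.base, a["src"]), hidden))

def map_chain(start, max_depth=4):
    """Breadth-first walk; returns (depth per URL, [(parent, child, hidden)]).
    Revisits are recorded as edges but never re-crawled, so cycles terminate."""
    depth, edges, queue = {start: 0}, [], [start]
    while queue:
        url = queue.pop(0)
        if depth[url] >= max_depth:
            continue
        parser = IframeExtractor(url)
        parser.feed(PAGES.get(url, ""))  # swap in a real (sandboxed) fetch here
        for child, hidden in parser.frames:
            edges.append((url, child, hidden))
            if child not in depth:
                depth[child] = depth[url] + 1
                queue.append(child)
    return depth, edges

def hosts_reached(depth):
    return sorted({urlparse(u).hostname for u in depth})  # distinct 'sites', as the post counts them
```

With the sample pages the walk reaches four hosts, records five iframe edges (three of them hidden), and places the final page three hops below the top site.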
Thankfully we have automated processes to do the majority of our discovery, analysis, and reporting, but all too often we find ourselves tracing compromised site after compromised site, spread out amongst several locations and with different infection tactics on each.
I guess, such is the World “Wild” Web.