Wilders Security Forums

#1
March 14th, 2012, 05:50 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Dutch news site nu[dot]nl infected [14 March 2012]

It seems that the Dutch news site nu[dot]nl is infected, as detected by Erik and Mark Loman of HitmanPro.

Dutch news about it at:
http://www.hcc.nl/vereniging/verenig...p-nunl-ontdekt
http://www.security.nl/artikel/40727...t_malware.html

#2
March 14th, 2012, 06:09 PM
Cudni
Global Moderator
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Can you give brief info in English on what happened? What kind of infection, is it fixed, etc.?
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#3
March 14th, 2012, 06:28 PM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Here you go

"An ad was infected on NU.nl (a fairly popular Dutch news site) with a Java exploit (targeting old Java versions), which tried to install an adapted version of the Sinowal rootkit (which tries to collect info on banking accounts). The ad linked to an Indian site on which the exploit was hosted. Due to the large traffic the Indian site went down."
#4
March 14th, 2012, 06:31 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by Cudni
Can you give a brief info in English on what happened? What kind of infection, is it fixed etc etc

Hi Cudni,

It was first detected today by Erik or Mark Loman during a demonstration by SurfRight at an open day of the Dutch Hobby Computer Club HCC.
It was detected by accident when Java was suddenly requested, while Mark says he has no Java installed.
It seems to be a Java exploit that wants to install a version of Sinowal (a rootkit aimed at stealing bank accounts and infecting the MBR).
At first it was thought to be coming from an advertisement.
Later it looked like the attacker had access to the nu[dot]nl webserver.
The exploits seem to be part of the 'Nuclear Exploit Pack', using exploits in Java, Flash and Adobe Reader.

At 16:10 (Dutch time) the owner of nu[dot]nl let it be known that account data of the Content Management System (CMS) were in the wrong hands. All accounts were renewed by the owner. Logs were saved. All code will be inspected. The site will be rebuilt; that might take until at least 02:00 (Dutch time).

From what I understand, at the time of detection no scanner at VirusTotal was detecting it.
#5
March 14th, 2012, 06:41 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Ahh, good old Java again.
#6
March 14th, 2012, 07:33 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Also posted at the Dutch site Tweakers.net with a long discussion (which I haven't read yet):
http://tweakers.net/nieuws/80668/nu-...g-malware.html

and the usual confusion between Java and JavaScript.

Erik Loman posted at Twitter:
-https://twitter.com/#!/erikloman/status/179889389432877057
But I refuse to use Twitter so if anyone can post the content of that (if allowed)....
#7
March 14th, 2012, 08:20 PM
Baserk
Frequent Poster
Join Date: Apr 2008
Location: Amstelodamum
Posts: 969
Re: Dutch news site nu[dot]nl infected [14 March 2012]

According to the analysis on the weblog of Sijmen Ruwhof, the obfuscated JavaScript was checking if older versions of Adobe Reader 8 to 9.3 or Java 5 to 5.0.23 / 6 to 6.0.27 were installed.
If so, users were treated to a 'Blackhole/Sinowal/Torpig' variant. (Sijmen Ruwhof weblog (in Dutch) link).
__________________
ROMANES EUNT DOMUS
#8
March 14th, 2012, 08:38 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Yep, thanks Baserk. It is the best "breakdown" I have seen so far.
#9
March 15th, 2012, 06:54 AM
erikloman
Developer
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Re: Dutch news site nu[dot]nl infected [14 March 2012]

We have just released a BETA update of HitmanPro that detects and removes the NU.nl malware Sinowal.knf.

32-bit: http://dl.surfright.nl/HitmanPro36beta.exe
64-bit: http://dl.surfright.nl/HitmanPro36beta_x64.exe
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#10
March 15th, 2012, 08:14 AM
erikloman
Developer
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Re: Dutch news site nu[dot]nl infected [14 March 2012]

HitmanPro 3.6 Build 148 Released
  • NEW: Added detection and removal of Sinowal.knf rootkit (aka Mebroot, Torpig).
    This rootkit was served through the Dutch NU.nl news site on March 14, 2012 from 11:30 till 13:42.
    See also: http://www.nu.nl/internet/2763447/ko...-via-nunl.html
  • IMPROVED: Crusader malware removal engine to counter watchdogs.
  • IMPROVED: Detection and removal of 64-bit variant of ZeroAccess (aka Sirefef).
    Detects and removes the Desktop.ini ZeroAccess files in the assembly folder.
  • INFO: Hitman Pro is called HitmanPro. On Twitter use #HitmanPro.
  • Several other minor improvements.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#11
March 15th, 2012, 08:25 AM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Thanks Erik.
#12
March 15th, 2012, 04:58 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

The Dutch site Waarschuwingsdienst.nl is giving a warning about the infection that happened yesterday at the Dutch news site nu.nl. Waarschuwingsdienst.nl is the Dutch National Alerting Service. The National Alerting Service resides within GOVCERT.NL, the Computer Emergency Response Team for the Dutch government.

In Dutch:
http://www.waarschuwingsdienst.nl/Ri...e+malware.html

===

The weblog of nu.nl has two postings about it today, in Dutch:
-http://nuweblog.wordpress.com/2012/03/15/update-malware-verspreid-via-nu-nl/

-http://nuweblog.wordpress.com/2012/03/15/cyberaanval-op-nu-nl-update-2/

===

May I ask Mark and Erik Loman of Surfright (HitmanPro) urgently but also in the most friendly way to share their samples about this infection with the other AV vendors (if not already done so). Please guys, please!
#13
March 15th, 2012, 08:29 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

According to the Dutch broadcasting company NOS (on teletext), the Dutch security company Fox-IT is estimating that maybe 100,000 computers in The Netherlands are infected due to that infection at nu[dot]nl.
#14
March 16th, 2012, 06:06 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

There is now an article in English at the weblog of the Dutch security company Fox-IT.
(BTW, Fox-IT is well known, for example, for having been asked by the Dutch government to investigate the DigiNotar hack last year.)

It is a long and detailed analysis.
All AV/AT/AS/AM vendors are encouraged to read it.

It gives VT-links for two Smokeloader Trojans that were used.
Quote:
Even 9 hours after the smokeloader Trojan executables were in the wild, the executables were not recognized by the majority of anti-virus products
and then follows the two VT-links.

Rootkits Sinowal/Mebroot were involved.

I quote the end of the article:
Quote:
Now comes the interesting part, the SmokeLoader C&C server distributed Sinowal, which has been around for a good 6 years now and has been active in The Netherlands from time to time since 2007. The SmokeLoader distributed a component known as ‘miniloader’, which downloads the installer component from the Sinowal installer server. On Windows 2000 and Windows XP it will install the MBR bootkit, which is used since the end of 2007 as the method of startup, which is also commonly referred to as Mebroot. Only a few security products are able to detect this modified MBR from a running system and even less are able to actually clean it. HitmanPro from SurfRight and Tdsskiller from Kaspersky are two products that were confirmed to remove the bootkit component on Windows 2000 and Windows XP systems. On Windows Vista and Seven systems the threat would install a userland component but we have not verified this during the nu.nl compromise.

We have investigated a couple hundred infections on corporate networks, but one odd thing appeared, the Trojan did appear to be malfunctioning, from all the infections we investigated, only one infection actually connected to the Sinowal command and control infrastructure that would indicate a successful infection. We are not sure why this happens and are unable to verify the reason for this. We have heard the same story from other researchers in the field and are not able to verify why this happens, but time will tell…

#15
March 16th, 2012, 08:30 PM
Baserk
Frequent Poster
Join Date: Apr 2008
Location: Amstelodamum
Posts: 969
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Luckily a calando finale; over 100,000 'infections' by successfully hacking one of the most-read Dutch news sites, offering a banking trojan just around lunch time, and now it appears that this specific Sinowal trojan is actually malfunctioning and possibly only effective in less than 0.5% of the total 'infected' PCs.
__________________
ROMANES EUNT DOMUS
#16
March 16th, 2012, 08:43 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by Baserk
Luckily a calando finale; over 100,000 'infections' by successfully hacking one of the most-read Dutch news sites, offering a banking trojan just around lunch time, and now it appears that this specific Sinowal trojan is actually malfunctioning and possibly only effective in less than 0.5% of the total 'infected' PCs.

Yes, you are right, Baserk.

But:
1.
The two SmokeLoader Trojans were initially not detected by almost all AVs; that has now improved.
2.
Fox-IT only looked at corporate computers. How about the home computers?
3.
The end conclusion:
Quote:
We have investigated a couple hundred infections on corporate networks, but one odd thing appeared, the Trojan did appear to be malfunctioning, from all the infections we investigated, only one infection actually connected to the Sinowal command and control infrastructure that would indicate a successful infection. We are not sure why this happens and are unable to verify the reason for this. We have heard the same story from other researchers in the field and are not able to verify why this happens, but time will tell…
They are not able to verify why this happened.
4.
Is the situation about detecting and cleaning of Sinowal/Mebroot that bad, generally speaking?
#17
March 16th, 2012, 10:09 PM
Baserk
Frequent Poster
Join Date: Apr 2008
Location: Amstelodamum
Posts: 969
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by FanJ
...
Is the situation about detecting and cleaning of Sinowal/Mebroot that bad, generally speaking?
Mark Loman explains it best in his posts on the Tweakers forum (link; sorry folks, Dutch forum link).

He explains that the way the rootkit copies a clean version of the MBR to a different sector and then 'presents' it during an AV scan makes it difficult to detect the rootkit.
Cleaning is more difficult because of its own self-protection: a registry key is added and watched over by a separate hidden thread/'watchdog'. Detection of such a new variant is one thing, but cleaning is another. HMP3 and Kaspersky TDSSKiller can do both.
Mark Loman also refers to a Sinowal analysis from Prevx; PDF link (-http://www.aall86.altervista.org/files/Sinowal_new_Analysis.pdf-)
__________________
ROMANES EUNT DOMUS
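The cross-view problem Baserk describes above (a bootkit that keeps a clean copy of the MBR in another sector and hands that copy to anything reading sector 0 on the running system) can be illustrated with a small parser and comparison. This is an added example, not code from this thread, from HitmanPro, or from Fox-IT. It parses an MBR (440 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), compares the MBR as seen from the live system with a copy obtained independently (a clean-boot read or a disk image), and checks the bootstrap code against a set of known-good hashes. The two sector images, the partition layout and the "known-good" hash set are constructed for the example and stand in for real data; the bootstrap bytes are placeholders, not real Windows or Sinowal code.

```python
"""Cross-view check of a Master Boot Record (MBR).

Added example, not code from the original thread or from HitmanPro/Fox-IT.
A Sinowal/Mebroot-style bootkit overwrites the bootstrap code in sector 0,
keeps the clean MBR elsewhere and returns that clean copy to whoever reads
sector 0 through the hooked disk stack. So compare two views of sector 0
(live system vs. clean boot or disk image) and a known-good hash.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code; bytes 440-445 hold disk signature + padding
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE_OFF = 510


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class Mbr:
    boot_code: bytes
    partitions: List[Partition]

    def boot_code_sha256(self) -> str:
        return hashlib.sha256(self.boot_code).hexdigest()


def parse_mbr(sector: bytes) -> Mbr:
    """Parse a 512-byte MBR; raise ValueError if it is not structurally an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if status not in (0x00, 0x80):        # only 'inactive' and 'bootable' are valid
            raise ValueError(f"invalid status byte {status:#x} in partition entry {i}")
        if ptype != 0:                        # type 0 means an empty entry
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return Mbr(sector[:BOOT_CODE_LEN], parts)


def make_sector(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Build a constructed MBR sector for the example; this is test data, not a real disk."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if p.bootable else 0x00, b"\x00\x00\x00",
                    p.type_id, b"\x00\x00\x00", p.lba_start, p.sector_count)
        for p in partitions).ljust(64, b"\x00")
    return code + b"\x00" * 6 + table + b"\x55\xaa"


def check_mbr(live: bytes, offline: bytes, known_good: set) -> List[str]:
    """Compare the MBR read from the running system with an independently obtained
    copy, and the independent copy's boot code against known-good hashes."""
    findings = []
    a, b = parse_mbr(live), parse_mbr(offline)
    if a.boot_code != b.boot_code:
        findings.append("boot code differs between live and offline view: "
                        "sector-0 reads on the live system are being filtered")
    if a.partitions != b.partitions:
        findings.append("partition table differs between live and offline view")
    if b.boot_code_sha256() not in known_good:
        findings.append(f"offline boot code hash {b.boot_code_sha256()[:16]}... is not known-good")
    return findings


# Constructed stand-ins for clean and tampered bootstrap code (placeholders, not real samples).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
TAMPERED_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xe9\x00\x01" + b"\x90" * 429
PARTS = [Partition(True, 0x07, 63, 41929587)]      # one bootable NTFS partition, constructed

CLEAN_SECTOR = make_sector(CLEAN_BOOT_CODE, PARTS)
TAMPERED_SECTOR = make_sector(TAMPERED_BOOT_CODE, PARTS)
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}


def demo() -> dict:
    """Two scenarios: a clean disk, and a bootkit that hands the clean MBR to the
    live system while the real sector 0 (seen from an offline read) is tampered."""
    return {
        "clean": check_mbr(CLEAN_SECTOR, CLEAN_SECTOR, KNOWN_GOOD),
        "hooked": check_mbr(CLEAN_SECTOR, TAMPERED_SECTOR, KNOWN_GOOD),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Run as a script, the "clean" scenario reports nothing and the "hooked" scenario reports both that the two views disagree and that the real sector 0 is not known-good. The point is in what a single live read would have shown: `check_mbr(CLEAN_SECTOR, CLEAN_SECTOR, KNOWN_GOOD)` is exactly what a scanner sees when the rootkit filters sector-0 reads, and it returns nothing. That is why the Fox-IT text says only a few products detect this from a running system: a scanner that cannot get underneath the hooked read path needs its second view from a clean boot, a disk image or a lower-level read. Known-good hashes also have to match the exact boot code the OS installer wrote (the per-disk signature at offset 440 is excluded from the hash for that reason), so treat a hash mismatch on its own as "unknown" rather than "infected" and the view mismatch as the strong signal.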
#18
March 19th, 2012, 02:49 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

The Fox-IT article is saying:
Quote:
On Windows 2000 and Windows XP it will install the MBR bootkit, which is used since the end of 2007 as the method of startup, which is also commonly referred to as Mebroot. Only a few security products are able to detect this modified MBR from a running system and even less are able to actually clean it. HitmanPro from SurfRight and Tdsskiller from Kaspersky are two products that were confirmed to remove the bootkit component on Windows 2000 and Windows XP systems.

I'm wondering whether the Eset standalone cleaner for Mebroot was tried and if so whether it was successful in cleaning.
http://kb.eset.com/esetkb/index?page...nt&id=SOLN2372
#19
March 19th, 2012, 03:19 PM
erikloman
Developer
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by FanJ
The Fox-IT article is saying:

I'm wondering whether the Eset standalone cleaner for Mebroot was tried and if so whether it was successful in cleaning.
http://kb.eset.com/esetkb/index?page...nt&id=SOLN2372
Good question. The Mebroot cleaner is from 2010. I just tried it:
[Attachment 232189: Windows XP Home Edition EN-2012-03-19-20-15-35.png]
We are going to release the infected VMware session to AV partners so they can improve their products. We already delivered it to McAfee.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#20
March 19th, 2012, 07:02 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by erikloman
Good question. The Mebroot cleaner is from 2010. I just tried it:
Attachment 232189
We are going to release the infected VMware session to AV partners so they can improve their products. We already delivered it to McAfee.

Thanks Erik!

PS: only now saw your blog:
http://hitmanpro.wordpress.com/2012/...escue-mission/
#21
March 20th, 2012, 02:39 PM
Baserk
Frequent Poster
Join Date: Apr 2008
Location: Amstelodamum
Posts: 969
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by erikloman
...
We are going to release the infected VMware session to AV partners so they can improve their products. We already delivered it to McAfee.
I'm not asking to divulge strategic company information but how is McAfee one of your AV partners?
Simply as in one of the several/many AV companies you share samples with?
Did they ask you or did you offer them the VMWare session?
__________________
ROMANES EUNT DOMUS
#22
March 20th, 2012, 04:18 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Aha, at first I read Erik's "We are going to release the infected VMware session to AV partners" as meaning that it would be sent to all AV vendors, but I see now that I might have misunderstood it (or not?).

Erik,
I too am not asking for your company's secrets. All I am asking is: please share samples or that infected VMware session with all the other AV vendors. Thanks.
#23
March 21st, 2012, 01:43 PM
erikloman
Developer
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by Baserk
I'm not asking to divulge strategic company information but how is McAfee one of your AV partners?
Simply as in one of the several/many AV companies you share samples with?
Did they ask you or did you offer them the VMWare session?
McAfee asked for the session.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#24
March 21st, 2012, 01:45 PM
erikloman
Developer
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by FanJ
Aha, at first I read Erik's "We are going to release the infected VMware session to AV partners" as meaning that it would be sent to all AV vendors, but I see now that I might have misunderstood it (or not?).

Erik,
I too am not asking for your company's secrets. All I am asking is: please share samples or that infected VMware session with all the other AV vendors. Thanks.
The samples won't unpack anymore. We share the session with every AV vendor who asks for it.

Hope this helps.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#25
March 21st, 2012, 06:45 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,799
Re: Dutch news site nu[dot]nl infected [14 March 2012]

Quote:
Originally Posted by erikloman
The samples won't unpack anymore. We share the session with every AV vendor who asks for it.

Hope this helps.

Hi Erik,

Thanks for your reply.
Pity that the samples won't unpack anymore, but I guess that's how the "nature" of this infection works.
I do appreciate that you will share the VMware session with every AV vendor! That's what I wanted to hear; thanks.
I don't know whether it is common policy that other AV vendors have to ask for it or that it will be shared without asking for it anyway.
Neither can I tell of how much value the infected VMware session is for the analysts of the AV vendors.

Thanks again.

Regards,
Jan
 

Copyright ©2002 - 2013, Wilders Security Forums