Dutch news site nu[dot]nl infected [14 March 2012]

It seems that the Dutch news site nu[dot]nl is infected, detected by Erik and Mark Loman of HitManPro.

Dutch news about it at:
http://www.hcc.nl/vereniging/vereniging-nieuws/trojaans-paard-op-nunl-ontdekt
http://www.security.nl/artikel/40727/1/NU.nl_besmet_bezoekers_met_malware.html

 

Can you give a brief info in English on what happened? What kind of infection, is it fixed etc etc

 

Here you go

"An ad was infected on NU.nl (a fairly popular Dutch news site) with an Java Exploit (targetting old Java versions), which tried to install an adopted version of the Sinowal rootkit (which tries to collect info on banking accounts). Ad linked to an Indian site on which the exploit was hosted. Due to large traffic the Indian site went down."

 

Hi Cudni,

It was first detected today by Erik or Mark Loman during a demonstration by SurfRight at an open day of the Dutch Hobby Computer Club HCC.
It was detected by accident when suddenly was asked for Java while Mark says he has no Java installed.
It seems to be a Java exploit that wants to install a version of Sinowal (rootkit aimed at stealing bank-accounts and infecting MBR).
At first was thought it was coming from an advertisement.
Later it looked that the attacker had acces to the nu[dot]nl webserver.
The exploits seem to be part of the 'Nuclear Exploit Pack', using exploits in Java, Flash, Adobe Reader.

At 16.10 hour (Dutch time) the owner of nu[dot]nl did let know that account data of Content Management Systeem (CMS) were in the wrong hands. All accounts were renewed by the owner. Logs were saved. All code will be inspected. The site will be build up again; that might take at least up to 02.00 hour (Dutch time).

From what I understand at the time of the detection no scanner at VirusTotal were detecting it at that time.

 

Ahh, good old Java again.

 

Also posted at Dutch site Tweakers.net with long discussion (which I haven't read at the moment):
http://tweakers.net/nieuws/80668/nu-punt-nl-serveerde-kortstondig-malware.html

and the usual confusion between Java and Java-script

Erik Loman posted at Twitter:
-https://twitter.com/#!/erikloman/status/179889389432877057
But I refuse to use Twitter so if anyone can post the content of that (if allowed)....

 

According to the analysis on the weblog of Sijmen Ruwhof, the obfuscated javascript was checking if older versions of Adobe Reader 8 to 9.3 or Java 5 to 5.0.23 / 6 to 6.0.27 were installed.
If so, users were treated to a 'Blackhole/Sinowal/Torpig' variant. (Sijmen Ruwhof weblog (in dutch) link).

 

Yep, thanks Baserk. It is the best "breakdown" sofar I have seen.

 

We have just released a BETA update of HitmanPro that detects and removes the NU.nl malware Sinowal.knf.

32-bit: http://dl.surfright.nl/HitmanPro36beta.exe
64-bit: http://dl.surfright.nl/HitmanPro36beta_x64.exe

 

HitmanPro 3.6 Build 148 Released

• NEW: Added detection and removal of Sinowal.knf rootkit (aka Mebroot, Torpig).
  This rootkit was served through the Dutch NU.nl news site on March 14, 2012 from 11:30 till 13:42.
  See also: http://www.nu.nl/internet/2763447/korte-tijd-malware-verspreid-via-nunl.html
• IMPROVED: Crusader malware removal engine to counter watchdogs.
• IMPROVED: Detection and removal of 64-bit variant of ZeroAccess (aka Sirefef).
  Detects and removes the Desktop.ini ZeroAccess files in the assembly folder.
• INFO: Hitman Pro is called HitmanPro. On Twitter use #HitmanPro.
• Several other minor improvements.

 

Thanks Erik.

 

The Dutch site Waarschuwingdienst.nl is giving a warning about the infection that yesterday happened at the Dutch news site nu.nl. Waarschuwingsdienst.nl is the Dutch National Alerting Service. The National Alerting Service resides within GOVCERT.NL, the Computer Emergency Response Team for the Dutch government.

In Dutch:
http://www.waarschuwingsdienst.nl/R...025 Nieuwssite NU.nl verspreidde malware.html

===

The weblog of nu.nl has two postings about it today, in Dutch:
-http://nuweblog.wordpress.com/2012/03/15/update-malware-verspreid-via-nu-nl/

-http://nuweblog.wordpress.com/2012/03/15/cyberaanval-op-nu-nl-update-2/

===

May I ask Mark and Erik Loman of Surfright (HitmanPro) urgently but also in the most friendly way to share their samples about this infection with the other AV vendors (if not already done so). Please guys, please!

 

According to the Dutch broadcast company NOS (at teletekst) the Dutch security company Fox-IT is estimating that maybe 100.000 computers in The Netherlands are infected due to that infection at nu[dot]nl

 

There is now an article in English at the weblog Fox-IT of Dutch security company Fox-IT.
(BTW Fox-IT is for example well known when they were asked by the Dutch government to investigate the DigiNotar hack last year).

It is a long and detailed analysis.
All AV/AT/AS/AM vendors are encougared to read it.

It gives VT-links for two Smokeloader Trojans that were used.

and then follows the two VT-links.

Rootkits Sinowal/Mebroot were involved.

I quote the end of he article:

Read more

 

Luckily a calando finale; over 100.000 'infections' by succesfully hacking one of the most read dutch news sites, offering a banking trojan just around lunch time and now it appears that this specific Sinowal trojan is actually malfunctioning and possibly only effective in less than 0.5% of total 'infected' PC's.

 

Yes, your are right Baserk.

But:
1.
The two SmokeLoader Trojans were initially not detected by almost all AV's; that has now improved.
2.
Fox-IT only looked at corporate computers. How about the home computers?
3.
The end conclusion:

They are not able to verify why this happened.
4.
Is the situation about detecting and cleaning of Sinowal/Mebroot that bad, generally speaking?

 

Mark Loman explains best in his posts on Tweakers forum link (sorry folks, Dutch forum link)

He explains that the way the rootkit copies a clean version of the MBR to a different sector and then 'presents' it during an AV scan, makes it difficult to detect the rootkit.
Cleaning is more difficult because of it's own self protection, a reg key is added and watched over by a separate hidden thread/'watchdog'. Detection of such a new variant is one thing but cleaning another. HMP3 and Kaspersky TDSS Killer can do both.
Mark Loman also refers to a Sinowal analysis from Prevx; PDF link

 

The Fox-IT article is saying:

I'm wondering whether the Eset standalone cleaner for Mebroot was tried and if so whether it was successful in cleaning.
http://kb.eset.com/esetkb/index?page=content&id=SOLN2372

 

Good question. The Mebroot cleaner is from 2010. I just tried it:

We are going to release the infected VMware session to AV partners so they can improve their products. We already delivered it to McAfee.

 

Thanks Erik!

PS: only now saw your blog:
http://hitmanpro.wordpress.com/2012/03/16/rescue-mission/

 

I'm not asking to divulge strategic company information but how is McAfee one of your AV partners?
Simply as in one of the several/many AV companies you share samples with?
Did they ask you or did you offer them the VMWare session?

 

Aha, at first I did read Erik's "We are going to release the infected VMware session to AV partners" in the way that it would be send to all AV vendors, but I see now that I might have misunderstood it (or not?).

Erik,
I too am not asking for your company's secrets. All I am asking is: please share samples or that infected VMware session with all the other AV vendors. Thanks.

 

McAfee asked for the session.

 

The samples wont unpack anymore. We share the session with every AV vendor who asks for it.

Hope this helps.

 

Hi Erik,

Thanks for your reply.
Pity that the samples wont unpack anymore, but I guess that's how the "nature" of this infection works.
I do appreciate that you will share the VMware session with every AV vendor! That's what I wanted to hear; thanks.
I don't know whether it is common policy that other AV vendors have to ask for it or that it will be shared without asking for it anyway.
Neither can I tell of how much value the infected VMware session is for the analysts of the AV vendors.

Thanks again.

Regards,
Jan