Domain Shadowing Attack Vector Lands in Angler Exploit Kit

Discussion in 'malware problems & news' started by Dermot7, Mar 8, 2015.

  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.eweek.com/security/domain-shadowing-attack-vector-lands-in-angler-exploit-kit.html

    http://blogs.cisco.com/security/talos/angler-domain-shadowing

     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    While this itself is interesting, it shouldn't affect IP reputation much, and ofc doesn't affect IPS blocking capability.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't see this as especially threatening to the home user, unless, as mentioned in the Cisco blog cited by Dermot7:
    Domain Shadowing is just the latest in the evolving "evasive techniques." An early technique mentioned back in 2007 by Finjan:

    Finjan's Latest Web Security Trends Report Reveals New Genre of Evasive Attacks
    http://www.prnewswire.com/news-rele...ls-new-genre-of-evasive-attacks-57764697.html
    June 2007
    Just prior to finding that report, I had encountered a redirection exploit and was able to run it from the URL just one time. I didn't know why, until the Finjan report explained. Its purpose was to keep anti-malware people from analyzing the exploit. Its weakness, though, was you just had to reboot your computer and obtain a new IP address, and you could run the attack again.

    In 2010 with the lenovo.com fiasco, that domain was compromised to redirect to a page that used the evasive technique. That page hosted the Phoenix Exploit Kit which served up a JAVA exploit, downloading a trojan executable. JAVA was more widely used back then, but if you had JAVA whitelisted, the exploit failed to run.

    Then followed the "Advanced Evasive Techniques," which just made them a bit more sophisticated.

    "Fast Flux" was next:

    http://www.pctools.com/security-news/fast-flux-botnet/
    And now "Domain Shadowing." As with the earlier evasive technique, analysis of the exploit is made more difficult. From Cisco:
    So, how does the "attack" work? The Cisco blog cited by Dermot7 has a nice diagram:

    http://blogs.cisco.com/security/talos/angler-domain-shadowing

    Scroll down to "Analysis of Subdomains." The diagram shows the sequence of events taking the user to the "landing page." Note the skull and bones icon under the caption, "System is compromised" -- there to scare the reader, of course.

    But does it matter that these domains are constantly changing? Does it make the attack more serious whether the exploit kit is hosted on this domain, or that domain? What happens when the user arrives on the landing page with the exploit kit? Cisco continues:
    Well, well, is anything really new?

    Cisco's conclusion:
    Why is it that we never see statements like the following?

    ----
    rich
     
    Last edited: Mar 11, 2015
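    An added example, not from the thread or the Cisco post it links, of how a defender might spot the domain-shadowing pattern Rmus describes in DNS logs: many generated-looking subdomains appearing under a legitimate registered domain and resolving to infrastructure that the domain's ordinary hosts never use. The log records, hostnames and IPs are constructed, and "registered domain" is approximated as the last two labels (an assumption; a real deployment would consult the public suffix list).

```python
import math
from collections import defaultdict

# Constructed passive-DNS style records: "<epoch> <queried name> <answer IPv4>".
SAMPLE_LOG = """\
1425800001 www.example-shop.com 198.51.100.10
1425800002 mail.example-shop.com 198.51.100.11
1425800100 qz8a3k.example-shop.com 203.0.113.5
1425800130 x7rt2p.example-shop.com 203.0.113.5
1425800160 m4vq91.example-shop.com 203.0.113.5
1425800190 b2ncx0.example-shop.com 203.0.113.6
1425800220 k9lw4e.example-shop.com 203.0.113.6
1425800300 www.example-news.org 192.0.2.20
1425800301 cdn.example-news.org 192.0.2.21
"""

def label_entropy(label):
    """Shannon entropy (bits/char) of a hostname label; random labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values()) if label else 0.0

def registered_domain(name):
    # Assumption: the last two labels approximate the registrable domain
    # (a real deployment would use the public suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def looks_generated(label, min_entropy=2.3):
    """Heuristic for machine-made subdomains: long, letters mixed with digits, high entropy."""
    return (len(label) >= 6 and label.isalnum() and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label) and label_entropy(label) >= min_entropy)

def find_shadowed_domains(log_text, min_subdomains=4):
    """Map registered domain -> generated-looking subdomains that resolve to IPs
    never used by that domain's ordinary hosts (the domain-shadowing pattern)."""
    per_domain = defaultdict(lambda: {"normal_ips": set(), "suspects": {}})
    for line in log_text.splitlines():
        _, name, ip = line.split()
        entry = per_domain[registered_domain(name)]
        if looks_generated(name.split(".")[0]):
            entry["suspects"][name] = ip
        else:
            entry["normal_ips"].add(ip)
    flagged = {}
    for dom, entry in per_domain.items():
        off_infra = [n for n, ip in entry["suspects"].items() if ip not in entry["normal_ips"]]
        if len(off_infra) >= min_subdomains:
            flagged[dom] = sorted(off_infra)
    return flagged
```

    The thresholds are deliberately loose; in practice the hit list is a queue for a reputation or sandbox check, not a block list on its own.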
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for the great explanation!
    Yup, surely. If one doesn't want to be bothered by NoScript or so, even just enabling click-to-play will make a difference tho not perfect. Also using Chrome and not allowing unsandboxed plugin access to the PC is another countermeasure. And in this particular case, as it is malvertising, even blocking ads can save many people tho again not perfect. I actually visited Dailymotion just before Angler infected ads on it, but I got no alert either from AV or anti-exploit.
    Maybe I was just (un)lucky but to be honest I wonder how we can actually come across in-the-wild exploits except in intended testing. Most warnings I got seemed to be FPs tho I haven't confirmed all of them. At least all I reported were confirmed as FP.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome, Yuki.
    I've wondered that for many years!

    Now, the Dailymotion hack received a lot of press coverage, with misleading information and the usual doomsday scenario. A typical example:

    http://www.sci-tech-today.com/story.xhtml?story_id=0020006M9I4A
    Infection Happens 'Automatically'
    A more accurate statement would be that "Redirection happens automatically." One needs to remember that the user is redirected away from the Dailymotion site, else you might think that the attack code and payload are on the Dailymotion site. (This is shown in the diagram I referred to in my post above.) Even at that point, though, the infection may not be automatic, depending on the user's setup.

    You mention the Angler Exploit Kit, which has acquired quite a reputation. A few descriptions from the press:
    If you read the comprehensive analyses, you see that the sophistication refers to two sections of the attack. The first is the landing page itself:

    http://community.websense.com/blogs...xploit-kit-operating-at-the-cutting-edge.aspx
    This is of concern if the user's security depends on detecting known signature code/behavior. If that security fails at this point, the exploit runs. The article continues with the second area of sophistication:
    Now, all of this makes for fascinating reading. The press loves "doomsday scenarios," and we can ooh and ahh (be impressed) by this sophistication. But the infection is not automatic when you examine what this Exploit Kit contains. At the moment, the exploits are Flash and Silverlight, both plug-ins.

    If the user is concerned about encountering such an exploit, one preventative solution is to have plug-ins configured per site. Then, if redirected to a landing page (an unauthorized site) the exploit does not run.

    And, as you point out, if you have some control over advertisements, you might not even get redirected from the original site (Dailymotion in your case)!

    Years ago I decided for myself that the Firewall and the Browser were the two most important security products I could have. Nothing since then has changed my mind.

    REFERENCES

    http://www.zdnet.com/article/protect-yourself-from-flash-attacks-in-internet-explorer/
    http://kb.mozillazine.org/Flash#Enabling_and_disabling_Flash

    regards,

    ----
    rich
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Well, I personally do not like those things being used in marketing and advertising for security products, as we know, actually we can be safe even w/out such products 99% of the time provided we take proper measures.

    What's more important is blocking all major attack paths at some level rather than using a certain product, and we have nearly infinite ways to achieve this, ofc including but not limited to using such products.

    But I'm aware most of the talk here is more of a hobby rather than actual fear or practical precaution. We just enjoy talking about those "advanced" threats and techniques.
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    That's very useful to know. Sometimes security bulletins miss out on vital information, all too often the actual mechanism of infection.

    As long as exploit kits continue to host malware on external sites, then there is no risk for me after all.
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    There was a time years ago when a particular web-server exploit allowed many sites to become automatically compromised, and their website code altered to contain a hidden iframe redirecting users to another site hosting an exploit kit. Local businesses and government websites were affected, so the average user was quite likely to encounter an exploit kit.

    If you weren't vulnerable to it, and your AV didn't catch the obfuscated exploit script, then you likely wouldn't have noticed any problem. Also keep in mind that some of these IPs or domains become abandoned within hours of having served malware, so they could easily appear to be an FP.

    It was a fun time, as the obfuscated code made it easy to check websites by hand (without needing tools like Wepawet), so you could easily confirm for people which website was hosting malicious code.
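    An added example, not posted by RJK3 or anyone else in the thread, of checking a page's source for the hidden-iframe redirect described above: it flags iframes that are hidden by CSS, sit inside a hidden container, or are 0/1 px in size, and notes when their src points off-site. The sample HTML, the IP, the hostnames and the page host council.example.gov are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page: one legitimate embed, two injected hidden iframes.
SAMPLE_HTML = """<html><body><h1>Local Council News</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div style="display:none"><iframe src="http://203.0.113.7/in.php" width="1" height="1"></iframe></div>
<iframe src="http://qz8a3k.example-shop.com/land.html" style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""
# CSS that keeps an element invisible or off-screen for the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)

def _tiny(value):
    # 0px/1px dimensions: the classic "invisible" iframe size.
    return bool(re.fullmatch(r"\s*[01](px)?\s*", value or ""))

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []      # (tag, is_hidden) for currently open elements
        self.findings = []   # (iframe src, list of reasons)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if any(hidden for _, hidden in self.stack):
            reasons.append("hidden-ancestor")
        hidden = bool(reasons)
        if tag == "iframe":
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny-size")
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host:
                reasons.append("offsite-src")  # redirect target lives elsewhere
            if hidden or "tiny-size" in reasons:
                self.findings.append((a.get("src", ""), reasons))
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; unclosed void elements above it go too.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_iframes(html, page_host):
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    return parser.findings
```

    This catches the static injection RJK3 describes; an iframe written by obfuscated JavaScript only appears after the script runs, so the same check would have to be applied to the rendered DOM.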
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I've been keeping up-to-date since my first usage of my PC, and when I get a warning I basically don't go on unless really needed. When needed, if possible I wait for confirmation. If not possible, I use a proxy gateway service and don't go directly.

    Yup, when a server is infiltrated and embedded with obfuscated code, it's easy to find it from within the source code.
     
  10. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://research.zscaler.com/2015/04/angler-exploit-kit-utilizing-302.html
     
  11. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://blogs.cisco.com/security/talos/nuclear-sophistication
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    http://blogs.cisco.com/security/talos/nuclear-sophistication
    But the attack method hasn't changed:
    ----
    rich
     