Dutch news site nu[dot]nl infected [14 March 2012]

Discussion in 'other security issues & news' started by FanJ, Mar 14, 2012.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Last edited: Mar 14, 2012
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Can you give brief info in English on what happened? What kind of infection, is it fixed, etc.?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here you go

    "An ad was infected on NU.nl (a fairly popular Dutch news site) with a Java exploit (targeting old Java versions), which tried to install an adopted version of the Sinowal rootkit (which tries to collect info on banking accounts). The ad linked to an Indian site on which the exploit was hosted. Due to large traffic the Indian site went down."
     
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Cudni,

    It was first detected today by Erik or Mark Loman during a demonstration by SurfRight at an open day of the Dutch Hobby Computer Club HCC.
    It was detected by accident when Java was suddenly asked for, while Mark says he has no Java installed.
    It seems to be a Java exploit that wants to install a version of Sinowal (a rootkit aimed at stealing bank accounts and infecting the MBR).
    At first it was thought it was coming from an advertisement.
    Later it looked like the attacker had access to the nu[dot]nl webserver.
    The exploits seem to be part of the 'Nuclear Exploit Pack', using exploits in Java, Flash and Adobe Reader.

    At 16.10 hour (Dutch time) the owner of nu[dot]nl let it be known that account data of the Content Management System (CMS) were in the wrong hands. All accounts were renewed by the owner. Logs were saved. All code will be inspected. The site will be built up again; that might take at least up to 02.00 hour (Dutch time).

    From what I understand, at the time of the detection no scanner at VirusTotal was detecting it.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Ahh, good old Java again. :rolleyes:
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Also posted at Dutch site Tweakers.net with long discussion (which I haven't read at the moment):
    http://tweakers.net/nieuws/80668/nu-punt-nl-serveerde-kortstondig-malware.html

    and the usual confusion between Java and JavaScript :rolleyes:

    Erik Loman posted at Twitter:
    -https://twitter.com/#!/erikloman/status/179889389432877057
    But I refuse to use Twitter so if anyone can post the content of that (if allowed)....
     
  7. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    According to the analysis on the weblog of Sijmen Ruwhof, the obfuscated JavaScript was checking if older versions of Adobe Reader 8 to 9.3 or Java 5 to 5.0.23 / 6 to 6.0.27 were installed.
    If so, users were treated to a 'Blackhole/Sinowal/Torpig' variant. (Sijmen Ruwhof weblog (in Dutch) link).
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Yep, thanks Baserk. It is the best "breakdown" so far I have seen.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    HitmanPro 3.6 Build 148 Released

    • NEW: Added detection and removal of Sinowal.knf rootkit (aka Mebroot, Torpig).
      This rootkit was served through the Dutch NU.nl news site on March 14, 2012 from 11:30 till 13:42.
      See also: http://www.nu.nl/internet/2763447/korte-tijd-malware-verspreid-via-nunl.html
    • IMPROVED: Crusader malware removal engine to counter watchdogs.
    • IMPROVED: Detection and removal of 64-bit variant of ZeroAccess (aka Sirefef).
      Detects and removes the Desktop.ini ZeroAccess files in the assembly folder.
    • INFO: Hitman Pro is called HitmanPro. On Twitter use #HitmanPro.
    • Several other minor improvements.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks Erik.
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    The Dutch site Waarschuwingsdienst.nl is giving a warning about the infection that happened yesterday at the Dutch news site nu.nl. Waarschuwingsdienst.nl is the Dutch National Alerting Service. The National Alerting Service resides within GOVCERT.NL, the Computer Emergency Response Team for the Dutch government.

    In Dutch:
    http://www.waarschuwingsdienst.nl/R...025 Nieuwssite NU.nl verspreidde malware.html

    ===

    The weblog of nu.nl has two postings about it today, in Dutch:
    -http://nuweblog.wordpress.com/2012/03/15/update-malware-verspreid-via-nu-nl/

    -http://nuweblog.wordpress.com/2012/03/15/cyberaanval-op-nu-nl-update-2/

    ===

    May I ask Mark and Erik Loman of Surfright (HitmanPro) urgently but also in the most friendly way to share their samples about this infection with the other AV vendors (if not already done so). Please guys, please!
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    According to the Dutch broadcast company NOS (at teletekst), the Dutch security company Fox-IT is estimating that maybe 100.000 computers in The Netherlands are infected due to that infection at nu[dot]nl.
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    There is now an article in English at the weblog of Dutch security company Fox-IT.
    (BTW, Fox-IT is for example well known from when they were asked by the Dutch government to investigate the DigiNotar hack last year.)

    It is a long and detailed analysis.
    All AV/AT/AS/AM vendors are encouraged to read it.

    It gives VT links for two SmokeLoader Trojans that were used,
    and then the two VT links follow.

    The rootkits Sinowal/Mebroot were involved.

    I quote the end of the article:
     
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Luckily a calando finale; over 100.000 'infections' by successfully hacking one of the most read Dutch news sites, offering a banking trojan just around lunch time, and now it appears that this specific Sinowal trojan is actually malfunctioning and possibly only effective in less than 0.5% of total 'infected' PCs.
     
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Yes, you are right Baserk.

    But:
    1.
    The two SmokeLoader Trojans were initially not detected by almost all AVs; that has now improved.
    2.
    Fox-IT only looked at corporate computers. How about the home computers?
    3.
    The end conclusion:
    They are not able to verify why this happened.
    4.
    Is the situation about detecting and cleaning of Sinowal/Mebroot that bad, generally speaking?
     
  17. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Mark Loman explains best in his posts on Tweakers forum link (sorry folks, Dutch forum link)

    He explains that the way the rootkit copies a clean version of the MBR to a different sector and then 'presents' it during an AV scan makes it difficult to detect the rootkit.
    Cleaning is more difficult because of its own self-protection: a reg key is added and watched over by a separate hidden thread/'watchdog'. Detection of such a new variant is one thing, but cleaning is another. HMP3 and Kaspersky TDSSKiller can do both.
    Mark Loman also refers to a Sinowal analysis from Prevx; PDF link
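One way to turn Mark Loman's point about the rootkit "presenting" a clean MBR into a check, as an added example that is not part of the original post: compare the MBR as the running OS returns it against a copy read out-of-band (for instance from a clean boot medium), and compare the out-of-band copy against a known-good boot-code hash. The sample sectors, the placeholder boot code and the known-good hash below are constructed for illustration, not taken from the incident.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445: boot code
PART_TABLE_OFF = 446         # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510-511: boot signature

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append((status == 0x80, ptype, lba, count))
    return {
        "boot_hash": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:] == SIGNATURE,
    }

def cross_view_check(os_view: bytes, oob_view: bytes, known_good_hash: str) -> list:
    """Compare the MBR the running OS hands back with a copy read out-of-band.
    A rootkit that answers reads with a saved clean copy shows up as a mismatch."""
    a, b = parse_mbr(os_view), parse_mbr(oob_view)
    findings = []
    if a["boot_hash"] != b["boot_hash"]:
        findings.append("boot code differs between OS view and out-of-band view")
    if b["boot_hash"] != known_good_hash:
        findings.append("out-of-band boot code does not match known-good image")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs between views")
    if not b["signature_ok"]:
        findings.append("out-of-band MBR lacks the 0x55AA signature")
    return findings

# Constructed sample sectors (placeholders, not captured from the incident).
def make_mbr(boot_code: bytes, part_entries: bytes) -> bytes:
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + part_entries.ljust(64, b"\x00") + SIGNATURE

ONE_PART = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)        # bootable NTFS-type entry
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", ONE_PART)   # placeholder clean boot code
TAMPERED_MBR = make_mbr(b"\xeb\xfe", ONE_PART)                         # placeholder hijacked boot code
KNOWN_GOOD_HASH = parse_mbr(CLEAN_MBR)["boot_hash"]

if __name__ == "__main__":
    # The OS-visible copy looks clean; the out-of-band read exposes the modified boot code.
    print(cross_view_check(CLEAN_MBR, TAMPERED_MBR, KNOWN_GOOD_HASH))
```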
     
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    The Fox-IT article is saying:
    I'm wondering whether the Eset standalone cleaner for Mebroot was tried and if so whether it was successful in cleaning.
    http://kb.eset.com/esetkb/index?page=content&id=SOLN2372
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Good question. The Mebroot cleaner is from 2010. I just tried it:
    [attached screenshot: Windows XP Home Edition EN-2012-03-19-20-15-35.png]
    We are going to release the infected VMware session to AV partners so they can improve their products. We already delivered it to McAfee.
     
  20. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  21. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    I'm not asking to divulge strategic company information but how is McAfee one of your AV partners?
    Simply as in one of the several/many AV companies you share samples with?
    Did they ask you or did you offer them the VMware session? ;)
     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Aha, at first I read Erik's "We are going to release the infected VMware session to AV partners" in the way that it would be sent to all AV vendors, but I see now that I might have misunderstood it (or not?).

    Erik,
    I too am not asking for your company's secrets. All I am asking is: please share samples or that infected VMware session with all the other AV vendors. Thanks.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    McAfee asked for the session.
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    The samples won't unpack anymore. We share the session with every AV vendor who asks for it.

    Hope this helps.
     
  25. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Erik,

    Thanks for your reply.
    Pity that the samples won't unpack anymore, but I guess that's how the "nature" of this infection works.
    I do appreciate that you will share the VMware session with every AV vendor! That's what I wanted to hear; thanks.
    I don't know whether it is common policy that other AV vendors have to ask for it or that it will be shared without asking for it anyway.
    Neither can I tell of how much value the infected VMware session is for the analysts of the AV vendors.

    Thanks again.

    Regards,
    Jan
     