Alex Eckelberry and the rest of our friends over at Sunbelt Software have uncovered the latest apparent victim of the MPack toolkit that I have been blogging about the past few weeks. This time, the compromised web site appears to belong to a bank: specifically, the Bank of India.
Sunbelt confirms that the compromised site was, at a minimum, serving up 31 different pieces of malware to the bank's customers (see full list below), via an embedded IFRAME hidden in the bank's landing page.
The Bank of India has confirmed the attack and its US web site is currently displaying an "under maintenance" sign. Sunbelt Software is reporting the attack began last Wednesday evening, but the bank says it is unaware of how long the web site was compromised.
This, and other similarities to attacks on hosting companies in Italy and elsewhere, including the US, point to the Russian Business Network, a criminal group responsible for creating MPack - a PHP-based malware-distribution system that can be designed to look like a legitimate web site administration tool.
Dancho Danchev is reporting that the attackers may have combined MPack with an exploit kit called n404. His analysis of the problem is worth reading and shows that the Fast Flux domain service, javascript obfuscation and multiple IFRAMEs may have been involved - here's an extract:
"At the bank's URL there's a link pointing out to goodtraff.biz (58.65.239.66) where an IFRAME loads to 81.95.144.148/in.cgi?10 whereas while accessing it we get response from 81.95.144.146, where we get the usual javascript obfuscation leading us to 81.95.144.146/at/index.php and 81.95.144.146/rut/index.php."
"Furthermore, the second IFRAME leads us to x-traffic.biz/ts/in.cgi?user0224 (which is a Russian Adult Traffic network) redirecting us to mymoonsite.net/check/version.php?t=167 (81.95.148.13) and a third one loading goodtraff.biz/tds/index.php (empty)."
"What does it mean? It means the Russian Business Network has not just managed to inject its presence on Bank of India's site, but is also using multiple-iframing as an attack vector, thus creating a fast-flux network with multiple campaigns..."
What is an IFRAME? Think of an IFRAME as a transparent "window" inside a web page that can be used to "frame" another web page located either on the same server, or on an entirely different server - in this case, a web page from a server in Russia containing 31 pieces of malware.
How invisible is an IFRAME? The answer is: totally invisible. Creating a transparent IFRAME is beyond easy for even a novice - hackers just need to set IFRAME attributes such as "height" or "frameborder" to "0" and style it with "background-color: transparent", and customers are never going to see it.
How bad is the malware served up from the bank's hacked web page? Really bad. Sunbelt and Panda report that "Pinch", a particularly nasty Trojan designed to steal personal information, was one of the pieces of malware served up to users. Here's the list that Alex posted yesterday:
Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview
Q. If IFRAMEs can be used to do bad things, then why don't security companies just look for web pages that contain an IFRAME and filter them out?
A. IFRAMEs are a good technology. They are used by millions of legitimate sites. Example: The world's most-trafficked web site - Google - uses IFRAMEs within the popups launched from its homepage. IFRAMEs can be extremely useful in the context of a well-managed, well-designed web site.
Q. How is it possible to infect thousands of web sites at once?
A. Here's a step-by-step example of how hosted web sites get compromised (my thanks to Robert and Eric and the rest of the Virus Lab team for their presentation on this last week):
Step 1. An over-worked web site administrator with zero budget goes looking for an easy-to-use free admin tool that will help him administer the growing number of web pages and/or sites he is managing/hosting.
Step 2. Searching online, the admin finds, either via Google Ads (yes, hackers buy AdWords too) or a web page, a terrific, full-featured tool that looks professionally-designed.
Step 3. The admin downloads the tool and installs it on his Apache web server, placing it inline with the web pages of his customers.
Step 4. Without the knowledge of the administrator, the toolkit begins surreptitiously inserting an IFRAME into every web page located on that server.
Step 5. An end user surfs to the web site of a trusted brand using a PC that has not been patched recently. Unfortunately, the landing page of the site now contains an IFRAME that points to an entirely different web server, and as the page loads, the invisible IFRAME, and the associated malware, loads with it.
Step 6. The user, his unpatched PC now 100% "owned", pours another cup of coffee, totally unaware that his personal data is now being migrated from his PC to a database in Russia.
Hosting companies in Italy - and their customers - have been hardest-hit by this fake admin tool approach, because the tool includes some rather clever "features".
For example, let's say a web site manager downloads and uses the MPack tool, then later discovers an IFRAME in the web page it was supposed to be administering - and removes it. The tool is smart enough to recognize this has happened and will surreptitiously replace the removed IFRAME without the administrator knowing.
The disturbing thing about all this is the likelihood that thousands of web site administrators will not read any of these posts, and will continue to download MPack-based fake administration tools and infect tens of thousands more sites - including online banking and commerce sites.
What can you do to stop this happening? Authentium says:
1. Don't use free web site administration tools from unknown companies
2. Don't use web site hosting companies that use free tools - ask them for an audited list of what they are using, and ask them to include *all* software that touches your web site
3. Maintain up-to-date anti-malware software on *all* of your servers
4. Keep an eye on your web pages and especially on your (hopefully legitimate) IFRAMEs
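To make point 4 concrete, and to show how the invisible-IFRAME trick described earlier (zero-size or CSS-hidden frames pointing at a foreign server) can be spotted from the defender's side, here is an added example scanner. It is not code from the original post, from Authentium, or from Sunbelt. It parses HTML pages, flags any IFRAME that is hidden or whose src points at a host outside an allowlist, and compares the full set of IFRAME sources per page against a saved baseline so that a frame the toolkit quietly re-inserts after you removed it is reported again. ALLOWED_HOSTS, the sample page and the domain names in it are constructed placeholders.

```python
"""Scan a web document root for hidden or off-site IFRAMEs and diff them against a baseline.

Added example, not Authentium's or Sunbelt's code. ALLOWED_HOSTS and SAMPLE_PAGE are
constructed placeholders; the JSON baseline format is an assumption of this script.
"""
import json
import os
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts your own pages are allowed to frame (hypothetical; fill in your real ones).
ALLOWED_HOSTS = {"www.example-bank.invalid"}

# Constructed sample page: one legitimate frame and one injected, invisible, off-site frame.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example-bank.invalid/rates" width="400" height="300"></iframe>
<iframe src="http://malicious.invalid/index.php" width="0" height="0" frameborder="0"
        style="background-color: transparent"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a dimension is 0 or 1 (one-pixel frames are invisible in practice)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def is_hidden(attrs):
    """A frame the user would never see: zero-size attributes or CSS that hides it."""
    if _tiny(attrs.get("height")) or _tiny(attrs.get("width")):
        return True
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for prop in ("height", "width"):
        m = re.search(r"(?:^|;)" + prop + r":(\d+)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def is_offsite(attrs, allowed_hosts):
    """Absolute src pointing at a host that is not on the allowlist."""
    host = urlparse(attrs.get("src", "")).hostname
    return host is not None and host.lower() not in allowed_hosts


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per suspicious iframe: its src and why it was flagged."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        reasons = []
        if is_hidden(frame):
            reasons.append("hidden")
        if is_offsite(frame, allowed_hosts):
            reasons.append("off-site src")
        if reasons:
            findings.append({"src": frame.get("src", ""), "reasons": reasons})
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Map each page under root to every iframe src it contains (all of them, not only
    the suspicious ones, so the baseline diff can catch a re-inserted frame)."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parser = IframeCollector()
                    parser.feed(fh.read())
                pages[os.path.relpath(path, root)] = [f.get("src", "") for f in parser.iframes]
    return pages


def diff_baseline(baseline, current):
    """Iframe srcs present now but absent from the recorded baseline, per page.
    A frame that reappears after you removed it shows up here too."""
    added = {}
    for path, srcs in current.items():
        new = sorted(set(srcs) - set(baseline.get(path, [])))
        if new:
            added[path] = new
    return added


if __name__ == "__main__":
    # Usage: python iframe_scan.py <docroot> [baseline.json]; no args scans SAMPLE_PAGE.
    if len(sys.argv) < 2:
        print(json.dumps(scan_html(SAMPLE_PAGE), indent=2))
        sys.exit(0)
    current = scan_tree(sys.argv[1])
    baseline = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else {}
    print(json.dumps({"new_iframes": diff_baseline(baseline, current)}, indent=2))
```

Run it from cron against the document root and keep the baseline under version control: a legitimate IFRAME you add shows up once and is then folded into the baseline, while a frame that keeps coming back after removal, or that points off-site with zero dimensions, is exactly the behaviour the post describes. The scan is only a check on files at rest; it will not see frames injected at request time by a module inside the web server, which is why point 2 (audit everything that touches the site) still matters.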