Cisco recently reported that the highest concentration of online security threats is in fact found on legitimate destinations visited by mass audiences. As if to underscore that point, we accidentally discovered an exploit on Speedtest.net, a site used by mass audiences to test their connection speed to the Internet. Now to be clear, Speedtest.net did not put this exploit up. Rather, speedtest.net is a victim of being exploited; but in turn their website was used to exploit countless others. As of this writing, Speedtest.net has rectified the issue, so they are safe to visit.
In this blog Invincea security expert Eddie Mitchell dissects the attack against speedtest.net and shows the sophistication in how the attack uses polymorphism, uses standard encoding to evade detection of binaries it downloads, and was largely unknown to anti-virus vendors at the time of the analysis. The exploit highlights the dangers of browsing without protection even to legitimate sites.
We recently stumbled across an exploit of speedtest.net in doing what normal users do – visiting a legitimate site that provides a legitimate service. In this case after being exploited, www.speedtest.net was being used to redirect user traffic to sites hosting malicious code. In order to verify, we employed a Windows XP SP3 test machine protected by Invincea Enterprise and installed with IE8 and Java 7 Update 10. Java 7 Update 11 is currently the latest and was released by Oracle in response to the previous Java 0-day vulnerability (CVE-2013-0422).
As shown in the screenshot below, we launched IE8 protected by Invincea (note the green border) and manually entered www.speedtest.net into the URL bar:
The bandwidth speed test application that we’d normally expect to see is not loading due to the fact that I didn’t have the Adobe Flash plugin installed at the time of this analysis, but nevertheless a few seconds later we receive the following notification from Invincea:
In this case, I will allow the malware to run inside the virtual container Invincea runs IE8 in for a few moments before clicking the “Restore” button in order to purge the virtual environment and transmit forensic details to Invincea’s Threat Data Server.
Once restoration is complete, we pivot to the Invincea Threat Analyzer in order to better understand this attack. Upon locating our infection entry, we can see that a total of 75 changes were made inside the virtual container. We can also see that after visiting www.speedtest.net, the browser was redirected to a suspect URL:
Switching to the Timeline tab, we can see that Internet Explorer launched the Java plugin and shortly thereafter, Java was used to launch cmd.exe:
If we double-click on the highlighted cmd.exe process launch, we can see the exact command string executed:
We can see the cmd.exe is used to launch javaw.exe with some very suspicious arguments:
Next we see that several outbound HTTP connections were initiated by javaw.exe and shortly thereafter, two dll files were dropped to disk and regsvr32.exe was invoked to install them:
Upon further inspection, one of the dll files written to disk (acrobatreader.dll) was empty, presumably the result of a failed download:
However, the other dll (iexplore.dll – md5: 4b75fbd80eef28fae5b25a8c527f611c) was downloaded and successfully written to disk. The binary file was XOR encoded with key 0x6D during the download to evade network-based security controls (note the lack of a clear-text magic number/DOS header):
If we view the download in Hex format, we can clearly see the key used to encode:
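The single-byte XOR seen above is trivial to reverse once you suspect it. The following is an added example (not Invincea's tooling, and not code from the original post) that shows how a network sensor or analyst can recover the key from a captured download by trying all 256 keys and checking for a structurally consistent PE layout; the captured blob is a constructed PE-shaped stub encoded with the 0x6D key reported in the writeup.

```python
"""Recover a single-byte XOR key from a captured binary download.

Added example. A blob XOR'd with one byte hides the 'MZ' magic on the wire,
but trying every key and checking for a consistent PE layout ('MZ' at offset 0
and the e_lfanew field at 0x3C pointing at 'PE\0\0') exposes it immediately.
"""
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is symmetric, so this also decodes)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Structural check: DOS magic plus a valid e_lfanew pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key that turns `blob` into a PE image, or None."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped stub (not a real executable) for the demo."""
    header = bytearray(0x80)
    header[:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = PE_SIG
    return bytes(header)


# Constructed capture: the stub encoded with the key observed in the writeup.
CAPTURED = xor_bytes(build_sample_pe(), 0x6D)

if __name__ == "__main__":
    key = recover_xor_key(CAPTURED)
    print(f"recovered key: {key:#04x}" if key is not None else "no PE found")
```

The same check can be run over every HTTP response body of MIME type image/gif or similar, since the dropper here fetched its payloads under .gif names.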
Once decoded, we see that the JavaScript generates random third-level domains based on the date/time of the system. These are then prepended to several second-level domains provided by DynDNS:
The malicious domains are:
1. 1dbf0eba0897b21ed2a7ea27976d9bd9 jr2kw.gif (CVE-2013-0422) – VirusTotal currently reports 2/46 detections
Contains the following Java class files:
- 0eabcf5059774ef47392cc16d60f44cf erVary.class – VT 0/46
- c1fac450319e8d2e34f707bd9e84ddb1 fichusSwear.class – VT 0/46
- f2e8219e255efd7fad7c903bc32949b2 pottleUpdoIgnore.class – VT 0/46
- e1156e9c5a613e3a85948954d6335b73 vialFeelEddied.class – VT 0/46
- 0756faf654e8b5eb24b01de1f9a98f32 woe.class – VT 0/46
2. e0277bcb674ae3b41266df549a10c82c wvv4r.gif (CVE-2012-1723) – VirusTotal currently reports 2/46 detections
Contains the following Java class files:
- 8f407d1107a6e5fe8ef0b0831b96dacd a.class – VT 0/45
- a910c2be69a1e20a4117d5f3186dab4e bluejayCay.class – VT 0/46
- d29f687e9f4ee10c9abab785aaae6a88 flam.class – VT 0/46
- cd56ca5c71b2f24ebb4f3a46c7dd0c51 orArsMinx.class – VT 0/46
- f0785a467ded2dee1ffcbbc6d3637e2b tuyersLang.class – VT 0/46
- ae13843570124d23362c9606e0ec98c2 websChamberSquishy.class – VT 0/46
Upon successful exploitation of the Java plugin, the XOR’d binary previously shown is downloaded and installed on the system. In addition to using XOR encoding for the download, the binary itself appears to be polymorphic, as the MD5 hash changes for each download. However, when comparing fuzzy hash values, it is clear that the binaries share the same codebase:
The VirusTotal detection ratio for these dll files across its participating anti-virus vendors, at the time of submission, is shown below:
In addition, we are able to confirm that this particular attack campaign leveraged the lesser-known “g01pack” exploit kit, which is known to typically drive traffic to its landing page via malvertising, ultimately leading to a Fake AV variant.
A decoy administration page was also present, as documented by Websense here:
We can’t confirm at this time that this advertising plugin was used or exploited for this attack.
Take a look at what happened during this exploit in video form below: