Popular Site Speedtest.net Compromised by Exploit…Drive-By STOPPED by Invincea


Cisco recently reported that the highest concentration of online security threats is in fact found on legitimate destinations visited by mass audiences. As if to underscore that point, we accidentally discovered an exploit on Speedtest.net, a site used by mass audiences to test their connection speed to the Internet. To be clear, Speedtest.net did not put this exploit up. Rather, Speedtest.net is itself a victim of exploitation, but in turn its website was used to exploit countless others. As of this writing, Speedtest.net has rectified the issue, so the site is safe to visit.

In this blog Invincea security expert Eddie Mitchell dissects the attack against speedtest.net and shows the sophistication in how the attack uses polymorphism, uses standard encoding to evade detection of binaries it downloads, and was largely unknown to anti-virus vendors at the time of the analysis. The exploit highlights the dangers of browsing without protection even to legitimate sites.

We recently stumbled across an exploit of speedtest.net while doing what normal users do: visiting a legitimate site that provides a legitimate service. In this case, after being exploited, www.speedtest.net was being used to redirect user traffic to sites hosting malicious code. In order to verify, we employed a Windows XP SP3 test machine protected by Invincea Enterprise and installed with IE8 and Java 7 Update 10. Java 7 Update 11 is currently the latest and was released by Oracle in response to the previous Java 0-day vulnerability (CVE-2013-0422).

As shown in the screenshot below, we launched IE8 protected by Invincea (note the green border) and manually entered www.speedtest.net into the URL bar:

[Screenshot: launched IE8 protected by Invincea and manually entered www.speedtest.net]

The bandwidth speed test application that we’d normally expect to see does not load because I didn’t have the Adobe Flash plugin installed at the time of this analysis, but a few seconds later we nevertheless receive the following notification from Invincea:

[Screenshot: notification from Invincea]

In this case, I will allow the malware to run for a few moments inside the virtual container in which Invincea runs IE8 before clicking the “Restore” button in order to purge the virtual environment and transmit forensic details to Invincea’s Threat Data Server.

Once restoration is complete, we pivot to the Invincea Threat Analyzer in order to better understand this attack. Upon locating our infection entry, we can see that a total of 75 changes were made inside the virtual container. We can also see that after visiting www.speedtest.net, the browser was redirected to a suspect URL:

[Screenshot: Invincea Threat Analyzer]

Switching to the Timeline tab, we can see that Internet Explorer launched the Java plugin and shortly thereafter, Java was used to launch cmd.exe:

If we double-click on the highlighted cmd.exe process launch, we can see the exact command string executed:

We can see that cmd.exe is used to launch javaw.exe with some very suspicious arguments:

Next we see that several outbound HTTP connections were initiated by javaw.exe and shortly thereafter, two dll files were dropped to disk and regsvr32.exe was invoked to install them:

Upon further inspection, one of the dll files written to disk (acrobatreader.dll) was empty, presumably corresponding to a bad download:

However, the other dll (iexplore.dll – md5: 4b75fbd80eef28fae5b25a8c527f611c) was downloaded and successfully written to disk.  The binary file was XOR encoded with key 0x6D during the download to evade network based security controls (note the lack of clear-text magic number/DOS Header):

If we view the download in Hex format, we can clearly see the key used to encode:

[Screenshot: download in Hex format]
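The reason the key is visible in the hex view is that zero padding in a PE file encodes to the key byte itself. The following added example (not code from the original analysis) uses that property to recover a single-byte XOR key from a captured download and confirm that a PE header appears once decoded; the sample buffer is constructed and only PE-shaped, and all function names are illustrative.

```python
import struct
from collections import Counter

def xor_bytes(data, key):
    """XOR every byte with a single-byte key (encoding and decoding are identical)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_xor_key(blob):
    """Return 0 for a clear-text PE, the key for a single-byte-XOR PE, else None."""
    if looks_like_pe(blob):
        return 0
    # Zero padding in a PE encodes to the key itself, so the most frequent
    # byte values are tried first; the remaining values follow as a fallback.
    ranked = [value for value, _ in Counter(blob).most_common()]
    for key in ranked + [k for k in range(1, 256) if k not in ranked]:
        if key and looks_like_pe(xor_bytes(blob, key)):
            return key
    return None

def build_sample_pe(size=1024):
    """Constructed sample: a PE-shaped buffer (headers only, not a real binary)."""
    buf = bytearray(size)
    stub = b"This program cannot be run in DOS mode."
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew -> PE header offset
    buf[0x4E:0x4E + len(stub)] = stub
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)

if __name__ == "__main__":
    download = xor_bytes(build_sample_pe(), 0x6D)   # key value from the article
    print("first bytes on the wire:", download[:4].hex())
    key = find_xor_key(download)
    print("recovered key:", hex(key))
    print("decoded header:", xor_bytes(download, key)[:2])
```
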

Taking a step back for a moment, we’ll investigate the infection chain a bit more.  Looking at the main index page on www.speedtest.net, we notice the following Javascript that has been injected onto the page:

[Screenshot: infection chain, Javascript that has been injected onto the page]

Once decoded, we see that the JS generates random third-level domains based on the date/time of the system.  These are then prepended to several second level domains provided by DynDNS:

[Screenshot: JS generates random third-level domains based on the date/time of the system]

The malicious domains are:

*.dnsdojo[.]net
*.is-a-designer[.]com
*.is-a-hunter[.]com
*.is-a-musician[.]com
*.is-an-accountant[.]com

A request is then made for http://<domain>/finance and the following page is retrieved that serves two Java applets:

[Screenshot: following page is retrieved that serves two Java applets]

  1. 1dbf0eba0897b21ed2a7ea27976d9bd9  jr2kw.gif (CVE-2013-0422) – Virustotal currently reports 2/46 detections

Contains the following Java class files:

  • 0eabcf5059774ef47392cc16d60f44cf  erVary.class – VT 0/46
  • c1fac450319e8d2e34f707bd9e84ddb1  fichusSwear.class – VT 0/46
  • f2e8219e255efd7fad7c903bc32949b2  pottleUpdoIgnore.class – VT 0/46
  • e1156e9c5a613e3a85948954d6335b73  vialFeelEddied.class – VT 0/46
  • 0756faf654e8b5eb24b01de1f9a98f32  woe.class – VT 0/46

 

  2. e0277bcb674ae3b41266df549a10c82c  wvv4r.gif (CVE-2012-1723) – Virustotal currently reports 2/46 detections

Contains the following Java class files:

  • 8f407d1107a6e5fe8ef0b0831b96dacd  a.class – VT 0/45
  • a910c2be69a1e20a4117d5f3186dab4e  bluejayCay.class – VT 0/46
  • d29f687e9f4ee10c9abab785aaae6a88  flam.class – VT 0/46
  • cd56ca5c71b2f24ebb4f3a46c7dd0c51  orArsMinx.class – VT 0/46
  • f0785a467ded2dee1ffcbbc6d3637e2b  tuyersLang.class – VT 0/46
  • ae13843570124d23362c9606e0ec98c2  websChamberSquishy.class – VT 0/46
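The redirect pattern described above (a generated third-level label under one of the listed DynDNS zones, followed by a request for /finance) can be hunted for in web proxy logs. This is an added example, not part of the original analysis; the log format and the sample lines are constructed, and the function names are illustrative. Matching on the zone alone would flag unrelated DynDNS customers, so the zone and the landing path are required together.

```python
from urllib.parse import urlsplit

# DynDNS zones named in the article (defanged there, refanged here for matching).
ZONES = ("dnsdojo.net", "is-a-designer.com", "is-a-hunter.com",
         "is-a-musician.com", "is-an-accountant.com")
LANDING_PATH = "/finance"

# Constructed proxy log lines: time, client IP, method, URL, status.
SAMPLE_LOG = """\
2013-01-01T14:02:11Z 10.0.0.15 GET http://www.speedtest.net/ 200
2013-01-01T14:02:13Z 10.0.0.15 GET http://k3f9a1c7.is-a-hunter.com/finance 200
2013-01-01T14:05:40Z 10.0.0.22 GET http://blog.dnsdojo.net/about 200
2013-01-01T14:06:02Z 10.0.0.31 GET http://notdnsdojo.net/finance 200
2013-01-01T14:07:19Z 10.0.0.31 GET http://QX7.IS-AN-ACCOUNTANT.COM./finance?x=1 200
"""

def zone_of(host):
    """Return the listed zone if host is a strict subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for zone in ZONES:
        # The leading dot enforces a label boundary (notdnsdojo.net must not match).
        if host.endswith("." + zone):
            return zone
    return None

def hunt(log_text):
    """Return (time, client, host, zone) for each request matching zone and path."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = parts
        u = urlsplit(url)
        host = (u.hostname or "").rstrip(".")
        zone = zone_of(host)
        if zone and u.path.rstrip("/") == LANDING_PATH:
            hits.append((ts, client, host, zone))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```
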

Upon successful exploitation of the Java plugin, the XOR’d binary previously shown is downloaded and installed on the system. In addition to using XOR encoding for the download, the binary itself appears to be polymorphic, as the md5sum changes for each download. However, when comparing fuzzy hash values, it is clear that the binaries share the same codebase:

[Screenshot: XOR’d binary previously shown is downloaded and installed on the system]

The VirusTotal detection ratio for these dll files across all participating anti-virus vendors, at the time of submission, is shown below:

[Screenshot: VirusTotal detection ratio]

In addition, we are able to confirm that this particular attack campaign leveraged the lesser-known “g01pack” exploit kit, which is known to typically drive traffic to the landing page via malvertising, which leads to a Fake AV variant.

A decoy administration page was also present, as documented by Websense here:

http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx

[Screenshot: Decoy administration page]

Some additional online research indicates that speedtest.net has been compromised several times in the past through vulnerabilities in the OpenX advertising plugin in order to inject malicious Javascript redirecting users to malware.

http://blog.armorize.com/2011/10/malvertising-lifecycle-case-study-openx.html

http://blog.zeltser.com/post/6247850496/malvertising-malicious-ad-campaigns

We can’t confirm at this time that this advertising plugin was used or exploited for this attack.

Conclusion

The exploit analysis shows that potentially a large number of users were exposed to a Java-based exploit temporarily hosted by speedtest.net. Indicators show that the exploit was implemented by injected Javascript and used the “g01pack” exploit kit, and that speedtest.net was likely compromised as part of a malvertising campaign. The exploit used a number of tactics and techniques to evade detection while exploiting the commonly vulnerable Java software plug-in. Speedtest.net is a popular site widely used to test network connection speeds. The exploit shows that legitimate sites pose risks to online users who browse without protection.

Take a look at what happened during this exploit in video form below:

 

 
