Security Response

Rig Exploit Kit Used in Recent Website Compromise

Created: 02 Jul 2014 08:46:25 GMT • Updated: 18 Jul 2014 10:46:58 GMT

Contributor: Karthikeyan Kasiviswanathan

Last week, it was reported that the popular Web portal AskMen.com was compromised to redirect users to a malicious website hosting the Nuclear Exploit Kit. During its investigation, Symantec found that users were also redirected to the Rig Exploit Kit in this attack. Symantec has notified the owners of the AskMen.com site about the compromise.

The Rig Exploit Kit was discovered a few months ago and mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight. We took a closer look at how the kit was used in this attack to find out what damage it could do to users’ computers.

Rig Exploit Kit’s features
To set up the attack, the attackers injected malicious JavaScript into the website. This JavaScript generates pseudo-random domain names derived from the current date, which are used to contact websites under the attackers’ control.

Each generated domain consists of eight hex digits (the CRC32 hash of the current date) followed by the .pw top-level domain (TLD). .pw is the TLD of Palau, a Pacific island nation, and Symantec has observed a rise in its malicious use. The domain is then used to build URLs that request the file nbe.html with a single numeric parameter.

Here are some examples of URLs created by the domain generator:

  • 2799ef77.pw/nbe.html?0.18841914809308946
  • 2799ef77.pw/nbe.html?0.8457876814063638
  • C9978e5b.pw/nbe.html?0.3666891625575156
  • C9978e5b.pw/nbe.html?0.7409235395336815

Figure 1. Domain generation algorithm (DGA)
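The date-based generation scheme described above, as an added defender-side example (this is not code from the post or from the kit): it pre-computes the CRC32-derived candidate domain for each day in a window, so the list can be fed to a blocklist or DNS sinkhole, and flags proxy log lines that request nbe.html on an eight-hex-digit .pw domain. The exact string fed to CRC32 is not given in the post, so the ISO date format, the sample log lines and the function names are assumptions.

```python
import re
import zlib
from datetime import date, timedelta

# Assumption: the script hashes the date as an ISO "YYYY-MM-DD" string. The post
# does not give the exact input format; set DATE_FORMAT to whatever the decoded
# injected script actually feeds to CRC32.
DATE_FORMAT = "%Y-%m-%d"
TLD = ".pw"
SAMPLE_DAY = date(2014, 6, 25)  # constructed date near the reported incident

def crc32_hex(data):
    """CRC32 of data as eight zero-padded lowercase hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def dga_domain(day):
    """Domain the injected script would contact on the given day."""
    return crc32_hex(day.strftime(DATE_FORMAT).encode()) + TLD

def candidate_domains(start, days):
    """Domains for a window of days, e.g. to pre-load a sinkhole or blocklist."""
    return {dga_domain(start + timedelta(d)) for d in range(days)}

# URL shape from the post: <8 hex digits>.pw/nbe.html?<float parameter>
DGA_URL = re.compile(r"([0-9a-f]{8})\.pw/nbe\.html\?0\.\d+", re.IGNORECASE)

def find_hits(log_lines, known_domains):
    """Return (line_no, domain, reason) for each proxy log line matching the DGA."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = DGA_URL.search(line)
        if m:
            dom = (m.group(1) + TLD).lower()
            reason = "in-window" if dom in known_domains else "pattern-only"
            hits.append((n, dom, reason))
    return hits

# Constructed proxy log lines (not real traffic); the second uses a domain
# computed by dga_domain so that it falls inside the window checked below.
SAMPLE_LOG = [
    "2014-06-25 10:01:02 10.0.0.5 GET http://2799ef77.pw/nbe.html?0.18841914809308946",
    f"2014-06-25 10:01:09 10.0.0.5 GET http://{dga_domain(SAMPLE_DAY)}/nbe.html?0.4242",
    "2014-06-25 10:02:00 10.0.0.7 GET http://example.com/index.html",
]

def demo_hits():
    """Scan SAMPLE_LOG against the domains for the week around SAMPLE_DAY."""
    window = candidate_domains(SAMPLE_DAY - timedelta(3), 7)
    return find_hits(SAMPLE_LOG, window)
```

A hit tagged "pattern-only" matches the URL shape but not the computed window, which usually means the date string or format assumed above differs from the one the live script uses.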

Once the domain name has been registered, the code redirects users to that domain. A malicious iframe injected into this page then redirects users to an exploit kit, such as the Nuclear Exploit Kit or the Rig Exploit Kit. In this case, we’ll look at the Rig Exploit Kit.

Figure 2. Decoded Base64 script with a link to the Rig Exploit Kit

When the user arrives on the landing page, the Rig Exploit Kit checks whether the user’s computer has a driver file associated with a particular antivirus product. If the driver file “kl1.sys” is present, the kit does not drop its exploits, in order to avoid detection.

The kit then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig Exploit Kit took advantage of the following vulnerabilities:

If the kit successfully exploits any of these vulnerabilities, malware is downloaded onto the victim’s computer. We found that the Rig Exploit Kit dropped a range of different malware samples, including the Zeus banking Trojan (Trojan.Zbot) and the Cryptodefense ransomware (Trojan.Cryptodefense). In early June, the FBI announced that it had taken down a significant portion of the Gameover Zeus botnet. This latest incident shows that, despite the takedown, attackers still see Zeus as an attractive payload to deliver in their campaigns.

Symantec protection
Attackers often use the newest exploit kits because they believe security software may not yet detect the kits’ activity. However, Symantec provides comprehensive protection to help users defend themselves against the Rig Exploit Kit and the malware delivered in this website compromise.

Antivirus

IPS