Contributor: Karthikeyan Kasiviswanathan
Last week, it was reported that popular Web portal AskMen.com was compromised to redirect users to a malicious website that hosted the Nuclear Exploit Kit. Symantec has found during investigations that users were also redirected to the Rig Exploit Kit during this attack. Symantec has notified the owners of the AskMen.com site about this compromise.
The Rig Exploit Kit was discovered a few months ago and mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight. We decided to take a closer look at how the exploit kit was used in this attack to find out what damage it could do to users’ computers.
Rig Exploit Kit’s features
The domains generated have a pattern of eight hex digits (a CRC32 hash of the current date) followed by the .pw top-level domain (TLD) (.pw is the TLD for Palau, a Pacific island nation, for which Symantec has observed a rise in malicious usage). The domain is used to generate URLs requesting the file nbe.html along with a parameter.
Here are some examples of URLs created by the domain generator:
Figure 1. Domain name generator (DGA) algorithm
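The domain pattern above (eight hex digits from a CRC32 of the date, under .pw, followed by a request for nbe.html with a query parameter) is simple enough that a defender can precompute the expected domains and match them against proxy or DNS logs. The following Python is an added illustration written for this post, not code from Symantec or from the exploit kit; the date string fed to CRC32 (assumed here to be "%Y-%m-%d"), the log line layout, the host name deadbeef.pw and the helper names (candidate_domain, scan_log) are all constructed assumptions. It flags a hit either because the host is exactly a precomputed candidate for a window of days, or because the URL has the Rig shape even when the hash does not line up with the assumed date format.

```python
import re
import zlib
from datetime import date, timedelta
from urllib.parse import urlparse

# Host shape described in the post: eight lowercase hex digits under the .pw TLD.
RIG_HOST_RE = re.compile(r"^[0-9a-f]{8}\.pw$")


def candidate_domain(day, date_fmt="%Y-%m-%d"):
    """Domain the DGA would produce for one day: CRC32 of the date string,
    rendered as eight hex digits, plus '.pw'. The exact date string the kit
    hashes is not given in the post; the "%Y-%m-%d" layout is an assumption."""
    digest = zlib.crc32(day.strftime(date_fmt).encode("ascii")) & 0xFFFFFFFF
    return f"{digest:08x}.pw"


def candidate_domains(center, window_days=3, date_fmt="%Y-%m-%d"):
    """Precompute domains for a window of days around 'center' so that clock
    skew between victims and the log collector does not cause misses."""
    return {
        candidate_domain(center + timedelta(days=offset), date_fmt)
        for offset in range(-window_days, window_days + 1)
    }


def classify_url(url, candidates):
    """Return 'dga-match', 'pattern-match', or None for a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not RIG_HOST_RE.match(host):
        return None
    if host in candidates:
        return "dga-match"
    # Same URL shape as the Rig requests in the post (nbe.html plus a parameter),
    # but the hash does not correspond to the assumed date format.
    if parsed.path.endswith("/nbe.html") and parsed.query:
        return "pattern-match"
    return None


def scan_log(lines, today, window_days=3):
    """Scan log lines of the assumed form '<timestamp> <client> <url>' and
    return (line_number, url, verdict) for each suspicious entry."""
    candidates = candidate_domains(today, window_days)
    hits = []
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the scan
        url = parts[2]
        verdict = classify_url(url, candidates)
        if verdict:
            hits.append((number, url, verdict))
    return hits


# Constructed sample log (not traffic from the post). The second line uses a
# domain generated with the assumed algorithm so the exact-match branch fires;
# deadbeef.pw is a made-up host that only matches the shape.
TODAY = date(2014, 6, 30)
SAMPLE_LOG = [
    "2014-06-30T10:00:01 10.0.0.5 http://www.example.com/index.html",
    f"2014-06-30T10:00:02 10.0.0.5 http://{candidate_domain(TODAY)}/nbe.html?x=1",
    "2014-06-30T10:00:03 10.0.0.7 http://deadbeef.pw/nbe.html?x=2",
    "2014-06-30T10:00:04 10.0.0.7 http://deadbeef.pw/about.html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, TODAY):
        print(hit)
```

If the real date format differs from the assumed one, the exact-domain branch simply never fires and the pattern branch still catches requests of the shape the post describes; once the format is confirmed from a captured sample, the candidate set can also be pushed into a DNS sinkhole or proxy block list ahead of time.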
Once the domain name is registered, the code redirects users to that domain. A malicious iframe injected in this page redirects users to an exploit kit, such as the Nuclear Exploit Kit or the Rig Exploit Kit. In this case, we’ll look at the Rig Exploit Kit.
Figure 2. Decoded Base64 script with a link to the Rig Exploit Kit
When the user arrives on the landing page, the Rig Exploit Kit attempts to check if the user’s computer has a driver file associated with a particular antivirus software product. To avoid detection, the kit avoids dropping the exploits if the driver file “kl1.sys” is present.
The kit then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig Exploit Kit took advantage of the following vulnerabilities:
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
- Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0497)
- Microsoft Silverlight Double Dereference Remote Code Execution Vulnerability (CVE-2013-0074)
- Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)
- Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
If the kit successfully exploits any of these vulnerabilities, malware is downloaded onto the victim’s computer. We found that the Rig Exploit Kit dropped a range of different malware samples, including the Zeus banking Trojan (Trojan.Zbot) and the Cryptodefense ransomware (Trojan.Cryptodefense). In early June, the FBI announced that it had taken down a significant portion of the Gameover Zeus botnet. This latest incident shows that, despite the takedown, attackers still see Zeus as an attractive payload to deliver in their campaigns.
Attackers often use the newest exploit kits, as they believe that security software may not yet detect the kits’ activities. However, Symantec provides comprehensive protection to help users defend themselves against the Rig Exploit Kit and the malware delivered in the recent website compromise.
- Web Attack: Exploit Toolkit Website 47
- Web Attack: Malicious Executable Download 2
- Web Attack: MSIE CVE-2013-2551 3
- Web Attack: Rig Exploit Kit Website 5
- Web Attack: Rig Exploit Kit Website 9
- Web Attack: Rig Exploit Kit Website 4
- Web Attack: Rig Exploit Kit Website 21
- System Infected: Trojan.Cryptodefense Activity