We have been pretty busy with a lot of new exciting technology that we are introducing next month, so our blog did not get as much attention as it should. But yesterday, an interesting malvertising campaign on Yahoo drew my attention.
Fox-IT already wrote a great blog entry mainly about the network details of the attack. But since there is also a lot to tell about the malware I decided to spend my Sunday to do some digging in our databases and write some details about it.
Lennart Haagsma (@lennarthaagsma) and Maarten van Dantzig (@MaartenVDantzig) from Fox-IT’s Security Operations Center were the guys that sent out the first tweet about this on January 3rd, 2014: the ads.yahoo.com host, associated with advertisements and tracking, was infecting visitors of Yahoo Mail.
Our own telemetry and research confirmed this and I immediately started to send out additional information on Twitter and share some malware details with the security community.
Below a screenshot of Fiddler showing the recorded drive-by infection, proofing that Yahoo was indeed infecting its visitors through a malicious iframe:
We also shared some initial information with the Dutch National Cyber Security Center (NCSC) so they could combine it with data from Fox-IT.
The NCSC sent out a warning message to contacts at key infrastructure and important computer networks in The Netherlands, so technicians could add firewall rules to block the attack. This, because the malware used in the attack were slipping passed security defenses, which we can confirm thanks our HitmanPro agents on millions of computers in the world. Our software has detected Yahoo-related malware on computers protected by up-to-date antivirus software.
Note: Microsoft Enhanced Mitigation Experience Toolkit (EMET) offers no protection against these attack as EMET does not protect against Java-based exploit attacks.
If you are unfamiliar with our HitmanPro software: it is a small anti-malware tool that functions as a second-opinion for your antivirus software to reveal undetected threats.
HitmanPro works on-demand and is purpose-built to be compatible with other antivirus programs. Its behavior and forensic analysis are designed to pick up threats without requiring prior knowledge of malware attacks, commonly called virus signatures.
Here an example of how HitmanPro gives you insight on how the attack happened, even days after the incident:
About the Malware
Thanks to the telemetry coming from HitmanPro we are able to compile a list of threats that were used in the attack staged from Yahoo’s own servers.
Our systems detected the first threats associated with this malware campaign on Monday December 30th, 2013 (now 6 days ago). This means that a lot more users are infected than initially thought (4 days x 24 hours x 27,000 infections = 2.5 million infected computers).
The attackers made good use of Yahoo’s reputation and installed many different malware, which leads us to believe there are more interested criminals involved (a so-called Pay-Per-Install operation). An excerpt with some background information:
Click fraud malware
The creator of this file used a neat Star Wars icon:
Once executed by the exploit kit, this malware installs itself in the C:\Windows\Fonts folder. The Fonts folder is a special folder and shows only fonts in Windows Explorer. The malware executable doesn’t come up in the contents list so the user is not able to access it manually. The publisher of the malware executable was also set to Symantec Corporation DB in an attempt to fool users who were somehow able to to access it.
This malware program is causing click fraud and causes high CPU usage. It runs multiple hidden web browser processes to open web pages with ads belonging to the affiliate ID of the criminal. The program is started each hour through the Windows Task Scheduler:
The malware author of this file decided to use an ICQ icon, abused the name of a legitimate registry tool and accidentally gave a clue to where the file could’ve originated from:
The purpose of this malware downloads additional malware and enables backdoor access and control of your computer. It also capable of disabling antivirus software and injects itself in other system processes. It typically installs itself in C:\Windows\Installer\<random GUID>\
This malware can steal usernames and passwords, block websites, and launch a denial of service (DoS) attack. The malware is also often used to haul in additional malware.
The most interesting feature of this malware, I think, is that it creates a so-called hollow process to conceal its presence. In this case it spawns and abuses a legitimate Windows Calculator process (calc.exe) and does an in-memory replacement of the original contents with the malicious code. For the operating system and the user it looks like the original calc.exe is running, while in fact the calc.exe process has been transformed into Dorkbot. This Windows Calculator process now has unusual capabilities, like HTTP and DNS interception:
This particular malware employs NTFS encryption in an attempt to stay hidden from low level virus scans. A low level scan, like HitmanPro’s Direct Disk Access method, does not use the higher level Windows API’s to scan the disk for malware, because, usually, the higher level Windows API’s are manipulated by malware to evade detection.
For interested security researchers, I’ve compiled an incomplete SHA-256 list of malware associated with the Yahoo malvertising campaign:
Exploiting Java vulnerabilities
Normally, software cannot be installed on a computer without the owner’s consent. If someone would like to silently install software on your computer they would need to find and abuse a vulnerability on your computer – remember Stuxnet, which similarly abused a software vulnerability to hit Iran nuclear plant staff computers.
But practically, every computer has vulnerabilities, even yours. And for online criminals to be effective, they target multiple vulnerabilities to maximize their campaign.
The Magnitude exploit kit makes this possible, which is a favored tool since the arrest of Paunch (the creator the notorious Blackhole exploit kit).
Yahoo’s servers were used as staging area, redirecting visitors to an attack page with the Magnitude exploit kit. The exploit kit was configured to exploit vulnerabilities in Java Runtime to infect Yahoo’s users with malware.
Java is the #1 target since millions of computers still run outdated vulnerable versions of it, caused by the lack of a silent automatic update feature in Java. Also, many people and companies are unable to upgrade to the latest version of Java because they rely on custom software that will no longer work once Java is updated.
So these users rely on antivirus software to keep their computers safe. But since attackers tailor and continuously update their malware they effectively go undetected by many antivirus software.
We’ve seen at least these Java exploits used in the Yahoo malvertising campaign:
We found CVE-2012-0507 to be associated with this campaign on infected computers, confirming the fact that many computers have outdated Java software.
A whois query regarding the IP addresses associated with the attack domains gives us some idea on where the attackers might come from:
inetnum: 126.96.36.199 - 188.8.131.52 descr: FOP Zemlyaniy Dmitro Leonidovich country: NL organisation: ORG-FZDL2-RIPE org-name: FOP Zemlyaniy Dmitro Leonidovich org-type: LIR address: FOP Zemlyaniy Dmitro Leonidovich address: Zemlyaniy Dmitro address: Onore de Balzaka str. 86, app.29 address: 02232 address: Kyiv address: UKRAINE
I saw CNET reporting that users had to click on an malicious ad to get infected, but this is not true. Below, side by side, an uninfected Yahoo advertisement and the infected one. Victims did not click on the ads to get infected and also explains the high infection numbers from the Fox-IT research.
Scan your computer
Not every ad on the Yahoo advertisement network contained the malicious iframe, but if you have an outdated version of Java Runtime (you can check here) and you used Yahoo Mail the last 6 days, your computer is likely infected.
In addition, we also received reports that the malware was spreading through ads in Yahoo Messenger as well. So if you used Yahoo’s services lately, it’s a good idea to scan your computer for malware.
Our HitmanPro software has already helped many Yahoo visitors in these countries: Australia, Germany, Spain, France, Greece, Hungary, Ireland, Israel, Italy, Croatia, The Netherlands, Poland, The United Kingdom and The United States. In most of those scans our HitmanPro anti-malware software also found other malware unrelated to the Yahoo incident, which means it is always a good idea to regularly perform a second opinion scan with a tool from a different security vendor.
You can download HitmanPro here: http://get.hitmanpro.com
HitmanPro Supports 32-bit and 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP and Windows Server.