Two months ago we released HitmanPro.Alert version 3 at the RSA Conference in San Francisco.
This major new version comes with protection against crypto-ransomware and exploits.
In these two months, various companies have started using HitmanPro.Alert version 3 to protect exploit-susceptible applications and critical documents against malware and zero-day attacks.
We’ve seen exploits being served through advertisements on these sites:
telegraaf.nl, volkskrant.nl, trouw.nl, parool.nl, dumpert.nl, theguardian.com, huffingtonpost.com, lemonde.fr, elle.com
HitmanPro.Alert 3 has been very successful, stopping hundreds of attacks from these sites by blocking the exploit and preventing malware from entering the PC:
Contrary to antivirus technologies, the exploit mitigation technologies in HitmanPro.Alert require no updates, signatures or prior knowledge of an exploit attack or its payload to defend against it. Internet users do not need to seek refuge in ad blockers, as HitmanPro.Alert allows safe use of the web without affecting the ad revenue of site owners, publishers and journalists, especially when visitors' (victims') machines must run, or unknowingly run, outdated or vulnerable software.
Below is an excerpt of the technical details of one of the blocked attacks, which shows that many of the attacks originate from Adobe Flash Player:
Mitigation   StackPivot
Platform     6.1.7601/x86 06_2a
PID          5272
Application  C:\Program Files\Internet Explorer\iexplore.exe
Description  Internet Explorer 10
Callee Type  AllocateVirtualMemory
             0x2506C000 (32768 bytes)

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  753A7A1B KernelBase.dll           VirtualAllocEx +0x33
2  753A7A47 KernelBase.dll           VirtualAlloc +0x18
3  54DF7C6F Flash32_17_0_0_169.ocx   IAEModule_IAEKernel_UnloadModule
                                     f7d8  NEG EAX
                                     1bc0  SBB EAX, EAX
                                     f7d8  NEG EAX
                                     c3    RET

Process Trace
1  C:\Program Files\Internet Explorer\iexplore.exe
   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3648 CREDAT:209921 /prefetch:2
2  C:\Program Files\Internet Explorer\iexplore.exe
3  C:\Windows\explorer.exe
4  C:\Windows\System32\userinit.exe
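As an added example (not code from this post or from HitmanPro.Alert itself), a small Python parser that turns a mitigation report like the one above into structured fields and names the first module below the Windows allocation wrappers, which is the module a responder would look at first. The embedded report is the StackPivot event quoted above with its layout reconstructed; the set of "system" modules to skip is an assumption.

```python
import re

# The StackPivot report quoted in the post, embedded here (values unchanged,
# layout reconstructed) so the script runs offline.
SAMPLE_REPORT = r"""
Mitigation   StackPivot
Platform     6.1.7601/x86 06_2a
PID          5272
Application  C:\Program Files\Internet Explorer\iexplore.exe
Description  Internet Explorer 10
Callee Type  AllocateVirtualMemory
             0x2506C000 (32768 bytes)
Stack Trace
#  Address  Module                   Location
1  753A7A1B KernelBase.dll           VirtualAllocEx +0x33
2  753A7A47 KernelBase.dll           VirtualAlloc +0x18
3  54DF7C6F Flash32_17_0_0_169.ocx   IAEModule_IAEKernel_UnloadModule
"""

# Assumption: these Windows DLLs are the expected wrappers above an allocation
# call; the first frame outside this set is the code that requested the memory.
SYSTEM_MODULES = {"kernelbase.dll", "kernel32.dll", "ntdll.dll"}

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.*?)\s*$")
ALLOC_RE = re.compile(r"^\s+0x([0-9A-Fa-f]+)\s+\((\d+) bytes\)")
FRAME_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(.*?)\s*$")

def parse_report(text):
    """Return header fields, the allocation (address, size) and the stack frames."""
    report = {"frames": []}
    in_stack = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Stack Trace", "Process Trace"):
            in_stack = stripped == "Stack Trace"   # frames only live in this section
            continue
        if (m := HEADER_RE.match(line)) and not in_stack:
            report[m.group(1)] = m.group(2)
        elif m := ALLOC_RE.match(line):
            report["alloc"] = (int(m.group(1), 16), int(m.group(2)))
        elif in_stack and (m := FRAME_RE.match(line)):
            report["frames"].append({"index": int(m.group(1)),
                                     "address": int(m.group(2), 16),
                                     "module": m.group(3), "location": m.group(4)})
    return report

def suspect_module(report):
    """Module of the first frame below the Windows allocation wrappers, or None."""
    for frame in report["frames"]:
        if frame["module"].lower() not in SYSTEM_MODULES:
            return frame["module"]
    return None
```

Feeding the report above yields `Flash32_17_0_0_169.ocx` as the suspect module and a 32768-byte allocation at 0x2506C000, which is what the post's attribution to Adobe Flash Player rests on.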
Our telemetry shows that this specific attack took place between 2015-06-11 17:00 (CET) and 2015-06-15 16:30 (CET). Strikingly, the domain mistresseve.com seems to play a significant role in this attack.
Zooming in on this domain, we logged the following hostnames, which is an indication that the attackers have direct access to the DNS of this domain to create additional hosts:
The hostname pyhnen.mistresseve.com is also mentioned on the Malware Traffic Analysis website, which recorded an attack (a .pcap and a .zip with the malware are provided). The attack was carried out by the Angler Exploit Kit (as also confirmed by Fox-IT) and delivered the Bedep trojan through a vulnerability in Adobe Flash Player.
Angler Exploit Kit
The Angler Exploit Kit itself abuses CVE-2013-7331, a vulnerability in Internet Explorer 6 through 11, to determine whether the attack is taking place inside a research environment or in the presence of specific security software. If, for example, VMware or VirtualBox is detected, the exploit is not triggered, in an attempt to stay under the radar of defenders:
An overview of the domains associated with this particular exploit kit deployment:
This Bedep trojan horse is delivered in memory. This means that it infects the computer without writing any files to disk for most antivirus software to find, scan or block. Researcher Kafeine wrote about the file-less Bedep infection on his website Malware Don't Need Coffee in August last year.
This trojan also typically pulls in additional malware to perform, for example, click fraud, which hurts advertising businesses. So advertisers are not only put in a bad light because the ad platform is abused to infect thousands of internet users; they also lose money through the fraudulent ad clicks (the advertisers unknowingly pay the attackers).
But, as pointed out by Kafeine, the Angler Exploit Kit can serve each individual victim different malware.
You can read more about our HitmanPro.Alert software on this page:
To protect your computers against crypto-ransomware or exploits, download HitmanPro.Alert version 3 from here:
http://dl.surfright.nl/hmpalert3.exe (4 MB).