Drive-by example

The unnoticed download attack, also known as the “drive-by download”, has already been discussed on our blog in terms of how it works. Still, it is worth taking a short, closer look at how this kind of attack plays out on our own machines.

The current techniques for delivering malware can be divided into two categories:

1. Social engineering techniques: used by attackers to convince visitors to download and run malware. We have all seen pages with dubious analysis techniques informing us that our machine is full of viruses and that we urgently need to download some soft{mal}ware to clean it.

2. Browser vulnerabilities: this is the most difficult method, and it is transparent to us, the users. It is the most common infection method, as the graphic below shows. See “All your iFRAMEs point to us” for more detail about this kind of attack and the underlying infrastructure.

The “Digital World, Digital Life” report shows that we spend almost 30% of our leisure time browsing the web. Imagine a normal situation: we are browsing our favourite news portal, click a link to see the original source, then another to read the comments, and so on until we have visited several websites. One of the websites we visited recently left us a present MADE IN THE BAD GUYS.

The following is a small real example of what happened on our ‘controlled’ machine simply by visiting a website carrying a drive-by download attack, with no human interaction. Remarkably, we spent only almost 30 seconds on the site and the attack succeeded:

1. The iexplore.exe process created the binary C:\WINDOWS\Temp\svhost32.exe
2. This binary modified various registry entries in order to:
Disable the cache: “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache”
Disable cookies: “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies”
Disable history: “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History”
Enable proxy browsing: “SetValueKey”, “HKLM\SYSTEM\ControlSet001\Hardware Profiles\00\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable”
Configure the proxy: “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer”
And create the file: “C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1YMCNUWN\hosts[1].txt”

After all this, the binary c:\i1gb0a.exe was created, and this file in turn created the sdra64.exe binary, with strange purposes.

All of this was created on our operating system without our permission, while we were completely unaware of the underlying system changes. A full analysis of the attack, including the binary files and the network connections made, would take several hours of hard work and is out of the scope of this post.
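The behaviour chain in the trace above (browser writes an executable, that executable changes proxy settings and drops further executables) can be turned into a simple detection over process-monitor style events. This is an added example, not part of the original post: the CSV layout and rule names are hypothetical, and the events are a constructed sample modelled on the trace, not the original capture.

```python
import csv, io, ntpath

# Constructed sample events in a hypothetical CSV layout (process, operation, target).
# The directory of sdra64.exe is not given in the post, so only its name is used.
SAMPLE_EVENTS = r'''process,operation,target
iexplore.exe,CreateFile,C:\WINDOWS\Temp\svhost32.exe
svhost32.exe,SetValueKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
svhost32.exe,SetValueKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
svhost32.exe,SetValueKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
svhost32.exe,CreateFile,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1YMCNUWN\hosts[1].txt
svhost32.exe,CreateFile,c:\i1gb0a.exe
i1gb0a.exe,CreateFile,sdra64.exe
'''

BROWSERS = {"iexplore.exe"}
EXEC_EXT = (".exe", ".dll", ".scr")
PROXY_VALUES = ("\\internet settings\\proxyenable", "\\internet settings\\proxyserver")

def detect(events_csv):
    """Return (rule, process, target) findings in event order."""
    dropped = set()  # basenames of executables written by a browser or its descendants
    findings = []
    for ev in csv.DictReader(io.StringIO(events_csv)):
        proc = ev["process"].lower()
        target = ev["target"]
        low = target.lower()
        if ev["operation"] == "CreateFile" and low.endswith(EXEC_EXT):
            if proc in BROWSERS:
                # A browser should not be writing executables outside a user download.
                findings.append(("browser-dropped-executable", proc, target))
                dropped.add(ntpath.basename(low))
            elif proc in dropped:
                # A dropped binary writing another binary: follow the chain.
                findings.append(("dropper-chain", proc, target))
                dropped.add(ntpath.basename(low))
        elif (ev["operation"] == "SetValueKey" and proc in dropped
              and low.endswith(PROXY_VALUES)):
            findings.append(("dropped-binary-sets-proxy", proc, target))
    return findings

if __name__ == "__main__":
    for rule, proc, target in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {proc:14} {target}")
```

Matching on process name alone is a simplification; a production rule would key on process ID and parent-child relationships, since a name can be reused.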

The main purpose of this post is to make people aware of the prevalence of this kind of attack, especially the two main groups affected: us, the users, and the website owners who support this attack without being aware of it.

As Elvira commented in the “Drive-by downloads” post, avoiding adult content sites does not rule out the probability of suffering this attack. Any website could host it. One piece of advice that usually works is to browse the web with up-to-date software, so that these websites cannot exploit a vulnerability in the browser or in one of its plugins, which are the main attack vector for this kind of attack.

As for website owners: take care of your site's code, especially iFRAME tags. Logs and traffic statistics are a good source for spotting strange patterns before someone complains to us because we are helping to spread malicious code or, potentially worse, before our reputation is tarnished.

Emilio Casbas
S21sec e-crime
