The moment of infection, and the circumstances that lead to the introduction of malware to a system, are often not obvious. This short case study examines our observations and investigations into a particular example that illustrates a fairly typical method of compromise that is played out countless times each day all over the web.
A couple of days ago, our attention was drawn to a website that appeared to use the Microsoft brand. We received reports that a website with the word "Microsoft" in big friendly letters at the top of the page, may have been serving malware. We were worried that users may visit the site with confidence and trust its content because it carried our name. So, we took a closer look at this “Microsoft” website.
We can see it does use the title “MSPinoy - Microsoft Philippines Users Group”, and when you click on the Forums tab up top, it sends you directly to an actual Microsoft website. Everything goes well initially, but after less than a minute, the system becomes sluggish and Microsoft Security Essentials reports a possible malware infection.
So the question is: who is “MSPinoy”? After some searching, we found out that the website has existed since June 2008 and has a legitimate registration contact in the Philippines. Based on our research, we assume that this website is probably not malicious, but is a community users group which references some official Philippines Microsoft links for its users.
So, if the site is a real users group (if not Microsoft endorsed per se), then how are visitors getting infected? When we looked further into the webpage source a suspicious iframe emerges at the end of the page. This iframe, which referenced a different host (rvideos.info), soon redirected to another one. Upon being redirected the new webpage contained several malicious Java applets that tried to exploit vulnerabilities on the system and download other malware. When we visited, these exploits were detected as variants of Exploit:Java/CVE-2010-0840 (example file SHA1s observed 626D495992C77BE9E47A9F2A1ED573739F34636F and A67C7CC6BD6C516D865C8BB37134F457E0B89A3D) and Exploit:Java/CVE-2012-0507 (example SHA1 of file observed 374F8FDB2EB49D5C883785A6ED627BE6CF9BACC9).
We also then did an online search into rvideos.info:
Looks like the registrant is from Australia and belongs to an organization called Privacyprotect.org. The registration date is just a couple of days ago. We continued to monitor this website and found that the malicious iframe was refreshed every day with a different host (such as charming-cuties.com or hpicture.info) which was also registered to Privacyprotect.org.
So, it looks like the MSPinoy website we investigated had been compromised, and the hijack code is being refreshed daily, presumably from a C&C server.
So, our last question: Who is Privacyprotect.org? According to their website, Privacyprotect.org is a company that provides a privacy protection service for domain owners, so that their registration contact details are not generally available to the public. So the true identity behind these domains is still a mystery.
As stated, this short case study is a fairly typical illustration of how malware is distributed, and it teaches some valuable lessons about how to defend yourself:
- Use a complete AV solution (such as Microsoft Security Essentials)
- Update your AV daily. As this example shows, the bad guys update their code daily, so you need to as well.
- Get and install the latest updates for ALL of your computer programs. Be proactive - this is really important.
- Be vigilant. Bad guys will attempt to take advantage of your existing trusted relationships (such as the relationship you might have with a company like Microsoft).
- Be aware that these types of attack are prevalent and dangerous and that attackers will try to take advantage of you, your computer and your assets. Use caution online.