Channel: Malware don't need Coffee

CVE-2013-5330 (Flash) in an unknown Exploit Kit fed by high rank websites

On 2013-01-28, Nathan Fowler warned about a drive-by on eHow.net and Livestrong.com.
It was serving a payload that triggered TDLv4+ traffic signatures (its check-in over SSL), connecting it to these reports from a 2012 campaign:
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020497.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020496.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020504.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020431.html
Note: in 020431, the Exploit Kit is GrandSoft.

C&C for the payload:
95.211.169.162
16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
https://wqgc.alphaeffects\.net

pDNS on the host
(perfectly matches the pattern in alert 020496)

I checked eHow and Livestrong. Where I was expecting malicious ads, the source of the drive-by was in fact an injected iframe:

Iframe at the end of a Livestrong page
2014-01-28

Same iframe on eHow
2014-01-28
The exploit kit is unknown to me.

Successful pass in the Exploit Kit fed by eHow and Livestrong.
WinXP, Flash 10.3.183.20, IE 8
2014-01-28
69.172.229.216
13768 | 69.172.228.0/22 | PEER1 | US | IX.IO | DAIGER SYDES GUSTAFSON LLC

It's a Flash-only Exploit Kit that was serving versions 10.1.x -> 11.2.x.
Other versions of Flash would get an empty reply at the third call:

Server side decides not to serve the exploit to Flash 11.7.x.x
Trying to figure out which CVE it could be based on those version numbers, I ended up with:
CVE-2012-0779 & CVE-2012-1535 as candidates... or something newer with a server-side block to avoid making too much noise.

I asked for help and Timo Hirvonen from F-Secure figured out it was CVE-2013-5330.
That one was patched on 2013-11-12 along with CVE-2013-5329, which appeared recently in Angler EK.

So we have something like:
CVE-2013-5330 path in the Flash-only EK
2014-01-28
GET http://asmmedia .net/86df2e83.htm
200 OK (text/html)

GET http://asmmedia .net/swfobject.js
200 OK (application/javascript)

GET http://asmmedia .net/1fd67f39/11/2/
200 OK (text/html)

Call for the xml:

GET http://asmmedia .net/engine/68d14faf.xml
200 OK (text/html)

Call for the Exploit:

GET http://asmmedia .net/f6b5da0c.swf
200 OK (text/html)  61670074963d99b0f72a16e434e12dde
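
As an added example (not code from the original post), the Python below reconstructs this chain from proxy logs: it keys on the path shapes above (8-hex landing page, swfobject.js, the probe path carrying the Flash major/minor, engine/*.xml and the .swf), records the Flash version the probe reveals, treats an empty reply at the probe as the server-side version gate, and flags the .swf being delivered as text/html. The log lines are constructed; the asmmedia .net paths are the ones captured above, and the log format (client, method, URL, status, content-type, bytes) is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Request-path shapes of the chain described above, in the order the EK issues them.
STAGES = [
    ("landing", re.compile(r"^/[0-9a-f]{8}\.htm$")),
    ("swfobject", re.compile(r"^/swfobject\.js$")),
    ("version_probe", re.compile(r"^/[0-9a-f]{8}/(\d+)/(\d+)/$")),
    ("xml", re.compile(r"^/engine/[0-9a-f]{8}\.xml$")),
    ("exploit", re.compile(r"^/[0-9a-f]{8}\.swf$")),
]
# Constructed proxy log (not from the original post): client method url status content-type bytes
SAMPLE_LOG = """\
10.0.0.5 GET http://asmmedia.net/86df2e83.htm 200 text/html 1844
10.0.0.5 GET http://asmmedia.net/swfobject.js 200 application/javascript 10220
10.0.0.5 GET http://asmmedia.net/1fd67f39/11/2/ 200 text/html 512
10.0.0.5 GET http://asmmedia.net/engine/68d14faf.xml 200 text/html 301
10.0.0.5 GET http://asmmedia.net/f6b5da0c.swf 200 text/html 61893
10.0.0.7 GET http://asmmedia.net/86df2e83.htm 200 text/html 1844
10.0.0.7 GET http://asmmedia.net/1fd67f39/11/7/ 200 text/html 0
10.0.0.9 GET http://cdn.example.org/swfobject.js 200 application/javascript 10220
"""

def detect_chains(log_text):
    """Reconstruct the chain per client; a verdict is returned only when both the
    landing page and the Flash-version probe were requested."""
    per_client = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        client, _method, url, _status, ctype, size = line.split()
        per_client[client].append((urlparse(url).path, ctype, int(size)))
    results = {}
    for client, reqs in per_client.items():
        seen, flash, empty_probe, swf_as_html = [], None, False, False
        for path, ctype, size in reqs:
            for name, pat in STAGES:
                if m := pat.match(path):
                    seen.append(name)
                    if name == "version_probe":  # path segments carry the victim's Flash major/minor
                        flash = (int(m.group(1)), int(m.group(2)))
                        empty_probe = size == 0  # empty reply: the server declined this version
                    elif name == "exploit" and ctype == "text/html":
                        swf_as_html = True  # .swf delivered as text/html, as in the capture above
        if "landing" in seen and "version_probe" in seen:
            verdict = ("exploit_served" if "exploit" in seen
                       else "gated_by_version" if empty_probe else "attempt")
            results[client] = {"verdict": verdict, "flash": flash,
                               "stages": seen, "swf_as_html": swf_as_html}
    return results
```

The "gated_by_version" verdict is what a Flash 11.7 visitor would leave in the logs: landing page and probe, then nothing, which is still worth alerting on since the client was exposed to the kit.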


Protected by secureSWF


Flash file in FFdec
Dropped?
A downloader: Miep (MS and Eset32)
85b66824a7f2787e87079903f0adebdf
e9da19440fca6f0747bdee8c7985917f

-----
This campaign raises some questions:
- It's blinking. I didn't check long enough to find a pattern, but in 24 hours it was up only 6-7 hours.
- They only go after Flash... weird. Seeing the high-rank websites used for traffic, it's difficult to think this could be a "working area" for a coder.
- They do not attack as widely as they could: if it's indeed a fully working CVE-2013-5330, they could serve up to 11.9.900.117, which is only a few months old.

Or the main goal is staying below the radar... If so: goal achieved. It would still be active if the payload were as stealthy as the EK itself. From the feedback I got, there are more than 60 referers. For instance eHow (Alexa 116 US / 292 world) had been redirecting since at least 2013-12-09, and this exploit kit has been active since the beginning of November... (I don't know if it was already CVE-2013-5330 at that time... if so, then it was an unpatched vuln!).

I'm also wondering how they compromised those websites... and seeing BBC as a referer, it's hard not to think about the Solaris exploit or the "ProFTPD 1.3.3g Server Remote Root Exploit (ftp.bbc.co.uk)".
Maybe unrelated...
-----

It would be nice to have some telemetry on asmmedia .net/*.swf and /*.js calls. Anyone? :)

Based on some data found on the C&C, the owners of the payload are dealing with "decent" numbers.
Install stats found on the C&C:
11/10/2012   -->  23982
I would say 2nd-stage installs or something else,
but not Miep, because the numbers can't match for January.
Files: Miep downloader only. (CVE: md5: 61670074963d99b0f72a16e434e12dde)
(If you happen to work on this, I'm always happy to learn more.)
Thanks a lot to Nathan Fowler, Timo Hirvonen (F-Secure), Chris Wakelin and Will Metcalf (Emerging Threats) for their help.
