Another Clever Drive-By

This is yet another drive-by that was challenging to find. It delivered payloads from two different exploit packs, which made it doubly nasty. Here's the landing page. I kept visiting this page, scrolling up and down, and nothing happened, but I knew something was here based on an alert from another user's visit. I figured it must be a malicious ad that gets rotated, so I moved on to something else.

A couple of hours later, I figured I would try again and get lucky. Still nothing! But this time I thought I would check out the ads. As I scrolled down, about halfway down the page, an ad slid out from the right side. My PC then got infected.

The iframed ad shows a redirect script up at the top. If you visit the webpage without going through a search engine first, this part won't appear.

This script shifts every character of the block of random-looking text by one ASCII code point, then renders the result with document.write. I can use Converter to show what this obfuscated text decodes to:

This is the landing page of Fiesta EK (aka Stamp EK, SofosFO). Hat tip to Fox-IT.

I thought I was all done here, but I looked through the rest of the HTML source and this JavaScript section looked really suspicious.

Since I burned through so much time on this already, I just pasted that section in Revelo and clicked on "Execute" to safely see what it would do.

I curl'd the link and got this file. Nothing. Looks like I have to spoof the referer.

Tried again and got this. This file appears to contain a JavaScript variable.

I pasted this into Revelo up at the top above the previous script and hit "Execute":

So what does this script do? It converts the variable from the second site into a URL then appends it to the body. You can whip up a simple script with the following to see how the URL gets made:

It strips any character from G to Z (upper and lower case), converts all of the special characters to "%", then unescapes what's left. This, as you know, is the landing page of Blackhole.
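To make both decoding steps concrete, here is an added example (my own code, not the scripts from the infected site) that undoes the shift-by-one layer from the first script and the strip/percent/unescape layer from the second. It assumes the first layer shifted characters up by one (so the decoder subtracts one) and that "special characters" means anything that is not a letter or digit; both sample blobs are constructed and decode to example.invalid placeholders.

```javascript
// Added example: decoders for the two obfuscation layers described above.
// Assumptions: layer 1 shifted each character UP by one code point, so the
// decoder subtracts one; "special characters" in layer 2 means any character
// that is not a letter or digit.

// Layer 1: undo the shift-by-one that precedes the document.write.
function unshiftByOne(blob) {
  let out = "";
  for (const ch of blob) {
    out += String.fromCharCode(ch.charCodeAt(0) - 1);
  }
  return out;
}

// Layer 2: drop the G-Z / g-z junk letters, turn every remaining special
// character into "%", then unescape the %XX hex pairs that are left.
function decodeLayer2(variable) {
  const stripped = variable.replace(/[G-Zg-z]/g, "");
  const percentified = stripped.replace(/[^0-9A-Za-z]/g, "%");
  return unescape(percentified); // the unescape step the post describes
}

// Constructed samples (not captured from the site): LAYER1_SAMPLE is
// '<iframe src="http://example.invalid/">' shifted up by one code point;
// LAYER2_SAMPLE is "http://example.invalid/" as hex bytes, each preceded by a
// random separator, with G-Z junk letters sprinkled in.
const LAYER1_SAMPLE = "=jgsbnf!tsd>#iuuq;00fybnqmf/jowbmje0#?";
const LAYER2_SAMPLE =
  "#68Q!74^74K*70~3aZ@2f!2fW$65^78P!61~6dM*70!6cJ$65R%2e~69T!6eX*76!61Y$6cH^69!64W*2f";

// Decode both samples and return the results for inspection.
function demo() {
  return {
    layer1: unshiftByOne(LAYER1_SAMPLE),
    layer2: decodeLayer2(LAYER2_SAMPLE),
  };
}

console.log(demo());
```

Running this prints the decoded iframe tag and the decoded URL; swap in a blob pulled from a real sample to check whether the same two transforms apply.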

The website was notified and time was given to clean it up before this post but the site still appears to be affected. It seems webmasters are having some difficulty finding and removing these types of infections lately.

Update

I was asked to comment why this drive-by isn't picked up by online website scanners.

The majority of the time, these scanners work great and can detect suspicious content easily and accurately. In this case, however, the infected content is located in an iframe that only appears when the user scrolls down the page past the end of the article. This is atypical, and the attacker probably took advantage of how the ad was normally presented on this website.

Posted on: 02/23/2013