The new Attack – d0lphin.biz

We recently came across a number of websites that have been injected with malscript iframes that load malware from d0lphin.biz. Following is our report on this attack.
 
Cybercriminals appear to be using their network of infected PCs to modify “hacked” websites and turn them into infectious websites – attempting to infect many more PCs.
  
This attack appears to only infect index pages: index.htm, index.html, index.php. That’s all we’ve seen thus far.
 

The malicious code that gets injected into these webpages is the following:

[Screenshot: body of injected script]

Which deobfuscates to:

[Screenshot: deobfuscated script]

The usual iframe malscript parameters: width=1, height=1, style=’visibility:hidden’
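A defender-side check for the kind of injection described above. This is an added example, not code from the original post: it scans a web root for index.htm/index.html/index.php files and flags iframes that are effectively invisible (1×1 or smaller, or hidden via `visibility:hidden` / `display:none`). The sample HTML and the `example.invalid` URL are constructed for the demonstration; the real injected script body shown in the post’s screenshot is not reproduced here.

```python
import re
from pathlib import Path

# Constructed sample page: one hidden 1x1 iframe (the pattern the post describes)
# next to a legitimate, visible embed that must not be flagged.
SAMPLE_INDEX_HTML = """<html><head><title>Shop</title></head>
<body>
<h1>Welcome</h1>
<iframe src="http://example.invalid/in.php" width=1 height=1 style='visibility:hidden'></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name=value with double quotes, single quotes, or no quotes (the injected tag uses a mix)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag):
    """Return a dict of lower-cased attribute names to values for one opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def is_suspicious_iframe(attrs):
    """Flag iframes a visitor cannot see: tiny dimensions or hidden by inline style."""
    def tiny(v):
        try:
            return int(v.strip("'\"").rstrip("px")) <= 1
        except ValueError:
            return False

    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "visibility:hidden" in style or "display:none" in style
    # default to a visible size when width/height are absent
    return hidden or (tiny(attrs.get("width", "100")) and tiny(attrs.get("height", "100")))


def find_hidden_iframes(html):
    """Return the src of every hidden iframe found in the HTML string."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        if is_suspicious_iframe(attrs):
            findings.append(attrs.get("src", "<no src>"))
    return findings


def scan_webroot(root, names=("index.htm", "index.html", "index.php")):
    """Walk a web root and map each index page to the hidden iframe srcs it contains."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in names:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_INDEX_HTML))
```

Run `scan_webroot("/path/to/htdocs")` from a cron job and alert on any non-empty result; because the injection only touched index pages in this campaign, restricting the walk to those names keeps the scan cheap, but dropping the `names` filter extends it to every HTML/PHP file.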
 

What was interesting is that we had to use a valid browser user agent to obtain the in.php file. We used: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) as our user-agent string. Other similar user-agents worked as well, but they had to be MSIE and Windows compatible, so we knew it had to be a Microsoft-specific exploit they (the hackers) were attempting on unsuspecting visitors.

You’ll see from the above iframe that the file it references is in.php. Here is the code for in.php:


[Screenshot: in.php malscript]


Which deobfuscates to:  

[Screenshot: in.php deobfuscated]

As you can see, there are 2 other files that this malscript tries to load:

load.php (which is actually a Windows executable)

and

pdf.php (which is an actual PDF file that uses ActionScript to try and infect the visitor’s PC).

At the time of our investigation, the malware load.php was only detectable by 2 out of 41 anti-virus companies. Here is the VirusTotal report on that little gem:

[Screenshot: load.php VirusTotal results]

And pdf.php was detectable by 11 out of 41 anti-virus programs. Here is the VirusTotal report on that file:

[Screenshot: pdf.php VirusTotal results]

Inspecting the FTP log files for the infected website, we found that the majority of the FTP traffic on the day the infected files were modified was from the following IP addresses:

89.36.84.249 which is Bucharest, Romania
98.209.145.133 which is Michigan, United States
74.211.69.79 which is New Mexico, United States
85.122.6.86 which is Bucharest, Romania
123.236.139.33 which is India
91.105.112.220 which is Great Britain, United Kingdom
96.20.117.224 which is Montreal, Canada
119.171.100.108 which is Tokyo, Japan
71.65.72.159 which is Ohio, United States
97.84.174.241 which is Michigan, United States

The interesting thing about this FTP traffic from various places around the world is that the exact same FTP username and password were used. There weren’t any failed login attempts with this username for the prior 6 months, so we didn’t feel it was a brute force or dictionary attack on a weak password. This leads us to believe that this infection is another case of compromised FTP credentials.

Another interesting point is that the FTP traffic from these various IP addresses happened within minutes of each other and the number of files transferred from each IP address was 2. It appears from this information that the attackers were using a distributed network of compromised PCs (read botnet) to send the modified files to the website server.
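The log review described in the two paragraphs above (one credential used from many IPs, all within minutes, two files per IP, no prior failed logins) can be turned into a repeatable detection. This is an added example, not code from the original post; the log format (timestamp, client IP, user, command, path) is an assumption, and the log lines are constructed, reusing some of the source IPs listed in the post with a constructed username and paths.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP transfer log. Format assumed: "YYYY-MM-DD HH:MM:SS <ip> <user> <cmd> <path>".
# The burst on 2009-03-02 mirrors the post: one account, several IPs, two uploads each,
# all within a few minutes, all targeting index pages.
SAMPLE_FTP_LOG = """\
2009-03-01 14:20:00 203.0.113.7 siteowner STOR /htdocs/images/logo.png
2009-03-02 03:11:04 89.36.84.249 siteowner STOR /htdocs/index.php
2009-03-02 03:11:09 89.36.84.249 siteowner STOR /htdocs/blog/index.html
2009-03-02 03:13:41 98.209.145.133 siteowner STOR /htdocs/index.htm
2009-03-02 03:13:47 98.209.145.133 siteowner STOR /htdocs/shop/index.php
2009-03-02 03:16:02 74.211.69.79 siteowner STOR /htdocs/news/index.php
2009-03-02 03:16:10 74.211.69.79 siteowner STOR /htdocs/about/index.html
2009-03-02 03:18:55 85.122.6.86 siteowner STOR /htdocs/index.php
2009-03-02 03:19:01 85.122.6.86 siteowner STOR /htdocs/contact/index.php
2009-03-02 09:00:00 203.0.113.7 webdesigner STOR /htdocs/css/style.css
"""


def parse_ftp_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, user, cmd, path = line.split(maxsplit=5)
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip, "user": user, "cmd": cmd, "path": path,
        })
    return events


def find_shared_credential_bursts(events, window=timedelta(minutes=30), min_ips=3):
    """For each user, find the upload window with the most distinct client IPs.

    Returns {user: {...}} only for users whose best window reaches min_ips, which is
    the stolen-credential-plus-botnet signature rather than one owner on one connection.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["cmd"] == "STOR":          # only uploads matter for defacement/injection
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            ips = {e["ip"] for e in burst}
            if len(ips) >= min_ips and (best is None or len(ips) > len(best["ips"])):
                files_per_ip = defaultdict(int)
                for e in burst:
                    files_per_ip[e["ip"]] += 1
                best = {
                    "ips": ips,
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                    "files_per_ip": dict(files_per_ip),
                    # index pages were the only targets in this campaign
                    "index_pages": sorted(e["path"] for e in burst
                                          if e["path"].rsplit("/", 1)[-1].startswith("index.")),
                }
        if best:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, info in find_shared_credential_bursts(parse_ftp_log(SAMPLE_FTP_LOG)).items():
        print(f"{user}: {len(info['ips'])} IPs between {info['first']} and {info['last']}")
        print("  files per IP:", info["files_per_ip"])
        print("  index pages touched:", info["index_pages"])
```

An alert from this check is the cue to rotate the FTP password and scan the PCs that know it, rather than to block the source IPs: as the post goes on to explain, the IPs belong to infected home machines and will change.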

This could be for a number of reasons.

But the one reason that seems most obvious is that the attackers know many people try to block their IP addresses. By using a botnet of remotely controlled PCs, they force a website owner to block dynamic IP addresses. Would you block a range of IP addresses from a DSL connection in the United States? Probably not.

Having a website means handling traffic from visitors all over the world. If you’re going to start blocking groups of IP addresses, how will you know when you’re blocking innocent visitors? Wouldn’t that hurt your business?

The IP address that d0lphin.biz is hosted on shows this for its whois:

[Screenshot: whois for the d0lphin.biz IP address]

The whois on the domain d0lphin.biz is:

[Screenshot: whois for the domain d0lphin.biz]

Google’s report on the network hosting d0lphin.biz shows:

[Screenshot: Google Safe Browsing diagnostic for the hosting network]

FIRE’s maliciousnetworks.org shows this information for the network d0lphin.biz is hosted on:

[Screenshot: FIRE maliciousnetworks.org report on the d0lphin.biz network]

You see that their report shows 2 C&C Servers (Command and Control – the servers hackers use to control their botnets) and 2 exploit servers – both bad stuff.
 
Prevention of this type of attack on your website is simple. Keep your PCs clean of viruses. If you want to be sure your PC is clean, don’t use an administrator account for your daily activities. If you can’t install software as your currently logged-in user, neither can a virus.
 
What are your thoughts on this new attack? Is there any further information you’d like to know? Let me know…