IFRAME Vulnerability Being Exploited Through Banner Ads

Analysis 1: Virtumonde Adware

Virtumonde is a well-known adware trojan that hijacks victim browsers and forces them to display popup ads based on keywords in the sites they are visiting. For instance, a user visiting a page with keywords related to travel may display popup ads for sites such as vipfares.com, a discount-travel site with a long list of customer complaints about fraudulent practices.

Warning: Do not visit any of the URLs provided below in Internet Explorer or you will become infected. URLs have spaces added to prevent accidental click-throughs.

The infection process consists of the following 8 steps:

  1. as.adwave.com / asFrame.aspx?GU=http:%2F%2Fwww.matchservice.com%2F?aid=tsmatch&lid=1&PT=Match+Service&SC=YES - banner ad
  2. www.matchservice.com / ?aid=tsmatch&lid=1 - redirect to 4hotstocks.com / dating.php
  3. 4hotstocks.com / dating.php - uses iframe to include URL #4
  4. 83.149.86.132 / header.html - encrypted jscript which uses iframe to include URL #5
  5. 83.149.86.132 / indexms.html - latest IE exploit - downloads and runs exe file at URL #6
  6. 83.149.86.132 / minst.exe (2,560 bytes) - small downloader trojan - downloads and runs exe file at URL #7
  7. 62.4.84.45 / minst.exe (40,960 bytes) - slightly larger downloader trojan. Checks to see if system has a .gov or .mil domain name, and exits if it does. If not, downloads and runs exe file at URL #8
  8. 62.4.84.41 / mmdom.exe - Virtumonde adware trojan. Other code may be downloaded, such as updates.virtumonde.com / bkinst.exe

Another banner ad server is also serving up the infections:

oas-central.realmedia.com / RealMedia/ads/click_lx.ads/www.ap.com/ringtonegoldnovio3657abb/ 288414746/x01/ExactAdv/ringtonegold_io3657a_bbringtonegold_io3657a_bb.html/ 34316435643739393431323335313630?http:// www.ringtonegold.com /?aid=exact&lid=pp
- which downloads www.ringtonegold.com / ?aid=exact&lid=pp
- which includes in an iframe 4hotstocks.com / header.html?adsw
- which is the same as step #4 above.

Despite the references to "RealMedia", the site above is not connected to RealNetworks.

Analysis 2: Trojan.Agent.EC

There is another group using the IE IFRAME exploit to install a backdoor downloader trojan known as Trojan.Agent.EC. This scheme uses the following steps:

  1. [1st hacked site]/index.html - includes base64-encoded javascript and a javascript base64 decoder. When the appended script is decoded, it uses an iframe to include URL #2
  2. [2nd hacked site]/u/c.html - IE IFRAME buffer overflow exploit. Shellcode downloads trojan from URL #3
  3. [2nd hacked site]/u/l.exe - downloader trojan - retrieves exe from URL #4
  4. [2nd hacked site]/u/w.php - Delivers a backdoor trojan known as Trojan.Agent.EC. Listens on a random port for another executable of the attacker's choice to be uploaded and executed.

The sites above are being rotated frequently and are not just small, unknown sites - one of the hacked sites included a well-known Hollywood film studio's website.
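Both chains rely on the same two tricks on the landing page: an IFRAME that silently pulls content from a bare IP address (step 4 of Analysis 1) and a base64 string inside a script block that decodes into another IFRAME (step 1 of Analysis 2). The following scanner, added here as an example and not SecureWorks' own tooling, shows how a defender can flag both patterns in fetched HTML. The sample page, the `192.0.2.x` addresses (RFC 5737 documentation range) and the `decode()` call in the script are constructed for the example.

```python
import base64
import re

# Regexes for the markers seen in the chains above: IFRAME tags, their
# attributes, script blocks, long base64-looking string literals, and
# URLs whose host is a bare IPv4 address instead of a hostname.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
BARE_IP_RE = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")


def _tiny(value):
    # A 0x0 or 1x1 frame is invisible to the user but still loads its src.
    return value is not None and value.isdigit() and int(value) <= 1


def iframe_findings(html, origin="inline"):
    """Return (origin, src, reasons) for every suspicious IFRAME in html."""
    findings = []
    for match in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        src = attrs.get("src", "")
        reasons = []
        if BARE_IP_RE.match(src):
            reasons.append("src is a bare IP address")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("hidden frame (width/height <= 1)")
        if reasons:
            findings.append((origin, src, reasons))
    return findings


def decoded_script_payloads(html):
    """Base64-decode long string literals found inside <script> blocks."""
    payloads = []
    for script in SCRIPT_RE.findall(html):
        for literal in B64_LITERAL_RE.findall(script):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("latin-1")
            except (ValueError, UnicodeDecodeError):
                continue  # not real base64; ignore
            payloads.append(decoded)
    return payloads


def scan_page(html):
    """Scan the page itself, then re-scan whatever its base64 blobs decode to."""
    findings = iframe_findings(html)
    for payload in decoded_script_payloads(html):
        findings.extend(iframe_findings(payload, origin="base64-decoded script"))
    return findings


# Constructed sample page (not a real capture): one legitimate frame, one
# near-invisible frame to a bare IP, and a base64 blob that decodes to a
# second hidden frame, mirroring the two injection patterns described above.
_hidden_iframe = '<iframe src="http://192.0.2.10/u/c.html" width="0" height="0"></iframe>'
_encoded = base64.b64encode(_hidden_iframe.encode()).decode()
SAMPLE_PAGE = f"""<html><body>
<iframe src="http://www.example.com/legit" width="300" height="200"></iframe>
<iframe src="http://192.0.2.5/header.html" width="1" height="1"></iframe>
<script>var s = "{_encoded}"; document.write(decode(s));</script>
</body></html>"""

if __name__ == "__main__":
    for origin, src, reasons in scan_page(SAMPLE_PAGE):
        print(f"[{origin}] {src}: {', '.join(reasons)}")
```

Run it over saved copies of landing pages or proxy-captured HTML; anything reported under the `base64-decoded script` origin is a strong signal, since legitimate pages rarely hide frame tags inside encoded string literals.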

Solution

If you are unable to avoid using Internet Explorer due to corporate policy or other obstacles, disable Active Scripting in the Internet Zone of Internet Explorer and enable it only for trusted sites until a patch is released by Microsoft. Note that this does not remove your exposure to the vulnerability itself, only to these particular threats, which use JavaScript to exploit it. At this time XP SP2 is not affected due to unspecified code changes in the service pack. However, a new, unrelated exploit has just been released that may allow unprompted remote code installs on SP2, and it is expected that adware vendors and trojan authors will begin to use it in the near future.
