Yesterday evening (Prague time) I spotted a curious question on Twitter from journalist Brian Krebs asking about possible malware on one of LA Times websites:It made me wonder, because having such detection would definitely provoke few of our users to claim a false positive in avast!
There was an incident earlier this week where Google Safe Browsing system overreacted a bit and killed the domain of an ad provider, causing malware warnings on multiple large sites, including the LA Times. This was just a false alarm, no malware was distributed by the affected sites and it also shows why false alarms can induce risky behavior of the users - if they're convinced that they "know what they're doing" and then they're also assured that it is safe to enter the site despite the warnings, they may do so on another occasion when there's real attack aiming at them.
So I thought we're talking about that, because, as I also checked, according to this list, LA Times is the 4th biggest newspaper in USA, and according to Alexa, its website is 7th biggest newspaper website, so we would expect lots of telemetry records and also some FP reports.
With a bit of distrust I dug in our telemetry collected from our dear CommunityIQ users and yes, it was there. Fortunately for most of the users, only one of the low-profile websites was infected, so the assumed number of the infected people is not really high. But! I checked yesterday's stats, then day-before-yesterday and the result was a bit of shocker! We have consecutive reports of malicious iframes on their sub-site from 23rd of December and it is still working there while I'm writing this blog.
The iframe points to intermediary ip site, which immediately redirects to domain hosting Black Hole 2 exploit kit. Websites used in this attack are hosted in USA (intermediary, most probably hacked) and Netherlands (colocation, domain used from some free Chilean provider, maybe also hacked).
There was a lot written about the Black Hole kit - in simple terms it's a bunch of malicious modules which try to exploit various browsers plugins' vulnerabilities. As we checked last time, only about third of our user-base have these fully updated - the rest are in danger visiting such site without a modern AV, which, despite what some self-called experts say, is not something you should give up.
Before posting this blog, we wanted to verify our telemetry because sometimes we may get false telemetry data - it may be sent from the already hijacked machine. Proxies, etc/hosts rewrites, malicious network drivers, even hacked routers, all of these may create false telemetry submits. After a while, we were pretty sure it is not the case, but most of the automated tools still verified the site as clean. Only by some manual verification we were able to record Fiddler session which clearly shows how the infection runs.
Because we were getting both the clean replies and also the replies with the malicious iframe inserted (see the screenshot above), we're pretty sure we're seeing the HTTP server with installed malicious module, which changes the file on the fly - they're unmodified on the disk so that the admins see only clean files and uploading 'verified clean' file would not fix anything. The malicious modules were first described by Unmask Parasites and later also in Eric Romang blog - identified as Darkleech. This module does contact its command & control server to get new iframe data from time to time, making us create newer and newer network blocks.
We also tried today to contact the IT department of the Tribune (owners of LA Times), but were not yet successful. Finding real human contact on commercial websites today seems like a task for people with much more time on their hands than ours.
Last word - as usual we assure you that we had our users protected - we had the detections on the infected website, all the intermediary sites and also the destination sites were blocked, we also detect various parts of the exploit kits and also the binaries were detected or blocked by our Autosandbox technology.