Not Funny: Serves Visitors Malware Again

Jan 16, 14

Yesterday (Wednesday, January 15), Cracked Magazine’s website served malicious software to visitors via exploits that target a user’s web browser and plugins. In this case, malicious content originated directly from the website, and it is unlikely that the user would have noticed anything unusual while their system was attacked. For reference, the following screenshot shows Barracuda Labs’ malicious URL detection environment after a successful compromise.

January 2014 DDL Business as usual?

The chain of redirects began at the site’s index page and concluded with delivery of exploit content and the installation of malware onto the visitor’s computer. The details are as follows.

-> hxxp://klamb[.]in/<redacted> (x2)
--> hxxp://lanim[.]nambon[.]in(:21093)/<redacted>
---> hxxp://palak[.]nambon[.]in(:21093)/<redacted>

In the above chain, content from the malicious domain (registered January 15, the same day as the start of the incident) originates via Cracked’s index page. No ad networks were involved, which means that some kind of direct website compromise occurred. An HTTP request to the klamb[.]in domain redirected to lanim[.]nambon[.]in, which responded with malicious content targeting both the web browser and the Java web plugin used by Barracuda Labs’ detection environment.
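A triage sketch for the chain above, added here as an example and not part of the original post or of Barracuda Labs’ tooling: it parses the defanged indicators as published and flags each hop for a non-standard port or a very recently registered domain. The registration dates, the 30-day threshold and the function names are assumptions made for illustration.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Redirect chain as published in the post (defanged, paths redacted).
CHAIN = [
    "hxxp://klamb[.]in/<redacted>",
    "hxxp://lanim[.]nambon[.]in(:21093)/<redacted>",
    "hxxp://palak[.]nambon[.]in(:21093)/<redacted>",
]

# Constructed registration dates for illustration only; a real check
# would take these from WHOIS/RDAP or a passive-DNS feed.
REGISTERED = {"klamb.in": date(2012, 6, 1), "nambon.in": date(2014, 1, 15)}


def refang(indicator):
    """Undo report-style defanging so the URL can be parsed (never fetched)."""
    url = indicator.replace("hxxp", "http", 1).replace("[.]", ".")
    return re.sub(r"\((:\d+)\)", r"\1", url)  # "(:21093)" -> ":21093"


def assess(indicator, seen_on, registered=REGISTERED, max_age_days=30):
    """Return (host, reasons) for one hop; an empty list means nothing flagged."""
    parts = urlsplit(refang(indicator))
    host = parts.hostname
    # Naive registrable-domain guess (last two labels); use a
    # public-suffix list for suffixes such as co.uk.
    domain = ".".join(host.split(".")[-2:])
    reasons = []
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")
    created = registered.get(domain)
    if created is None:
        reasons.append("registration date unknown")
    elif (seen_on - created).days <= max_age_days:
        age = (seen_on - created).days
        reasons.append(f"domain registered {age} day(s) before the request")
    return host, reasons


def review_chain(chain, seen_on):
    """Assess every hop of a redirect chain, preserving order."""
    return [assess(indicator, seen_on) for indicator in chain]


if __name__ == "__main__":
    for host, reasons in review_chain(CHAIN, date(2014, 1, 15)):
        print(host, "->", "; ".join(reasons) or "no flags")
```

Neither signal is proof of compromise on its own, but a first-party page that redirects to a same-day domain on a high port is worth an analyst's attention before any antivirus verdict exists.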

An exploit for CVE-2013-2551 (which targets vulnerable, 32-bit versions of Internet Explorer 6 through 10) successfully compromised the detection system’s web browser. Per VirusTotal scan results, the malicious software installed after successful exploitation is poorly detected (neither Symantec, McAfee, nor Trend’s AV offerings detect the file as malicious).

Barracuda Labs recommends that users refrain from visiting the site until its operations group investigates the incident and certifies the site as safe. In addition, as has been repeatedly advised, users should keep their software updated to prevent exploitation of known vulnerabilities and avoid software with a poor security track record.

An archive containing a packet capture (PCAP) file showing (via some analysis) the exact sequence of events that led to system compromise can be downloaded here.

1 Comment

  1. Symantec, McAfee, and Trend didn’t find it? Well no kidding – those are possibly the worst AVs available.