[Some interesting research reported by Aleksandr Matrosov]

[Update: minor edits to graphics]

[Update 2: two additional FTP server graphics added at the end.]

Not long ago we received interesting information from an independent security researcher from Russia, Vladimir Kropotov. (We will be presenting our joint research with him at CARO 2012.) We started to research this information and found an interesting way of distributing, by FTP, the payload for the most common Java exploit, which ESET calls Java/Exploit.CVE-2011-3544. At this time Java/Exploit.CVE-2011-3544 is not seen as part of an exploit kit: we have been tracking the attack by just one exploit and can’t replay the typical attacking vectors used in common exploit kits found on infected web resources.

After opening a window that accesses a malicious web site, the user is attacked using Java/Exploit.CVE-2011-3544:

The most interesting question is this: how does drive-by FTP work as a vector for a malicious payload? The answer is really simple: in the process of loading the page, obfuscated JavaScript is started in an iFrame, connecting by FTP (File Transfer Protocol) to a malicious server.

After deobfuscation we can see how it really works:

The most interesting part is its connection process, because it’s not a public FTP server connection with no password authentication. The attackers used a simple username and password pair for protection. The FTP session log looks like this: 

After a successful FTP connection a malicious applet is opened with Java/Exploit.CVE-2011-3544 on board. After the exploitation stage a malicious executable file is downloaded to the %TEMP% directory.
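One way to check captured or deobfuscated page source for this pattern is sketched below as an added example, not code from the original research. It assumes the credentials appear inside the `ftp://` URL itself (`user:password@host`); the sample page, host name, credentials and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a page can pull in a frame, script or applet code.
URL_ATTRS = {"src", "href", "data", "archive", "codebase"}
FTP_URL = re.compile(r"ftp://[^\s\"'<>\\)]+", re.IGNORECASE)

# Constructed sample page; host and credentials are placeholders.
SAMPLE = """<a href="ftp://ftp.example.test/pub/readme.txt">mirror</a>
<iframe src="ftp://user1:pw1@ftp.example.test/x/index.html" width="1"></iframe>
<script>
document.write('<applet code="A.class" archive="ftp://user1:pw1@ftp.example.test/x/a.jar">');
</script>"""


class FtpRefFinder(HTMLParser):
    """Collect ftp:// references from tag attributes and inline script text."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (where, url) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lower().startswith("ftp://"):
                self.refs.append((f"<{tag} {name}>", value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # URLs assembled as string literals in JavaScript
            self.refs.extend(("script text", u) for u in FTP_URL.findall(data))


def find_credentialed_ftp(html_text):
    """Return one finding per ftp:// reference that embeds a username."""
    finder = FtpRefFinder()
    finder.feed(html_text)
    finder.close()
    findings = []
    for where, url in finder.refs:
        parts = urlsplit(url)
        if parts.username is not None:  # anonymous FTP links are skipped
            findings.append({"where": where, "host": parts.hostname,
                             "has_password": parts.password is not None,
                             "java_payload": parts.path.lower().endswith((".jar", ".class"))})
    return findings
```

The scan only sees URLs that are present as literals, so obfuscated script has to be deobfuscated before it is passed in.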

In our case the downloaded executable was a modification of the malware ESET calls Win32/TrojanClicker.Agent.NII. This trojan is used for Black Hat SEO processes (BHSEO) and may replace legitimate search engine results with its own favored links, clickjacking context ads and redirecting users from third party web sites.

C&C (Command and Control) servers are hosted on the following domains:


This activity confirmed an active bot downloading its current tasks from the C&C servers. The task list for this version of the bot may look like this:

More detail about interesting web attack vectors will be disclosed in our CARO presentation in Munich in May.

In the meantime, here are a couple of extra screenshots from a malicious FTP server.

That's nicer than the FTP command line, isn't it? ;-) And also:

Aleksandr Matrosov
David Harley