2014-03-08 - .HTACCESS REDIRECT TO ADULTFRIENDFINDER.COM AND NEUTRINO EK

ASSOCIATED FILES:

NOTES:

A compromised web server's .htaccess file can be used for an ".htaccess attack" where a visit through a search engine (like Google) returns a 302 response by the web server.  The 302 response points to a different web page than the one you were looking for.  In traffic like I have for today's blog entry, an .htaccess attack can be used to deliver malware.

Here's a good article that explains the process:

If you Google adultfriendfinder redirect, you'll find complaints about redirects to adultfriendfinder.com as far back as 2005.

For the past 5 months or so, I've noticed .htaccess redirects to adultfriendfinder have hidden another redirect to a Neutrino exploit kit.  Whenever adultfriendfinder.com mysteriously appears, I always check for Neutrino EK traffic.  I've rarely been disappointed.  If the user doesn't get infected, I've at least found some traffic to the Neutrino exploit domain.


This is what happened in today's traffic when I clicked on a search result for www.tollywood.net...
I removed the pornographic image from the PCAP.


Adultfriendfinder.com itself isn't the problem--as far as I can tell, it's the redirect domain's fault.  I haven't infected any hosts by purposefully viewing the site in a web browser.  At this point, I've only noticed the relationship between redirects to adultfriendfinder and Neutrino.  A previous blog post back in December briefly mentions it without going into any detail (link).  Here's a flow chart that better explains today's traffic:


Here's what the HTTP GET requests look like when I review them in Wireshark:

Let's take a closer look at the infection traffic...


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS (Neutrino EK traffic in bold)


PRELIMINARY MALWARE ANALYSIS

CVE-2013-0074 SILVERLIGHT EXPLOIT

File name:  2014-03-08-Neutrino-EK-silverlight-exploit.xap
File size:  14.5 KB ( 14885 bytes )
MD5 hash:  7f510e9a1f25469b69899a29e75d5bf9
Detection ratio:  4 / 50
First submission:  2014-03-01 06:45:46 UTC
Notes:  I first saw this exploit on 2014-03-01 (infection described here).
VirusTotal link: https://www.virustotal.com/en/file/23b815328b4b73cc7f7678ba43c0ac462a840909041111a4d10c32fda9887bac/analysis/


MALWARE PAYLOAD

File name:  2014-03-08-Neutrino-EK-malware-payload.exe
File size:  126.7 KB ( 129718 bytes )
MD5 hash:  11fb5365e38646378eee9fbec3647f79
Detection ratio:  6 / 50
First submission:  2014-03-08 06:24:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/db1d807f5216176d49fb492a505b992343c2a19a0ee4b7a73c423888b33f3aea/analysis/
Malwr link: https://malwr.com/analysis/YjI4ZjhlZTBhNDZlNGFkOTg3NTgzYzU0ZDRmZmQxNjE/


SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

302 redirect caused by the web server's .htaccess file - www.tollywood.net/


Base64 encoded script (highlighted in yellow) that translates to an iframe for the Neutrino EK (translation at the bottom of the image)
xfd35snx9ucrvtppxre8xti517653a14e12616e742451e29574fc161.estetikcerrahlar.gen.tr/index2.php


Neutrino EK delivers Silverlight exploit - fixeghoh.koivaino.com:8000/angfsw?hvyrmi=ysuszxe


Silverlight exploit delivers EXE payload - fixeghoh.koivaino.com:8000/fnopwcfmoix?hxtnu=ysuszxe


The payload is XOR-ed with the ASCII string: eubh
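As an added example (not code from the original post), here's a small Python script for pulling the EXE out of a capture like this one: it decodes a blob XOR-ed with a short repeating ASCII key such as eubh, recovers the key from the expected PE header bytes when the key isn't known yet, and sanity-checks the result.  The sample blob is constructed in the script, not the real payload.

```python
from itertools import cycle
from typing import Optional

KEY = b"eubh"  # the XOR key reported in this post


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a decoded blob is a PE: 'MZ' header and e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes, key_len: int, known: bytes = b"MZ\x90\x00") -> bytes:
    """Recover a repeating XOR key of length key_len from a known plaintext prefix.

    Assumes the decoded file starts with the usual DOS stub bytes 4D 5A 90 00
    (true for most linker-built PEs, but an assumption); validate the result
    with looks_like_pe() before trusting it.
    """
    if key_len > len(known):
        raise ValueError("known prefix must cover a full key period")
    return bytes(blob[i] ^ known[i] for i in range(key_len))


def decode_payload(blob: bytes, key: Optional[bytes] = None, key_len: int = 4) -> bytes:
    """Decode an XOR-obfuscated payload; derive the key from the header if none is given."""
    key = key or recover_key(blob, key_len)
    plain = xor_with_key(blob, key)
    if not looks_like_pe(plain):
        raise ValueError("decoded data is not a PE; wrong key or key length")
    return plain


def build_fake_pe() -> bytes:
    """Constructed stand-in for a captured payload: a 64-byte DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, followed by filler (not real malware)."""
    hdr = bytearray(b"MZ\x90\x00" + b"\x00" * 60)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"constructed filler, not a real binary"


if __name__ == "__main__":
    captured = xor_with_key(build_fake_pe(), KEY)   # simulate the on-the-wire blob
    print(recover_key(captured, 4))                   # b'eubh'
    print(looks_like_pe(decode_payload(captured)))    # True
```

On a real capture, feed the raw HTTP response body from the payload request into decode_payload() and write the result to disk for analysis.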


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
