Now that you have a better understanding of the fast-flux technique, the different types, and the malware involved, let's see how the malware distribution process works. This is a real-world example of MySpace drive-by/phish attack vectors propagating fast-flux network growth. In this example we identify two infection vectors:
1. Compromised MySpace Member profiles redirecting to drive-by/phish
2. SWF Flash image malicious redirection to drive-by/phish
We start with profile redirection in MySpace member profiles using iframes. Notice in this example just how many times iframes are called, often simply redirecting to yet another iframe. Also note the heavy use of obfuscated JavaScript. The attack begins when a connection is made to the domain http://xxx.e4447aa2.com.
By following the above /da3e/index.php link, we end up on a credible-looking MySpace landing page (serviced in flux) whose most interesting element is the footer displayed below:
The iframe rendered /.footer_01.gif, which is not an actual GIF file but an encoded/obfuscated JavaScript snippet. Below we can see the obfuscated JavaScript code it feeds us.
The decoded result of the above JavaScript is seen below; it is nothing more than another iframe redirecting with a connection to another site.
The iframe-rendered /header_03.gif (served in flux) results in another encoded/obfuscated JavaScript file, whose decoded result is:
Following the iframe-rendered /routine.php file results in yet another encoded/obfuscated JavaScript file. The decoded result of /routine.php is an attempt to exploit vulnerable IE client browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014), for which Microsoft released a patch in May 2006. Below is the decode of the actual attack. Be careful: this is live exploit code.
The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable, session.exe, which is then responsible for attempting to download the additional malicious components necessary to integrate the newly compromised host into a fast-flux service network. The malware sample session.exe attempts to download and execute the following components:
http://xxx.myfiles.hk/exes/webdl3x/weby.exe
http://xxx.myfiles.hk/exes/webdl3x/oly.exe
http://xxx.camgenie.com/weby7.exe
Supporting Detail:
The following is a representative sample of URLs to Flash files hosted on the imageshack.us site that perform one simple action: an ActionScript-based browser redirect to a flux-hosted combined phishing/drive-by exploit that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014). All files are identical, with the same MD5 and SHA1 hashes:
MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740
The modification time maintained by the ImageShack HTTP server suggests an SWF compile time of 2007-06-05 03:56:30-0700. Decompiling the Flash component results in:
$ swfdump -atp ./xxx.imageshack.us/img527/3530/38023350se6.swf
[HEADER] File version: 8
[HEADER] File size: 98
[HEADER] Frame rate: 120.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 1.00
[HEADER] Movie height: 1.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c] 28 DOACTION
( 24 bytes) action: GetUrl URL:"http://xxx.e447aa2.com" Label:""
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END
Below are a few examples of URLs that host the same Flash files:
The following are examples of flux-serviced MySpace phish/drive-by domains referenced from presumably compromised MySpace user accounts, observed during the same time period, between 2007-06-26 17:35:44 and 23:18:00 (EDT -0400). Each one places the labels of a legitimate MySpace URL in front of a throwaway registrable domain.
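As an added example (not code from the original paper), the following Python triage routine flags hostnames of the kind described above: ones that embed the myspace.com brand as leading labels while their registrable domain is something else entirely. The brand list, the tiny public-suffix table and the sample hostnames are assumptions constructed for this example.

```python
# Added example: flag "brand-in-subdomain" hostnames such as
# xxx.myspace.com.index.cfm.fuseaction.user.mytoken.<random>.<random>.com,
# where the real owner is the last random label, not MySpace.
import re

# Brands to watch for (assumption for this example).
WATCHED_BRANDS = ("myspace.com",)

# Minimal public-suffix approximation (assumption: sufficient for the sample).
PUBLIC_SUFFIXES = {"com", "net", "org", "hk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the owning label plus public suffix, e.g. 'fluxdom1.com'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk before one-label ones
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def is_brand_lookalike(host: str) -> bool:
    """True when a watched brand occurs as a whole label sequence inside host,
    but the registrable domain of host is not that brand."""
    h = host.lower().rstrip(".")
    reg = registrable_domain(h)
    for brand in WATCHED_BRANDS:
        if reg == brand:
            continue  # genuinely the brand's own domain
        # Match only on label boundaries: "...myspace.com.index..." but not "myspacecom"
        if re.search(r"(^|\.)" + re.escape(brand) + r"(\.|$)", h):
            return True
    return False


def triage(hosts):
    """Return (host, registrable_domain) for every lookalike in hosts."""
    return [(h, registrable_domain(h)) for h in hosts if is_brand_lookalike(h)]


# Constructed sample hostnames following the pattern observed in the paper.
SAMPLE_HOSTS = [
    "xxx.myspace.com.index.cfm.fuseaction.user.mytoken.rand0001.fluxdom1.com",
    "xxx.myspace.com.index.cfm.fuseaction.user.mytoken.rand0002.fluxdom2.com",
    "profile.myspace.com",       # legitimate MySpace host
    "xxx.myfiles.hk",            # unrelated host, no brand label
    "myspacecom.example.com",    # brand not on a label boundary
]

if __name__ == "__main__":
    for host, owner in triage(SAMPLE_HOSTS):
        print(f"LOOKALIKE {host} -> actually owned by {owner}")
```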