CNN Pope spam repackaged year-old java exploit and evaded antivirus software


By Dave Michmerhuizen – Research Scientist

The recent flood of spam spoofing CNN reports about the new Pope highlights how effective 'old' attack vectors remain.

On March 17th the spam honeypots at Barracuda Labs began receiving a huge number of malicious spams presented as CNN breaking news updates, containing a fake news alert that the new Pope was being sued for alleged sexual abuse.

Spam mentioning current events is hardly a new development, but it is worth examining how the details of this attack combine to make it particularly dangerous:

  • Clever social engineering: The initial spam (shown above) was designed to look just like a CNN breaking news alert, a form of email that the CNN website sends to subscribers when an important news story occurs.  People who regularly receive these messages come to trust them and click the links without examining them as closely as they would other email.  Spoofing trusted brands like these means more clicks and more victims, especially computer users who might otherwise be careful with their email.
  • An attack in force: Spam campaigns have a limited time window to operate before anti-spam efforts shut them down.  Spammers adjust by carefully preparing their infrastructure and then sending spam at full speed for as long as they can.  We saw the volume of this spam in our detection network go from zero to a half million in the course of one day.  From this, we can extrapolate that the wider internet received millions of these messages almost all at once.  By the time reactive anti-spam and anti-virus systems see them, it's already too late.
  • Hiding behind hacked websites: A common way of identifying spam containing malicious links is to filter out links leading to domains that have poor internet reputations.  Spammers get around this step by hacking legitimate websites and using them to host code that redirects visitors to their main attack site.  Since the hacked website has an otherwise good reputation, emails with links to those websites sail through.  All of the links found in this Pope spam attack used domains from reputable sites that had been hacked.
  • A three-pronged attack: Clicking on a Pope spam link eventually lands you on the domain used to actually attack the browser.  This domain most likely hosts the Blackhole exploit kit, which makes at least three different attempts, not against the browser itself, but against plug-ins that the browser uses.  Studies have shown that 40% of Java installations are out-of-date versions that are vulnerable to attack.
    1. The attacking HTML first uses an applet tag to load a Java archive file.  The .jar file is not loaded by name, but implicitly via a .php script.
    2. If for some reason applet tag loading was disabled in the browser, a block of obfuscated JavaScript attempts to load the same Java file.
    3. If it is determined that Java is up-to-date and not vulnerable, a PDF exploit (Win32/Pdfjsc.AGX) is then attempted.
  • Mixing it up: The obfuscation methods used to obscure the JavaScript on the attack page change over time so as to evade detection.  After 48 hours, the attack changed to look like this.
  • A new twist on an old exploit: The Java archive file downloaded by the attack code exploits CVE-2012-0507.  This vulnerability is over a year old and has been patched, but as we said, many computers still haven't been updated to the patched versions.  You would expect antivirus programs to detect the file, but the Java code has been written in such a way as to hide its intent from antivirus programs.  Our first samples of the Java archive were completely undetected by any antivirus listed on virustotal.com.  Thus, even though an exploit is known, and attacks targeting that exploit are known, a clever hacker can re-code the attack to evade antivirus programs.  That's what happened here.  During the time period when most of the spams were sent, no antivirus program protected anyone who followed the spammed link.
  • The payload wears a disguise: The ultimate purpose of the JavaScript and Java archives is to download an executable that burrows into Windows and steals usernames and passwords.  To further evade antivirus programs this executable is actually encrypted, and the Java archive code decrypts it before executing it.  None of the payloads we tested were ever detected by any of the antivirus programs.
  • A final sleight of hand: Once all of the exploiting and downloading was done, the final act of the attack code was to send the browser to CNN.com.  This gives the victim the impression that clicking on the spammed "breaking news alert" email actually did something and keeps them from suspecting that an infection occurred.
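The "hiding behind hacked websites" point above is that domain reputation alone cannot catch these links, because the compromised hosts have clean reputations. A mail filter can instead look at what the message claims to be: a message styled as a CNN alert whose links do not resolve to CNN is suspect regardless of reputation. The following is an added example of that check, not code from Barracuda Labs or the original post; the sample emails, sender addresses and link hosts are constructed placeholders, and the brand-to-domain table is an assumption that a genuine CNN alert links only to cnn.com.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands that send "breaking news" style mail, mapped to the domains their
# legitimate links use. Assumption for this example: a genuine CNN alert only
# links to cnn.com; extend the table for other brands you see spoofed.
BRAND_DOMAINS = {"cnn": {"cnn.com"}}


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Naive registrable domain (last two labels). A production filter should
    use the public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_brand(msg):
    """Return the brand named in the From display name or Subject, if any."""
    text = f'{msg.get("From", "")} {msg.get("Subject", "")}'
    for brand in BRAND_DOMAINS:
        if re.search(r"\b" + re.escape(brand) + r"\b", text, re.IGNORECASE):
            return brand
    return None


def analyze(raw_email):
    """Flag a message that claims a brand but links to domains outside it."""
    msg = message_from_string(raw_email, policy=default)
    brand = detect_brand(msg)
    if brand is None:
        return {"brand": None, "suspicious_links": [], "verdict": "no-brand"}

    extractor = LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            extractor.feed(part.get_content())

    suspicious = []
    for href in extractor.hrefs:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, anchors and relative links carry no host to judge
        if registrable_domain(parsed.hostname) not in BRAND_DOMAINS[brand]:
            suspicious.append(href)

    verdict = "spoof-suspected" if suspicious else "ok"
    return {"brand": brand, "suspicious_links": suspicious, "verdict": verdict}


# Constructed sample: a spoofed alert. The sender address and the link host are
# placeholders, not indicators captured from the campaign.
SPAM_EMAIL = """\
From: "CNN Breaking News" <breakingnews@mail-cnn.example>
Subject: CNN Breaking News Alert
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Breaking news from CNN.</p>
<a href="http://compromised-site.example/news/alert.html">Full story</a>
<a href="http://www.cnn.com/privacy">Privacy policy</a>
</body></html>
"""

# Constructed sample: an alert whose links all stay on the brand's own domain.
LEGIT_EMAIL = """\
From: "CNN Breaking News" <alerts@cnn.example>
Subject: CNN Breaking News Alert
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://www.cnn.com/2013/story.html">Full story</a>
<a href="http://edition.cnn.com/">CNN International</a>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SPAM_EMAIL))   # spoof-suspected, one off-brand link
    print(analyze(LEGIT_EMAIL))  # ok
```

The check is deliberately independent of sender authentication: the campaign forged the display name, and even a message that passes SPF for some unrelated domain still "claims" CNN in its human-readable headers. Pair it with reputation filtering rather than replacing it, since legitimate newsletters do sometimes link through third-party tracking domains, which is why the brand table should be maintained from observed clean mail.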

Recent media coverage has raised the profile of spear phishing attacks and sophisticated APT compromises, but the most common threat to businesses and individuals is still massively distributed hit-and-run attacks that take advantage of vulnerability-ridden browser plug-ins.  As long as computer users neglect to update their software, attack vectors like Adobe's Flash, Adobe's PDF Reader and Oracle's Java will continue to be exploited and malware infections will succeed.
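The three-pronged landing page described in the list above has a recognisable shape even when the JavaScript obfuscation changes: an applet whose archive is served by a script rather than fetched as a named .jar, a script block built from decoding primitives and a long escaped string, a hidden PDF object, and a closing redirect to the real news site. A web proxy or sandbox can score a fetched page on those structural indicators instead of on signatures of any one obfuscation variant. The scanner below is an added example, not Barracuda Labs code; the indicator weights are assumed values, and the sample page is constructed to mirror the described structure, with placeholder paths and a dummy encoded blob rather than captured exploit content.

```python
import re
from html.parser import HTMLParser

# Script fragments that, in combination, suggest a decoding loader rather than
# ordinary page logic. Any one of them alone is common in benign pages.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")

# Relative weight of each indicator in the final score (assumed values).
WEIGHTS = {
    "applet-tag": 2,
    "applet-archive-not-jar": 3,
    "embedded-pdf": 2,
    "obfuscated-script": 3,
    "encoded-string-blob": 2,
    "script-redirect": 1,
}


class LandingPageScanner(HTMLParser):
    """Collects indicators of the applet / obfuscated-JS / PDF pattern."""

    def __init__(self):
        super().__init__()
        self.indicators = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self.indicators.append("applet-tag")
            archive = a.get("archive", "").lower().split("?")[0]
            # The .jar is requested through a script (e.g. load.php), not by name
            if archive and not archive.endswith(".jar"):
                self.indicators.append("applet-archive-not-jar")
        elif tag in ("object", "embed", "iframe"):
            src = (a.get("src") or a.get("data") or "").lower().split("?")[0]
            if src.endswith(".pdf") or a.get("type", "").lower() == "application/pdf":
                self.indicators.append("embedded-pdf")
        elif tag == "script":
            self._in_script = True
            self._script = []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._inspect_script("".join(self._script))

    def _inspect_script(self, js):
        hits = [t for t in OBFUSCATION_TOKENS if t in js]
        if len(hits) >= 2:
            self.indicators.append("obfuscated-script:" + "+".join(hits))
        # Long runs of %XX or \xXX escapes are typical of an encoded payload string
        if re.search(r"(?:%[0-9a-fA-F]{2}){40,}", js) or re.search(r"(?:\\x[0-9a-fA-F]{2}){20,}", js):
            self.indicators.append("encoded-string-blob")
        # The closing bounce to a legitimate site described in the post
        if re.search(r"\blocation(?:\.href)?\s*=", js):
            self.indicators.append("script-redirect")


def scan(html):
    """Return a score and the list of indicators found in an HTML page."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    scanner.close()
    score = sum(WEIGHTS.get(i.split(":")[0], 0) for i in scanner.indicators)
    return {"score": score, "indicators": scanner.indicators}


# Constructed sample page with the structure the post describes; paths and the
# encoded blob are placeholders, not captured attack content.
MALICIOUS_PAGE = (
    '<html><body>'
    '<applet archive="/data/load.php?f=2" code="Main.class" width="1" height="1">'
    '<param name="v" value="1"></applet>'
    '<script>var s=unescape("' + "%41" * 50 + '");eval(s);</script>'
    '<embed src="/show.php?f=1" type="application/pdf" width="0" height="0">'
    '<script>window.location="http://www.cnn.com/";</script>'
    '</body></html>'
)

# Constructed benign page for comparison.
BENIGN_PAGE = '<html><body><script>var ready = true;</script><a href="/story">Read</a></body></html>'

if __name__ == "__main__":
    print(scan(MALICIOUS_PAGE))  # score 13 with all six indicator kinds
    print(scan(BENIGN_PAGE))     # score 0
```

Scoring on structure rather than on the exact JavaScript is what lets the same rule survive the 48-hour obfuscation rotation the post mentions; the decoding primitives and the escaped blob have to be present in some form for the loader to work. A single indicator such as an applet tag is too weak to block on by itself, so the score, not any one hit, should drive the verdict, and the page should still be detonated in a sandbox where one is available.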

Defense in depth is the best answer we have available.  Spam filtering, malware filtering, antivirus and application whitelisting are all important steps to take to protect users from the internet, and from themselves.  Concerned users and admins should add sandboxing to their toolkit as well.  While this technology introduces some small inconvenience, the peace of mind is well worth it in the end.
