Yesterday (Wednesday, January 15), Cracked Magazine’s website served malicious software to visitors via exploits that target a user’s web browser and plugins. In this case, malicious content originated directly from the Cracked.com website, and it is unlikely that the user would have noticed anything unusual while their system was attacked. For reference, a screenshot of Barracuda Labs’ malicious URL detection environment after successful compromise occurred is as follows.
Cracked.com: Business as usual?
The chain of redirects began at the index of Cracked.com and concluded with delivery of exploit content and the installation of malware onto the visitor’s computer. These details are as follows.
-> hxxp://klamb[.]in/<redacted> (x2)
In the above chain, content from the malicious domain (registered January 15, the same day as the start of the incident) originates via Cracked’s index page. No ad networks were involved, which means that some kind of direct website compromise occurred. An HTTP request to the klamb[.]in domain redirected to lanim[.]nambon[.]in, which responded with malicious content targeting both the web browser and the Java web plugin used by Barracuda Labs’ detection environment.
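The two indicators the post relies on, a redirect chain that starts at the site’s own index page and a hop through a domain registered the same day, can be checked mechanically from proxy or PCAP-derived HTTP logs. The following is an added example (not Barracuda Labs’ tooling); the log records and registration dates are constructed around the domains named above, and in practice the dates would come from WHOIS/RDAP lookups.

```python
"""Rebuild HTTP redirect chains from log records and flag chains that pass through
a freshly registered domain. All sample data below is constructed, not from the PCAP."""
from datetime import date
from urllib.parse import urlparse

# Constructed records modelled on the chain in the post:
# (request_url, status, Location header or None, Referer header or None)
SAMPLE_LOG = [
    ("http://www.cracked.com/", 200, None, None),
    ("http://klamb.in/redacted", 302, "http://lanim.nambon.in/landing", "http://www.cracked.com/"),
    ("http://lanim.nambon.in/landing", 200, None, "http://klamb.in/redacted"),
    ("http://lanim.nambon.in/applet.jar", 200, None, "http://lanim.nambon.in/landing"),
]
# Constructed registration dates (assumed values, stand-ins for a WHOIS/RDAP lookup).
REGISTRATION_DATES = {
    "cracked.com": date(2005, 1, 1),   # assumed long-established
    "klamb.in": date(2014, 1, 15),     # registered the day of the incident, per the post
    "nambon.in": date(2014, 1, 15),    # assumed same day
}

def registrable_domain(url):
    """Crude eTLD+1 (last two labels); fine for .com/.in, not for e.g. co.uk."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def build_chains(records):
    """Join Referer and Location edges into chains that start at requests with no Referer."""
    nxt = {}
    def add_edge(src, dst):
        if dst not in nxt.setdefault(src, []):
            nxt[src].append(dst)        # dedupe: Location and Referer often give the same edge
    for url, _status, location, referer in records:
        if referer:
            add_edge(referer, url)
        if location:
            add_edge(url, location)
    chains = []
    def walk(url, path):
        path = path + [url]
        if url in path[:-1] or url not in nxt:   # cycle or leaf: the chain ends here
            chains.append(path)
            return
        for dst in nxt[url]:
            walk(dst, path)
    for url, _s, _l, referer in records:
        if not referer:
            walk(url, [])
    return chains

def suspicious_chains(records, reg_dates, incident_day, max_age_days=30):
    """Return (chain, young_domains) for chains touching a domain registered within max_age_days."""
    flagged = []
    for chain in build_chains(records):
        young = sorted({registrable_domain(u) for u in chain if registrable_domain(u) in reg_dates
                        and (incident_day - reg_dates[registrable_domain(u)]).days <= max_age_days})
        if young:
            flagged.append((chain, young))
    return flagged
```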
An exploit for CVE-2013-2551 (which targets vulnerable, 32-bit versions of Internet Explorer 6 through 10) successfully compromised the detection system’s web browser. Per VirusTotal scan results, the malicious software installed after successful exploitation is poorly detected (neither Symantec, McAfee, nor Trend’s AV offerings detect the file as malicious).
Barracuda Labs recommends that users refrain from visiting Cracked.com until the site’s operations group investigates the incident and certifies the site as safe. In addition, as has been repeatedly advised, users should keep their software updated to prevent exploitation of known vulnerabilities and avoid software with a poor security track record.
An archive containing a packet capture (PCAP) file showing (via some analysis) the exact sequence of events that led to system compromise can be downloaded here.