Sub-domain on SourceForge redirects to Flash Pack Exploit Kit

Posted August 25, 2014 by Jérôme Segura

We have talked about SourceForge before on this blog, in particular when they were associated with bundled software.

This time around, we are going to take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack.

Redirection overview

The first redirection is located within a JavaScript file:

hxxp://ydoqux.sourceforge.net/isoochamernd.js

This calls to stat-count.dnsdynamic.com a domain previously identified as a source of malicious activity. This one is no different:

You may recognize the URL landing for the Flash Pack Exploit Kit. There is an interesting series of redirections and here’s the flow:

hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/index.php?w=anM9MSZuc29sbHZpej1qdmRhY2FoJnRpbWU9MTQwODI1MDE1NDI5NzcyNDgyNiZzcmM9MjIwJnN1cmw9YW50aWRvci5uZXQmc3BvcnQ9ODAma2V5PTgxQkZCQUJFJnN1cmk9L2FkL3NvdXJjZWZvcmdlL2FkXzA5Ny8xNTkyMDE0NjYv
hxxp://yi4dtvjlvfvos6ffvnxxklf622053f032259300cb84bd8aa84eae65a.alobakkal.net/index2.php
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/index.php
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/js/swfobject.js
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/client_do.swf

The last URL is a Flash file, VT detection here.

Another redirection caught our attention:

hxxp://5.45.74.48/coder/gate.php?id=0oPDPAPoP6PDPAPoodjd6SPDPdojProdPrPPo6j0djdi0dPkPAodj0djdi0dP0ojPDPPjdd6ddjd0oPDPAP6Prooodji0L0ijd0o6D6Ajidkdkjtd0jtd0didjjtdkd6dPjddkdid0d0jddod6djjdP0PA

A Flash file with a peculiar name for its classes:

Payload

hxxp://pikistude.mol-hit.com/coder/loadfla0515.php

The payload (VT results) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED.

The video below shows the exploit happening and getting blocked by our Malwarebytes Anti-Exploit:

We have spotted similar redirections to the Flash Pack exploit kit in other popular sites as well. Whether is it part of a larger campaign is hard to say but it is particularly active at the moment.

Drive-by download attacks are the number one vector for malware infections. Legitimate websites often fall victim to malicious injections stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware.

On top of keeping your computer up-to-date and running the latest versions of antivirus and anti-malware software, adding an additional layer of protection against exploits greatly reduces the attack surface the bad guys are banking on.

@jeromesegura

COMMENTS

Pingback: Sub-domain on SourceForge redirects to Flash Pack Exploit Kit - nickelberg()
Travolta-fied_name

“… adding an additional layer of protection against exploits greatly reduces the attack surface the bad guys are banking on.”

Amen to that, nice write up. Installing MBA-Exploit in 5… 4…3… 🙂
Heath Bothell

Will MBAE FREE protcet me from stuff like that on other pages?
Jérôme Segura

MBAM free is mainly to clean infections after the fact. The Premium version will prevent malware from getting onto the system.
Jérôme Segura

Thanks.
Travolta-fied_name

You’re welcome. Just installed MBA-Exploit Free… how does the program’s definitions get updated or is that only available in the premium (paid) version?
Jérôme Segura

Every now and again, the program may prompt you for a global update (enhancements, bug fixes) but Anti-Exploit does not rely on signatures like traditional antivirus programs. So once you install it you’re good to go!

The free version protects you from all types of web based drive-by downloads and Java applets.
The premium adds protection for additional programs such as Word, Excel etc… but those are typically sent as spear phishing or spam, rather than delivered via a compromised site.
Jacob Moorman

The referenced project (ydoqux) has been purged by the SourceForge Team. I’m not aware that this issue was escalated to us prior to publication. Contact info for reporting (should you find issues in the future) is available at: http://sourceforge.net/security/
Jérôme Segura

Hi Jacob,

Thanks for that. There were earlier reports of the same attack on this blog: http://malware-traffic-analysis.net/2014/08/11/index.html

Are these ones taken care of?

Will bookmark that sourceforge link for future reference. Thanks again!
Travolta-fied_name

Ahh, I see thank you for the excellent info/description… so the program starts at Windows boot not in fact when launching a “protected” browser (as confirmed by Autoruns)…I only just now noticed the icon in systray.
Jacob Moorman

Those have been handled now as well. I appreciate the heads-up!
Jérôme Segura

The program starts with Windows loading and stays there. If you show the program interface, you will noticed that it will say when a new process has been launched, that this process is now protected. (typically your browser).
That’s something I like about this product, it protects you without bloating your machine or without annoying messages. The only time it will pop up is when an exploit has been blocked, which is always good to know! 🙂
Heath Bothell

so that means it would clean up after infection and nothing would be there?
Heath Bothell

also what is cmd.exe? i got blocked from an exploit when i clicked open texturepack folder in minecraft
Pingback: A Week in Security (Aug 24 – 30) | Malwarebytes Unpacked()
Pingback: Internet Crime Fighters Organization FlashPack Exploit kit - Internet Crime Fighters Organization()

RELATED ARTICLES

Exploits | Threat analysis

Citadel: a cyber-criminal’s ultimate weapon?

November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...

CONTINUE READING No Comments

Exploits | Threat analysis

Web Exploits: a bright future ahead

January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...

CONTINUE READING 2 Comments

Exploits | Threat analysis

Zero-Day Java vulnerability wreaks havoc on computers worldwide

January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...

CONTINUE READING 1 Comment

Exploits | Threat analysis

New Exploit Kit, Ransomware and AV evasion

March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...

CONTINUE READING No Comments

Exploits | Threat analysis

Redkit Exploit Kit does the splits

April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...

CONTINUE READING No Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on malvertising, exploits, and scams. French; appreciates wine, bread, and cheese.

CATEGORIES

101 Cybercrime Malwarebytes news Security world Threat analysis

TOP POSTS