entrepreneur.com compromised with CrimePack
Today, Websense® ThreatSeeker® Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user's machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).
Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.
Update: We have contacted entrepreneur.com to notify them that their site was compromised, and by the time this blog was published the issue had been fixed.
The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We'll explain how this works in detail. Let's start by visiting the home page of entrepreneur.com, where we notice an iframe injected into the page:
Picture 1: Hidden iframe injected into the home page of entrepreneur.com
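Injected iframes of this kind are usually kept out of sight (zero or one-pixel dimensions, `display:none`, `visibility:hidden`, or pushed off-screen), which is exactly what makes them easy to flag in a routine integrity check of your own pages. The script below is an added example written for this post, not code from Websense or from the compromised site: it parses a page with the standard library and reports every iframe that is hidden by size, style or the `hidden` attribute. The HTML it scans is a constructed sample, and the `bad.example` host is a placeholder rather than the real redirect server.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the real entrepreneur.com markup): one legitimate
# embed plus two hidden iframes of the kind an exploit-kit injection adds.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://bad.example/bof.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://bad.example/in.php" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

# Inline styles that make a frame invisible or push it far off-screen.
SUSPICIOUS_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes (e.g. a bare "hidden") arrive as None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or unitless)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def hidden_iframe_reasons(attrs):
    """Return the list of reasons an iframe looks deliberately hidden."""
    reasons = []
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("tiny dimensions")
    if SUSPICIOUS_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden by style")
    if attrs.get("hidden") is not None:
        reasons.append("hidden attribute")
    return reasons


def find_hidden_iframes(html):
    """Return (src, reasons) for every iframe that is hidden from the user."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_iframe_reasons(attrs)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}: {', '.join(reasons)}")
```

Run this against a fresh fetch of each landing page and compare the list of iframe sources with a known-good baseline; a new hidden frame pointing at a host you do not own is the signal worth paging on.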
We need to de-obfuscate it to see if this is malicious or not. On the first layer of de-obfuscation, we immediately notice that something is not quite right. The code tries to access the Java engine in various ways and loads a module named "cpack," which we surmise could be the CrimePack-generated code (Picture 3).
To confirm our suspicions, we need to de-obfuscate the second level, too, to get a clear overview of what redirections have been utilized during visits to this page. After de-obfuscating the second level, we see that the code creates another iframe that loads the "bof.php" file from the malicious server (Picture 4).
From its source code (Picture 5), we ascertain that this "bof.php" file is part of the CrimePack exploitation module.
Picture 3: Various modules are loaded from the first layer of de-obfuscated code
Picture 4: Java classes and iframes injected from the second layer of obfuscated code
Picture 5: CrimePack delivers Java exploit code to a user’s browser
Picture 6: A malware helper module uses a legitimate “Dean Edwards” obfuscation method
Picture 7: The helper module checks which plugins are installed in the browser, enabling CrimePack to build a vulnerability matrix
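The "Dean Edwards" method seen in Picture 6 is the well-known `eval(function(p,a,c,k,e,d){...})` packer: the script's identifiers are replaced by short base-62 tokens and a word dictionary is appended, and the prologue rebuilds the original at run time. Because the transform is reversible without executing anything, an analyst can unpack it statically, which is how the plugin-checking helper in Picture 7 becomes readable. The unpacker below is an added example for this post, not code from Websense or from the kit; it assumes the standard packer layout (single-quoted payload and dictionary, `.split('|')`, backslash-escaped quotes) and the `SAMPLE_PACKED` string is a constructed, hand-packed one-liner used only for the demonstration.

```python
import re

# Digit alphabet of the packer's encoder: 0-9 and a-z come from
# Number.toString(36); values 36..61 become 'A'..'Z' via String.fromCharCode(c + 29).
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Matches the argument list that closes the packed expression:
#   }('<payload>', base, count, '<dictionary>'.split('|'), 0, {}))
_ARGS = re.compile(
    r"\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)",
    re.S,
)

# Constructed sample (hand-packed for this example, base 62, 10 words).
SAMPLE_PACKED = r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2 0=1.3("4");0.5.6="7";1.8.9(0)',62,10,'f|document|var|createElement|iframe|style|display|none|body|appendChild'.split('|'),0,{}))"""


def _unescape(s):
    """Undo the packer's string escaping: \\' -> ', \\\\ -> \\, \\n -> newline."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


def _decode(token, base):
    """Turn an encoded identifier back into its dictionary index, or None."""
    value = 0
    for ch in token:
        digit = _DIGITS.find(ch)
        if digit < 0 or digit >= base:
            return None
        value = value * base + digit
    return value


def unpack(packed):
    """Statically reverse a p,a,c,k,e,d packed script and return the source."""
    m = _ARGS.search(packed)
    if m is None:
        raise ValueError("not a p,a,c,k,e,d packed script")
    payload, base, count, dictionary = m.groups()
    base, count = int(base), int(count)
    words = _unescape(dictionary).split("|")
    if len(words) != count:
        raise ValueError("dictionary length does not match count")
    payload = _unescape(payload)

    def restore(match):
        token = match.group(0)
        index = _decode(token, base)
        # Only indices below `count` are symbols; an empty dictionary entry means
        # the word was identical to its encoding and is left as it is.
        if index is None or index >= count or not words[index]:
            return token
        return words[index]

    # One pass over whole words is equivalent to the packer's descending
    # per-symbol replace loop, since every substitution is a whole word.
    return re.sub(r"\b\w+\b", restore, payload)


if __name__ == "__main__":
    print(unpack(SAMPLE_PACKED))
```

Real samples are often packed several times or wrapped in a second obfuscation layer, so run `unpack` in a loop until the result no longer matches, then hand the output to the next de-obfuscation step rather than to a browser.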