Our Blog

entrepreneur.com compromised with CrimePack

Share

Wednesday, Jan 25, 2012

Today, Websense® ThreatSeeker® Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user's machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Update: We have contacted entrepreneur.com to notify that their site was compromised and by the time this blog was published the issue had been fixed.

Analysis:

The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We'll explain how this works in detail. Let's start by visiting the home page of entrepreneur.com where we notice an iframe injected into the page:

Picture 1: Hidden iframe injected into the home page of entrepreneur.com

We know this is an invisible iframe since its height is zero. This is suspicious enough to make us analyze the content of the target URL. Our analysis reveals that it contains a highly obfuscated JavaScript code (Picture 2).

We need to de-obfuscate it to see if this is malicious or not. On the first layer of de-obfuscation, we immediately notice that something is not quite right. The code tries to access the Java engine in various ways and loads a module named "cpack," which we surmise could be the CrimePack-generated code (Picture 3).

To confirm our suspicions, we need to de-obfuscate the second level, too, to get a clear overview of what redirections have been utilized during visits to this page. After de-obfuscating the second level, we see that the code creates another iframe that loads the "bof.php" file from the malicious server (Picture 4).

From its source code (Picture 5), we ascertain that this "bof.php" file is part of the CrimePack exploitation module.

If we take a second look at the index.php, we notice that it loads another JavaScript code called “detect.js” (Picture 6). This is a module that helps determine which plugins are installed in the browser. The exploit kit then uses this information to create a vulnerability matrix that describes what type of exploit can be successfully used in a user’s particular environment (Picture 7). 

Picture Gallery:

Picture 2: Highly obfuscated JavaScript code on the malicious site

Picture 3: Various modules are loaded from the first layer of de-obfuscated code

Picture 4: Java classes and iframes injected from the second layer of obfuscated code

Picture 5: CrimePack delivers Java exploit code to a user’s browser

Picture 6: A malware helper module uses a legitimate “Dean Edwards” obfuscation method

Picture 7: The helper module checks what plugins are installed on the browser enabling CrimePack to  build a vulnerability matrix

Tags Exploit

About the Author