March 6th, 2009

USAID.gov compromised, malware and exploits served

Posted by Dancho Danchev @ 8:25 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Hackers, Malware, Passwords, Pen testing

Tags: Security, USAID, Azerbaijan, Cybercrime, Rogue Security Software, Russian Business Network, Adobe Exploits, Dancho Danchev

The Azerbaijan section of the United States Agency for International Development web site (azerbaijan.usaid.gov) was compromised around the 1st of March and embedded with scripts that serve malware and exploits. The malicious script relies on a series of redirects that dynamically load live exploits or rogue security software, and all of them are currently active. Roger Thompson at AVG Technologies has a video demonstrating what happens when an unprotected user visits the site.

Let's dissect the attack, consider the big picture, and bring a skeleton out of the closet: one of the malware's phone-back locations is a domain that was used exclusively by the Russian Business Network back in January 2008.

This particular campaign relies on an embedded malicious script that appears to create subdomains dynamically under a domain the cybercriminals control. For instance, cs.ucsb.edu.4afad2ceace1e653.should-be .cn/jan10 .cn is where the first redirection in the USAID.gov attack takes place: the hostname opens with labels that imitate a legitimate university domain, but the registrable domain at its tail is the attacker's .cn domain, so anyone eyeballing only the start of the URL is misled. From there the visitor is taken to orderasia .cn/index.php and then to orderasia .cn/iepdf.php?f=old, where multiple Adobe Reader and Acrobat buffer overflows are exploited; all of them are already patched, so a fully updated Reader is not exposed. Upon successful exploitation a downloader is served; its signature-based detection rate has been improving over the past several hours.
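To make the hostname trick concrete, here is an added example (not code from the post, from AVG, or from any of the parties named) that reduces a redirect chain to its registrable domains and flags hostnames whose leading labels impersonate another site. The chain is reconstructed from the hosts named above with the defanging spaces removed; the first hop's path is omitted because the post's rendering of it is ambiguous, and the public-suffix set is a hand-picked stand-in for the real Public Suffix List, so both are assumptions of the example.

```python
"""Reduce a redirect chain to registrable domains and spot hostnames whose
leading labels impersonate another site (e.g. "cs.ucsb.edu" prefixed to an
attacker-controlled .cn domain). Added example, not code from the post."""
from typing import List, Optional
from urllib.parse import urlsplit

# Hand-picked stand-in for the Public Suffix List (assumption: only the
# suffixes this sample needs). Load the real PSL for production use.
PUBLIC_SUFFIXES = {"cn", "com", "edu", "gov", "net", "org", "com.cn", "co.uk"}

# Redirect chain reconstructed from the hosts named in the post; defanging
# spaces removed, and the first hop's path omitted (ambiguous in the post).
CHAIN = [
    "http://azerbaijan.usaid.gov/",
    "http://cs.ucsb.edu.4afad2ceace1e653.should-be.cn/",
    "http://orderasia.cn/index.php",
    "http://orderasia.cn/iepdf.php?f=old",
    "http://fileuploader.cn/check/check.php",
]


def _labels(host: str) -> List[str]:
    return host.lower().strip(".").split(".")


def registrable_domain(host: str) -> str:
    """Public suffix plus one label, e.g. 'should-be.cn' for the decoy host."""
    labels = _labels(host)
    # Longest suffix first so 'x.com.cn' yields 'x.com.cn', not 'com.cn'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def embedded_decoy(host: str) -> Optional[str]:
    """Return a registrable-looking domain buried in the labels *before* the
    real registrable domain (a public suffix sitting mid-hostname), or None.
    'cs.ucsb.edu.<hex>.should-be.cn' -> 'ucsb.edu'."""
    labels = _labels(host)
    prefix = labels[: len(labels) - len(registrable_domain(host).split("."))]
    for i in range(1, len(prefix)):
        two = ".".join(prefix[i - 1:i + 1])
        if i >= 2 and two in PUBLIC_SUFFIXES:   # e.g. 'foo.co.uk.evil.cn'
            return ".".join(prefix[i - 2:i + 1])
        if prefix[i] in PUBLIC_SUFFIXES:         # e.g. 'cs.ucsb.edu.evil.cn'
            return ".".join(prefix[i - 1:i + 1])
    return None


def analyze_chain(urls: List[str]) -> List[dict]:
    """One record per hop: host, registrable domain, and any decoy prefix."""
    out = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        out.append({"host": host,
                    "domain": registrable_domain(host),
                    "decoy": embedded_decoy(host)})
    return out


def unique_domains(urls: List[str]) -> List[str]:
    """Registrable domains in first-seen order: the blocklist candidates."""
    seen: List[str] = []
    for rec in analyze_chain(urls):
        if rec["domain"] not in seen:
            seen.append(rec["domain"])
    return seen


if __name__ == "__main__":
    for rec in analyze_chain(CHAIN):
        flag = f"  <- impersonates {rec['decoy']}" if rec["decoy"] else ""
        print(f"{rec['host']:50} {rec['domain']:18}{flag}")
    print("domains to block/monitor:", unique_domains(CHAIN))
```

Run against the reconstructed chain, the second hop is flagged as impersonating ucsb.edu while resolving to should-be.cn, and the blocklist candidates collapse to should-be.cn, orderasia.cn and fileuploader.cn (usaid.gov being the victim, not the attacker). The decoy check is a heuristic: it only catches a public suffix sitting mid-hostname, so a hostname that merely uses a brand name as a label would pass it, and a real deployment should use the full Public Suffix List rather than the hand-picked set above.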

It gets even more interesting when the malware's phone-back location, fileuploader .cn/check/check.php, is revealed. In January 2008 the domain was used exclusively by the Russian Business Network and its customers, as part of the cybercrime powerhouse's attempt to throw sand in the eyes of the community by posting fake "account suspended" notices while the malware campaigns behind them remained active.

USAID.gov's insecurities appear to make it a juicy target for cybercriminals. In 2007 the site's Tanzanian section was hacked, with links redirecting to Zlob malware, and research released the same year placed USAID.gov among the key spam doorways that WebmasterWorld analyzed at the time.

Moreover, in 2007 cybercriminals demonstrated both the ability and the desire to target governments' web sites and use them as infection vectors, in incidents such as the malware embedded in the sites of the French Embassy in Libya, the Syrian Embassy in London, the U.S. Consulate in St. Petersburg and the Dutch Embassy in Moscow, and most recently the Embassy of Brazil in India followed by the Embassy of India in Spain. The list is bound to expand, that's for sure.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (3 comments)

  • GuidingLight, 03/06/09: I am surprised, to say the least
  • ye, 03/06/09: Must be running Solaris x86.
  • GuidingLight, 03/06/09: My guess was that the site was being administrated by typical, clueless, "point and click" Windows Admins. happy... (Read the rest)
