An official website of the Iranian government was compromised. A hidden iframe tag, which retrieves obfuscated malicious scripts that exploit multiple vulnerabilities, was injected into the website. Visitors to the governmental website may end up with a Trojan downloader taking over their system.
During the last month we have been tracking a large botnet based on the El Fiesta toolkit. Computers that were forcibly joined to the botnet were exposed to information theft and were used for sending spam emails via live.com and via an internal SMTP engine installed by Trojan downloaders.
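The injection vector described above is an iframe that the page author never wrote, sized to zero or styled invisible so visitors do not notice it. The scanner below is an added example (not code from the original report) that walks a page's HTML with the standard-library parser and flags iframes that are zero-size, styled `display:none` / `visibility:hidden`, or positioned far off-screen; it is the kind of check a site owner can run over their own templates or a crawler can run over a list of pages. The sample page and the `*.example` hostnames in it are constructed for the demonstration.

```python
"""Flag hidden <iframe> tags of the kind used to inject exploit-kit landing
pages into compromised sites.  Added example, not code from the original
report.  The sample page and every URL in it are constructed."""
import re
from html.parser import HTMLParser

# Constructed sample: a legitimate page with one visible embed plus two injected
# iframes appended just before </body>.  Hostnames are placeholders.
SAMPLE_HTML = """
<html><head><title>Ministry portal</title></head>
<body>
<h1>Welcome</h1>
<iframe src="http://video.example/player" width="640" height="480"></iframe>
<iframe src="http://exploit-kit.example/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://exploit-kit.example/alt.php" style="visibility:hidden;position:absolute;left:-5000px"></iframe>
</body></html>
"""

_SIZE_RE = re.compile(r"^\s*(\d+)")   # leading integer of "0", "1px", "100%", ...


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or percent)."""
    if value is None:
        return False
    m = _SIZE_RE.match(value)
    return m is not None and int(m.group(1)) <= 1


def _style_hides(style):
    """True when an inline style makes the element invisible or off-screen."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    # Large negative offsets push the frame outside the viewport.
    for m in re.finditer(r"(?:left|top):(-\d+)", s):
        if int(m.group(1)) <= -1000:
            return True
    return False


class _IframeCollector(HTMLParser):
    """Collects every iframe start tag that looks deliberately hidden."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)            # attribute names are already lowercased
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size")
        if _style_hides(a.get("style")):
            reasons.append("hidden-style")
        if reasons:
            self.found.append({"src": a.get("src", ""),
                               "line": self.getpos()[0],   # 1-based source line
                               "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, line, reasons} dicts, one per suspicious iframe."""
    p = _IframeCollector()
    p.feed(html)
    p.close()
    return p.found


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run against the sample page this reports the two injected frames and stays silent on the visible 640x480 player. The heuristics are deliberately simple; a hit means "look at this line", and the reported `src` is what to compare against the domains the site is actually supposed to embed.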

Image 1: The Iranian governmental website
Image 2: The Iranian governmental website page code compromised
Image 3: The obfuscated exploit page
Upon execution of the obfuscated code, the following vulnerabilities are exploited:
• Adobe Acrobat and Reader JBIG2 image stream buffer overflow
• Adobe Acrobat and Reader Multiple Arbitrary Code Execution
• NCTsoft NCTAudioFile2 ActiveX buffer overflow
• Microsoft 'msdds.dll' COM Object Heap Memory Vulnerability
• Microsoft Access Snapshot Viewer ActiveX
• MS Internet Explorer XML Parsing Buffer Overflow
• Microsoft Data Access Components (MDAC) remote code execution
• Microsoft Internet Explorer VML stack buffer overflow
• MS Internet Explorer WebViewFolderIcon remote code execution
• Firefox NoScript local exploit
• Firefox behavior vulnerability
Upon successful exploitation, Trojans are installed on the infected computer, making it part of the hacker's botnet, which is managed by the El Fiesta toolkit. During the past month we have observed half a million infected hosts controlled by this botnet server.
Image 4: El Fiesta toolkit exploits and overall infected hosts (part 1)
Image 5: El Fiesta toolkit exploits and overall infected hosts (part 2)

Image 6: Botnet Server statistics
Once our ‘Honeypot’ clients were controlled by the ‘El Fiesta’ botnet, they were used for sending spam emails via live.com and via an internal SMTP engine installed by the bot Trojans. The contents of the spam emails were supplied by another web server hosted in Ukraine.

Image 7: An infected client sending spam via a live.com mail account

Image 8: An infected client sending spam via the internal SMTP engine

Image 9: The spam web server supplies the spam email header and content to be sent by the bot client
One of the Trojans installed by the botnet downloads a rogue anti-virus program called Guarddog 2009. The rogue website is hosted on the same server as the El Fiesta toolkit.
Image 10: The Trojan downloader code

Image 11: The rogue anti-virus program