When Fox-IT published their report regarding malvertisements coming from Yahoo, they estimated the attack began on December 30, 2013, while also noting that other reports indicated the attack may have begun earlier. Meanwhile, Yahoo intimated a different timeframe for the attack, claiming “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.”
With so much uncertainty regarding this attack, Cisco TRAC decided to review what data we had to see if we could sort out some of the competing claims. Cisco Security Intelligence Operations data regarding the Yahoo incident supports the conclusion that the attack against Yahoo began on December 31. However, the malicious advertisements were just one attack in a long series of other attacks waged by the same group.
Fox-IT noted that the iframes in the malvertisements were redirecting visitors to various domains hosted on IP 193.169.245.78. Specifically called out in the blog are the following Indicator of Compromise (IoC) domains:
- boxsdiscussing.net
- crisisreverse.net
- limitingbeyond.net
- and “others”
When Cisco TRAC searched for hosts present in the 193.169.244.0/23 netblock (to which the IP 193.169.245.78 observed by Fox-IT belongs), we found a large cache of 21,971 hostnames from 393 different domains that fit the exact same pattern as the domains used in the malicious ads on Yahoo. All domains have hostnames that begin with a series of numbers, contain two to six cryptic subdomain labels in the middle, and end with two random words in the second-level domain label, often sharing a common Top Level Domain (TLD).
It is interesting to note that many of these domains were in use before the incident at Yahoo. Network administrators may wish to download a copy of the domain list, and check their network logs for evidence of traffic going to any of these malicious domains. Because these malicious domains originate from different IP addresses within the 193.169.244.0/23 netblock (not just 193.169.245.78), and because we still see activity for these domains as recently as January 9, 2014, Cisco TRAC advises network administrators to block this entire range of IP addresses.
Rather than presenting an exploit kit, our data shows that most of the time these malicious domains present the visitor with an HTTP response code 302 redirect to the domains ptp22.com or ptp33.com. Both ptp22.com and ptp33.com domains process data for a pay-per-click affiliate program run by an organization called Paid-To-Promote.Net.
I signed up for a test account at Paid-To-Promote.Net to have a peek at the code they generate for placement on web pages. The affiliate links are identical, except of course for the userid that is being paid for the traffic.
By checking the Referer information from the requests to the malicious domains at 193.169.244.0/23, it appears that typically this group operates by infecting websites with the aim of planting HTML code on the site, which directs the site’s visitors to one of the malicious domains. The malicious domains then provide a 302 redirect that generates paid traffic via the Paid-To-Promote.Net affiliate program, in effect monetizing traffic from the victimized websites.
This is not the first time either. By looking for traffic to the affiliate program, we were able to identify some older domain infrastructure inside 199.204.72.0/24, which appears to have been used by the same group for the same purpose, beginning on November 28, 2013 and continuing well into early January. Blocking this IP range may also be a good idea as there is no way to know whether this group has plans to spin up additional domains using the same IP infrastructure.
For the protection of our customers, the domains mentioned in this post are all being blocked by Cisco. Thanks to Gregg Conklin, Mary Landesman, and Seth Hanford for their assistance with this post.
References:
http://hitmanpro.wordpress.com/2014/01/05/malware-served-via-yahoo-affected-millions/
http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/
Very interesting research Jaeson. An anomaly detection mechanism I see possible here is to flag as suspicious domains with a very large number of subdomains pointing to very compact or very distributed IP address spaces. What do you think?
Francesco Ongaro,
http://www.easyaudit.org/
Thanks for your comment Francesco. I think your idea has merit.
First, most domains do not have tens of thousands of subdomains. So that right there is one bit of behavior that should cause us to pause and take a closer look.
Second, many DNS names possess two, three, or even four subdomain labels (ex. “host.example.com” has two subdomain labels), but having a minimum of four and as many as eight labels for subdomains is certainly eyebrow raising. The fact that most of the subdomain labels are gibberish is yet another red flag.
Third, as you note, there are a large number of subdomains pointed at a small number of IPs. I have seen other cases where similar behavior has turned out to be bad. For example, spammers who encode the recipient’s address in the hostname of a link, and all hostnames resolve to the same IP.
I don’t know that a large number of subdomains resolving to wildly different IPs would be as useful a technique. In my opinion the potential for FPs may be greater here.
If you end up testing any of these we would appreciate hearing your feedback. Thanks again for your comment and for reading our blog!
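As an added example (not Cisco TRAC's code or any tool from the post), the following script combines the hostname shape described in the post (leading numeric label, two to six cryptic middle labels, two-word second-level domain) with the subdomain-volume heuristic discussed in the comments: many hostnames crowded onto very few IPs. The gibberish test, the thresholds, the sample hostnames and the 193.169.244.12 address are assumptions constructed for the demo; the netblock and the two IoC domains come from the post.

```python
# Added example, not Cisco TRAC's code: the hostname shape from the post and
# the subdomain-volume idea from the comments, run over constructed records.
# Thresholds and the gibberish test are assumptions, not from the post.
import ipaddress
from collections import defaultdict
SUSPECT_NET = ipaddress.ip_network("193.169.244.0/23")  # netblock named in the post
VOWELS = set("aeiouy")

def looks_cryptic(label):
    """Assumed gibberish test: no vowels, or letters mixed with digits."""
    mixed = any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    return not (set(label) & VOWELS) or mixed

def matches_shape(hostname):
    """Leading numeric label, 2..6 cryptic middle labels, then SLD and TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    middle = labels[1:-2]
    return (labels[0].isdigit() and 2 <= len(middle) <= 6
            and all(looks_cryptic(l) for l in middle))

def registered_domain(hostname):
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def score_domains(records):
    """records: (hostname, ip) pairs, e.g. from passive DNS or proxy logs."""
    stats = defaultdict(lambda: {"hosts": set(), "ips": set(), "shape_hits": 0})
    for host, ip in records:
        s = stats[registered_domain(host)]
        s["hosts"].add(host)
        s["ips"].add(ip)
        s["shape_hits"] += matches_shape(host)
    return stats

def flag(stats, min_hosts=3, max_ips=2):
    """Flag a domain whose IPs touch the suspect netblock, or whose many pattern-matching hostnames sit on very few IPs."""
    out = []
    for domain, s in stats.items():
        in_net = any(ipaddress.ip_address(ip) in SUSPECT_NET for ip in s["ips"])
        crowded = len(s["hosts"]) >= min_hosts and len(s["ips"]) <= max_ips
        if in_net or (crowded and s["shape_hits"] == len(s["hosts"])):
            out.append(domain)
    return sorted(out)

# Constructed sample: two IoC domains from the post plus benign hosts on RFC 5737 addresses.
SAMPLE = [
    ("1032.kqz.xrv.limitingbeyond.net", "193.169.245.78"),
    ("2771.pfd.jxk.wqz.limitingbeyond.net", "193.169.245.78"),
    ("4519.tvb.zxq.limitingbeyond.net", "193.169.244.12"),
    ("8820.mnq.rtp.crisisreverse.net", "193.169.245.78"),
    ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "192.0.2.10"),
]
```

Running `flag(score_domains(SAMPLE))` returns the two IoC domains and leaves example.com alone, since two hostnames on one IP fall below the assumed threshold and match none of the shape rules.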