Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection

View all posts > 

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection

Posted: 02 May 2012 01:06 AM | Gianluca Giuliani | no comments


The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described in its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.

 

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field. The website appears to be injected with malicious code for over a week now. (Websense' ACE provided protection against the type of injected malicious code since early 2009)

 

One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago.

 

It's also worth noting that in the last few months, Israeli websites have been under continuous cyber-based threats and attacks. We don't think that this latest infection is part of an organized mass infection campaign but is probably just part of that trend. We continue to look for additional websites leading to the exploit website.

 

We have contacted the Webmaster of the website and notified them on the issue and the location of the injected code on the website, so far, we haven't heard back from them.

 

Websense customers are protected proactively from these threats by ACE, our Advanced Classification Engine.

 

 

Here's how this exploit works: if users visit the home page of the INSS website, the injected malicious Javascript code loads a Java exploiter. The injected code shown below consists of a "document.write" function call that uses decimal-encoded string characters to hide the exploit URL. Once decoded, the destination page may be retrieved. This means that users are silently redirected to the exploit page while their browser loads the website's home page:

 

The obfuscated injected content on the INSS home page looks like this:

 

 

Here's the decoded content:

 

 

And the content of the out.htm web page:

 

 

By merely looking at the code snippet above, we can see that the applet class's name suggests its intentions: "msf.x.Exploit.class." After further investigation, we detected that "test.jar" holds the exploit of the well-known Java vulnerability CVE-2012-0507. The inner workings of the "test.jar" file reveal that it contains a rather large compressed text file called "abc.txt" that is filled with a huge number of "a" characters. Once decompressed, the file size is about 104 MB. We think that this is a technique that attempts to evade automated malware analysis technologies, since some of those systems typically avoid downloading the contents of big files, because malware tends to be small in size.

 

 

From analyzing the contents of the Jar file, it was evident that it was generated by the Metasploit toolkit, which, as we mentioned, holds the vulnerability CVE-2012-0507:

 

 

 

The binary associated with the exploit, "svchost.exe" (MD5: 52aa791a524b61b129344f10b4712f52), is automatically installed on the victim's computer if followed by a successful Java exploiting attempt. "svchost.exe" is a variant of Poison Ivy, a remote administration tool (RAT) that can be used, as its name suggests, to control a computer remotely. The tool is robust and mature and may be used for legitimate purposes, but is also widely used for malicious purposes. Once Poison Ivy installs on the system it connects to a Dynamic DNS command and control address at: ids.ns01.us

 



Leave a Comment

(required)  

Email address: (required)