Several Italian forums compromised with Exploit Kit

Image from: www.net-security.org

In the last few days, Certego threat monitoring systems detected a malware distribution campaign affecting several forums hosted on italian domains.

How it works

The affected forum sites have been previously compromised, possibly exploiting vulnerabilities in software platforms used for forums management, namely vBulletin version 4.1.9 and IP Board version 3.4.6. Users who visit the forum pages are redirected to external sites to download the so called Nuclear Pack Exploit Kit, a software container that provides the ability to leverage several vulnerabilities on user machines in order to infect them and gain complete control. In this particular case, files in .swf format are used to exploit the latest Adobe Flash Player vulnerabilities.

All the forums identified by Certego as being compromised during this campaign have URLs in the following format:

http://[domain]/forums/threads/[id]-[slug]

with domains like:

[random_long_string].[domain]

For example, these are some of the domains used to distribute Nuclear Pack, albeit not all of them are still reachable and active:

72ni9v3j9chko9ak5u4uwhf.nostaljiyemekler [.] com
ey03cunzlam19kc1v9ee9jf.gumuspastabodrum [.] com
ftafyk9wkvu42523ju20iri.devletdestegi [.] com

We also identified some of the IP addresses on which the malicious domains are are hosted, in example:

195.154.166[.]120
213.238.168[.]139
213.238.166[.]227

Some of the IPs as well are no longer reachable and may have been cleaned, but most of them are still active and dangerous.

A few of these IP addresses belong to Virtual Private Servers purchased specifically for the installation of Nuclear Pack Exploit Kit, while others, used only as the first step in the redirection chain, are more likely to be compromised hosts. Gaining the control of these servers in the first place has allowed the creation of sub-domains with random names used for the distribution of malware. As a matter of fact, this way the Exploit Kit is reachable only by knowing beforehand the subdomain used, and is therefore much more protected from accidental discovery.

Countermeasures

This attack exploits vulnerabilities in Flash Player, which therefore must be updated to the latest version If you suspect to be already compromised, you can try to remove the infection using the following free products:

A more radical solution is to uninstall the Flash plug-in browser, or to limit the operation selectively, as explained in this guide, but this must be carefully evaluated because of the impacts it may have on usability and user experience in a production environment.