The True Face of Urchin

In recent days, we have seen blogs about a specific type of Mass Injection campaign. We take this opportunity to publish our findings in this blog.

This particular campaign has already picked up pace and is infecting a lot of innocent users. It all starts with a script that is injected into certain sites. The script itself points to one particular site: “http://[REMOVED]/urchin.js”. Throughout this blog, we will see the different exploits that this campaign uses in order to install malicious files onto a compromised computer.
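For site owners, the injected tag described above can be searched for in stored page content. The following is an added example, not code from the original post: it flags `<script>` tags that load a file named urchin.js from a host outside an allowlist. The allowlisted hosts, the `injected.invalid` host, and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this site legitimately loads scripts from (placeholders).
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
SUSPECT_NAME = "urchin.js"  # file name of the injected script in this campaign


class ScriptSrcCollector(HTMLParser):
    """Collects (line, src) for every <script src=...> tag, any case or quoting."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append((self.getpos()[0], src.strip()))


def find_injected_scripts(html, page_host):
    """Return (line, host, src) for urchin.js loads from non-allowlisted hosts."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, src in parser.sources:
        try:
            url = urlsplit(src)
            # A relative src has no hostname: it loads from the page's own host.
            host, path = (url.hostname or page_host).lower(), url.path
        except ValueError:  # malformed URL: report it rather than skip it
            host, path = "<malformed>", src
        if path.rsplit("/", 1)[-1].lower() == SUSPECT_NAME and host not in ALLOWED_HOSTS:
            findings.append((line, host, src))
    return findings


# Constructed sample page: one legitimate local copy, two injected tags.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/urchin.js"></script>
<script src="https://static.example.com/lib/app.js"></script>
</head><body>
<p>Product description</p><SCRIPT SRC=http://injected.invalid/urchin.js></SCRIPT>
<script src="//Injected.INVALID/a/Urchin.js?v=2"></script>
</body></html>"""

if __name__ == "__main__":
    for line, host, src in find_injected_scripts(SAMPLE_PAGE, "www.example.com"):
        print(f"line {line}: script loaded from unapproved host {host}: {src}")
```

The same function can be run over database fields or template files, since injected tags often sit in stored content rather than in static pages.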

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iFrame tag. Below is an example of the de-obfuscated iFrame tag embedded in the site.

The page then presents a video with a play button, which, when clicked on, will display a fake message advising the user to update their Adobe Flash Player as can be seen in the image below.

Even when “Don’t Install” is clicked, the user is still prompted to install the update.

The “i.html” page also stores a multitude of exploits. As an anti-de-obfuscation method, the script employs “arguments.callee”, which we have seen employed by many malicious scripts. This can be seen in the highlighted section in the image below.

De-obfuscating this script gives us a multitude of scripts that follow the same pattern as the one in the above image. Each of them, when decoded separately, reveals a hidden exploit. Each script also contains a plug-in detection script that helps to identify the different plug-ins installed on the compromised computer. At the time of writing, the site was attempting to exploit the following vulnerabilities:

  • CVE-2010-0842 – Java Midi Vulnerability (BID 39077)
  • CVE-2008-2992 – PDF Util.Printf Vulnerability (BID 32091)
  • CVE-2007-5659 – PDF CollectEmailInfo Vulnerability (BID 27641)
  • CVE-2009-0927 – PDF GetIcon Vulnerability (BID 34169)
  • CVE-2010-0840 – Java Trusted Methods Chaining Remote Code Execution Vulnerability (BID 39065)
  • CVE-2010-4452 – Java Web Start Vulnerability (BID 46388)

Below is a snapshot of a decoded version of the Java Midi exploit (CVE-2010-0842).

The malicious RMF file that is required to trigger the vulnerability is obfuscated and later passed to the JAR file at runtime as an HTML array. The malicious JavaScript inside the PDF also uses a similar template for obfuscating the script. De-obfuscating it reveals the exploits included within it. The highlighted section in the following image shows the different exploits.

Regardless of whether the user manually installs the malware from the fake Adobe Flash Player update screen, we can see that the malware will be installed if any of the aforementioned vulnerabilities are successfully exploited. Hence, the chances of the malware being successfully installed on the computer are significantly increased.

Ultimately, when any of the vulnerabilities are exploited or the user manually clicks the “Install Now” button as seen in the image below, the FakeAV downloader will be installed.

Below is a snapshot of the FakeAV scanner that prompts the user to run the FakeAV downloader, which actually downloads the FakeAV.

Consequently, there is not just a single method by which the computer can become compromised, but several. This is another typical scenario that blends the installation of malware through social engineering with the installation of malware through exploiting various vulnerabilities.

Symantec’s multi-layered approach protects its users from these types of attacks. However, we do urge users to update both their security software and their various plug-ins in order to thwart these attacks.