The Tech Herald

Nine-Ball attack compromises thousands of sites

by Steve Ragan - Jun 18 2009, 21:20


Websense has been monitoring a massive online attack since June 03, which, to date, has compromised over 40,000 Web sites. The attack redirects users to a site hosting malware (ninetoraq.in), earning it the name Nine-Ball. However, one expert disagrees with some of the hype the story has earned in the press, centered on AV coverage.

First the facts as presented by Websense: This is a massive injection attack on 40,000 legitimate sites online. That alone is serious, but then you add the goal of the attack and that is worse. The criminals behind the Nine-Ball attack are targeting end users via “a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a Trojan downloader on the user's machine.”

“If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code,” said Websense in its alert.

“The final landing page records the visitor's IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the benign site of ask.com,” it added.

“After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime,” the alert concludes.
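The alert above describes a chain of attacker-owned hops ending at a landing page that serves the exploit only once per visitor IP and sends repeat visitors to ask.com. For a defender, that cloaking means re-fetching the final URL from the same egress address will show nothing, so it is more reliable to look for the chain itself in proxy or web-filter logs. The following script is an added example, not code from Websense or The Tech Herald; it parses a constructed, simplified proxy-log format (timestamp, client, status, method, URL, and the Location header of a 3xx response) and flags a client whose consecutive redirects cross several distinct hosts within a short window. The log lines, hostnames and the format itself are all constructed for the example.

```python
"""Flag multi-host redirect chains in proxy logs (added example, constructed data)."""
import re
from urllib.parse import urlsplit

# Constructed sample format (not a real proxy's format):
# "<epoch> <client_ip> <status> <method> <url> [-> <location>]"
SAMPLE_LOG = """\
1244000001.000 10.0.0.5 200 GET http://legit-example.test/index.html
1244000001.250 10.0.0.5 302 GET http://hop1.example/a.php -> http://hop2.example/b.php
1244000001.500 10.0.0.5 302 GET http://hop2.example/b.php -> http://hop3.example/c.php
1244000001.750 10.0.0.5 302 GET http://hop3.example/c.php -> http://landing.example/final
1244000002.000 10.0.0.5 200 GET http://landing.example/final
1244000050.000 10.0.0.7 301 GET http://shop.example/old -> http://shop.example/new
1244000050.200 10.0.0.7 200 GET http://shop.example/new
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<url>\S+)"
    r"(?: -> (?P<location>\S+))?$"
)


def parse_log(text):
    """Parse the constructed format into records sorted by client and time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed lines
        d = m.groupdict()
        records.append({
            "ts": float(d["ts"]),
            "client": d["client"],
            "status": int(d["status"]),
            "url": d["url"],
            "location": d["location"],  # None unless the response was a redirect
        })
    records.sort(key=lambda r: (r["client"], r["ts"]))
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def find_redirect_chains(text, min_hosts=3, window=10.0):
    """Return flagged chains as dicts {client, urls, hosts, span}.

    A chain is a run of 3xx responses for one client where each request URL
    equals the previous hop's Location. The final destination is taken from
    the last hop's Location, so the chain is scored even if the final page is
    benign on replay (as with the IP-based cloaking described in the alert).
    """
    flagged = []
    open_chain = {}  # client -> list of redirect records currently being followed

    def close(client):
        chain = open_chain.pop(client, None)
        if not chain:
            return
        urls = [r["url"] for r in chain] + [chain[-1]["location"]]
        hosts = []
        for u in urls:
            h = host_of(u)
            if h not in hosts:
                hosts.append(h)
        span = chain[-1]["ts"] - chain[0]["ts"]
        if len(hosts) >= min_hosts and span <= window:
            flagged.append({"client": client, "urls": urls, "hosts": hosts, "span": span})

    for r in parse_log(text):
        c = r["client"]
        chain = open_chain.get(c)
        continues = (bool(chain) and chain[-1]["location"] == r["url"]
                     and r["ts"] - chain[-1]["ts"] <= window)
        if 300 <= r["status"] < 400 and r["location"]:
            if continues:
                chain.append(r)
            else:
                close(c)            # an unrelated redirect starts a new chain
                open_chain[c] = [r]
        else:
            # Any non-redirect response ends the client's pending chain
            # (a simplification: interleaved browsing in another tab would
            # also close it early).
            close(c)
    for c in list(open_chain):
        close(c)
    return flagged


if __name__ == "__main__":
    for chain in find_redirect_chains(SAMPLE_LOG):
        print(chain["client"], " -> ".join(chain["hosts"]), f"({chain['span']:.2f}s)")
```

With the constructed log, only the 10.0.0.5 session is flagged: three redirects through three attacker-style hops to a fourth host in half a second, while the single-host shop redirect for 10.0.0.7 is ignored. Tune `min_hosts` and `window` to the traffic you see; legitimate CDN and login flows also redirect, so the output is a triage queue, not a verdict.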

One of the things covered in detail by the press is that both the PDF file and the MS06-014 exploits lead to malicious files that have very low detection rates, according to VirusTotal.

“There’s been some media interest in an alert from WebSense about something they call Nine Ball,” said David Harley, ESET's director of malware intelligence. “I’d like to pick up, though, one point that the reports I’ve seen have rather overstated.”

“Websense mentioned that vendor detection is low on a Trojan Loader and a malicious PDF. This is true, or was at one point in time, in the sense that a PDF sample submitted to VirusTotal resulted in a report indicating that only three vendors identified it as malicious,” he continued.

“Well, actually, even that isn’t quite accurate: two of those hits seem to be generic packer/JavaScript detections rather than identification of the file as malicious in its own right. Similarly, most of the Trojan Downloader detections are generic, and one simply says ‘suspicious’.”

Harley also said that the AV industry is divided on whether detection based purely on packer signature is a good idea: “Some vendors flag almost all packed malware as malicious, packed or suspicious: this is because malware distributors use packers, obfuscators and protectors to make it more difficult for security software to recognize code that would otherwise be identified as known malicious code,” he said.

The problem, Harley explained, is that a fair number of developers use the same tools to protect legitimate applications from disassembly and so on, as a Digital Rights Management (DRM) strategy. “Well, that’s what they tell us,” he said.

So where’s the problem with VirusTotal? Actually, as Harley pointed out, the problem isn’t with VirusTotal but with the way that it’s used.

“VirusTotal is not intended to provide some kind of measure of vendor performance, though it’s often used (or misused) that way. One particularly annoying example is provided by SRI International, who do fine work in other areas, but persist in ranking vendor performance based on VirusTotal reports...

“Slightly less irritating is the habit some security researchers have of measuring the effectiveness of vendor response to a new threat using VT reports, as long as they don’t mislead themselves and others by reading too much into the reports.

“If a number of vendors report something as malicious (or at least suspicious), that’s a good indicator that it’s a problem. But if a vendor doesn’t record a hit on a specific file, that doesn’t mean it can’t detect the malware… As long as it detects on-access, though, this isn’t automatically a bad thing, and it’s a definite plus if it does so more accurately than a generic detection such as a "suspicious/packer" detection.”
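Harley's distinction between a packer or heuristic hit and a detection that identifies the file can be applied mechanically when reading a multi-engine scan report. The script below is an added example, not code from ESET, VirusTotal or the article: it takes a VirusTotal-style mapping of engine to detection name, sorts each verdict into "no hit", "generic" (names carrying packer, heuristic, obfuscation or "suspicious" markers) or "specific", and produces the cautious reading Harley argues for rather than a raw "3 of 8" count. The engine names, detection names and both sample reports are constructed; the two reports mirror the PDF and Trojan downloader cases the quotes describe but are not the real scan results.

```python
"""Read a multi-engine scan report the way Harley suggests (added example, constructed data)."""
import re
from collections import Counter

# Name fragments that usually mark a generic, heuristic or packer-based verdict
# rather than identification of this particular file. Extend per vendor naming.
GENERIC_MARKERS = re.compile(
    r"(generic|packed|packer|suspicious|heur|obfusc|crypt|\.gen\b)", re.I
)

# Constructed reports: engine -> detection name, or None for no hit.
SAMPLE_REPORTS = {
    "pdf_sample": {
        "engine01": "Packed.JS.Generic",
        "engine02": None,
        "engine03": "Heuristic.Obfuscated.JavaScript",
        "engine04": None,
        "engine05": None,
        "engine06": "PDF/Exploit.Example.A",   # constructed specific name
        "engine07": None,
        "engine08": None,
    },
    "downloader_sample": {
        "engine01": "Trojan.Generic.123456",
        "engine02": "Win32.Packed.Unknown",
        "engine03": "Suspicious",
        "engine04": "Downloader.Generic",
        "engine05": None,
        "engine06": None,
        "engine07": None,
        "engine08": None,
    },
}


def classify_detection(name):
    """Return 'no_hit', 'generic' or 'specific' for one engine's verdict."""
    if name is None:
        return "no_hit"
    if GENERIC_MARKERS.search(name):
        return "generic"
    return "specific"


def assess(counts):
    """Turn the class counts into the reading Harley recommends."""
    hits = counts["generic"] + counts["specific"]
    if hits == 0:
        # A miss on static scanning says nothing about on-access detection.
        return "no_static_hits"
    if counts["specific"] == 0:
        # Only packer/heuristic flags: suspicious, but the file is not identified.
        return "generic_only"
    return "identified"


def summarize_report(report):
    """Summarize a VT-style {engine: name-or-None} mapping."""
    classes = {engine: classify_detection(name) for engine, name in report.items()}
    counts = Counter(classes.values())
    return {
        "engines": len(report),
        "hits": counts["generic"] + counts["specific"],
        "specific": sorted(e for e, c in classes.items() if c == "specific"),
        "generic": sorted(e for e, c in classes.items() if c == "generic"),
        "assessment": assess(counts),
    }


if __name__ == "__main__":
    for label, report in SAMPLE_REPORTS.items():
        s = summarize_report(report)
        print(f"{label}: {s['hits']}/{s['engines']} hits, "
              f"{len(s['specific'])} specific, {len(s['generic'])} generic -> {s['assessment']}")
```

On the constructed PDF report the headline is "3 of 8", but only one engine names the file specifically; on the downloader report every hit is a generic or packer verdict, which the summary reports as "generic_only". Neither figure measures vendor quality, and an engine with no static hit may still block the file on access, which is exactly the misuse of such reports Harley warns about.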

So, what’s the point in his line of thought? “Essentially, that you shouldn’t leap to conclusions about a product’s capabilities based on a VirusTotal report. Of course, you shouldn’t, in any case, rely on anti-malware detection alone. In this case, the malicious code is only part of the problem, since it relies on one of a number of exploits to get a foothold on the system it attacks.”

“Sometimes, good update/patch practice is as important as keeping your anti-malware definitions up-to-date,” Harley added.

[David Harley's comments were sent to The Tech Herald on request. His comments were later posted to his blog.]
