We have talked about SourceForge before on this blog, in particular when they were associated with bundled software.

This time around, we are going to take a look at an infected sub-domain hosted on SourceForge responsible for a drive-by download attack.

Redirection overview

[Image: Fiddler trace of the redirection chain]

The first redirection is located within a JavaScript file:

hxxp://ydoqux.sourceforge.net/isoochamernd.js
[Image: redirection to stat-count]

This calls out to stat-count.dnsdynamic.com, a domain previously identified as a source of malicious activity. This one is no different:

[Image: redirection]

You may recognize the landing URL of the Flash Pack Exploit Kit. There is an interesting series of redirections; here's the flow:

hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/index.php?w=anM9MSZuc29sbHZpej1qdmRhY2FoJnRpbWU9MTQwODI1MDE1NDI5NzcyNDgyNiZzcmM9MjIwJnN1cmw9YW50aWRvci5uZXQmc3BvcnQ9ODAma2V5PTgxQkZCQUJFJnN1cmk9L2FkL3NvdXJjZWZvcmdlL2FkXzA5Ny8xNTkyMDE0NjYv
hxxp://yi4dtvjlvfvos6ffvnxxklf622053f032259300cb84bd8aa84eae65a.alobakkal.net/index2.php
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/index.php
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/js/swfobject.js
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/client_do.swf

The last URL is a Flash file (VT detection here).
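The `w=` parameter on the first alobakkal.net landing URL is plain base64. Decoding it shows what the kit records about the visitor's origin, including `surl=antidor.net` and a `suri=/ad/sourceforge/...` path, which ties the hit back to an ad slot on SourceForge. The following script is an added example (not code from the original post) that extracts and decodes that parameter; the `referrer_from_fields` reading of `surl`/`sport`/`suri` as host, port and path is our assumption based on the field names.

```python
import base64
from urllib.parse import parse_qs, parse_qsl, urlsplit

# Landing URL taken from the redirection chain above (defanged hxxp:// kept as on the page).
LANDING_URL = (
    "hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/index.php?w="
    "anM9MSZuc29sbHZpej1qdmRhY2FoJnRpbWU9MTQwODI1MDE1NDI5NzcyNDgyNiZzcmM9MjIwJnN1cmw9"
    "YW50aWRvci5uZXQmc3BvcnQ9ODAma2V5PTgxQkZCQUJFJnN1cmk9L2FkL3NvdXJjZWZvcmdlL2FkXzA5"
    "Ny8xNTkyMDE0NjYv"
)


def b64_decode_lenient(text: str) -> bytes:
    """Decode base64 that may use the URL-safe alphabet and may lack '=' padding."""
    text = text.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


def decode_landing_param(url: str, param: str = "w") -> dict:
    """Return the key/value pairs packed into the landing page's base64 parameter."""
    parts = urlsplit(url.replace("hxxp", "http", 1))  # re-arm the defanged scheme for parsing only
    values = parse_qs(parts.query).get(param)
    if not values:
        raise ValueError(f"no {param!r} parameter in URL")
    decoded = b64_decode_lenient(values[0]).decode("ascii", errors="replace")
    # The decoded blob is itself a query string (js=1&...&suri=/ad/...), so parse it the same way.
    return dict(parse_qsl(decoded, keep_blank_values=True))


def referrer_from_fields(fields: dict) -> str:
    """Assumption: surl/sport/suri are the referring host, port and path; rebuild them as one string."""
    host = fields.get("surl", "?")
    port = fields.get("sport", "?")
    path = fields.get("suri", "")
    return f"{host}:{port}{path}"


if __name__ == "__main__":
    fields = decode_landing_param(LANDING_URL)
    for name, value in fields.items():
        print(f"{name:10} = {value}")
    print("referrer   =", referrer_from_fields(fields))
```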

[Image: bytearray]

Another redirection caught our attention:

hxxp://5.45.74.48/coder/gate.php?id=0oPDPAPoP6PDPAPoodjd6SPDPdojProdPrPPo6j0djdi0dPkPAodj0djdi0dP0ojPDPPjdd6ddjd0oPDPAP6Prooodji0L0ijd0o6D6Ajidkdkjtd0jtd0didjjtdkd6dPjddkdid0d0jddod6djjdP0PA
[Image: Flash]

A Flash file with a peculiar name for its classes:

[Image: Flash view]

Payload

hxxp://pikistude.mol-hit.com/coder/loadfla0515.php
The payload (VT results) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED.

The video below shows the exploit happening and getting blocked by our Malwarebytes Anti-Exploit:

Video: http://youtu.be/PtnPKDMj4qE

We have spotted similar redirections to the Flash Pack exploit kit on other popular sites as well. Whether it is part of a larger campaign is hard to say, but it is particularly active at the moment.

Drive-by download attacks are the number one vector for malware infections. Legitimate websites often fall victim to malicious injections stealing incoming traffic and sending it to booby-trapped pages. Within seconds, an unpatched computer could get infected with a nasty piece of malware.

On top of keeping your computer up to date and running the latest versions of antivirus and anti-malware software, adding an additional layer of protection against exploits greatly reduces the attack surface the bad guys are banking on.

@jeromesegura