I'm working on generating our Q2 2010 Stats and Trends report, and I noticed a large number of blocked exploit kit activity from domains registered with the .IN TLD. These were not hacked sites but domains registered for the explicit purpose of supporting a criminal enterprise. This activity is on-going. As the post will show, the campaign leverages exploit kits to exploit known vulnerabilities in client applications and install various payloads, including wares delivered to monetize pay-per-installs.
A large number of the malicious domains have been hosted on:
18.104.22.168 - 22.214.171.124
These IPs belong to the 126.96.36.199/24 owned by ATECH-SAGADE:
Other ATECH-SAGADE netblocks have been described as "evil" in blog posts from earlier this month:
"Evil network: Sagade Ltd / ATECH-SAGADE" -- Dynamoo
"Basically, 188.8.131.52 – 184.108.40.206 is completely evil and has no legitimate use as far as I can see." -- ComputerSecurityArticles
"Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd." -- ComputerSecurityArticles
There have also been a number of recent malicious sites related to this .IN campaign seen on the 220.127.116.11/24 ATECH-SAGADE netblock as well, for example:
which currently resolve to 18.104.22.168, .15, and .16.
Here is a snippet of what we've seen and blocked related to this ongoing .IN campaign:
Other open-source research shows several of these sites still live on this /24, for example:
Here is an example of the WHOIS for one of the malicious .IN domains:
Russian-based information and a self-resolving domain. The name servers currently resolve to 22.214.171.124 and 126.96.36.199 respectively, on the same ATECH-SAGADE netblock.
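A heuristic check for the indicator the WHOIS lookup above surfaces (a domain whose name servers resolve into the same netblock as the domain itself, and into a netblock already flagged as hostile), written here as an added example and not code from the original post; the domains, addresses and blocklist are constructed placeholders (RFC 5737 TEST-NET ranges), and the lookup tables stand in for live DNS so it runs offline.

```python
import ipaddress

# Constructed, offline stand-in for DNS A-record lookups (TEST-NET addresses,
# not the real ATECH-SAGADE ranges discussed in the post).
SAMPLE_DNS = {
    "bad-example.in": ["192.0.2.14"],
    "ns1.bad-example.in": ["192.0.2.15"],
    "ns2.bad-example.in": ["192.0.2.16"],
    "benign-example.in": ["203.0.113.7"],
    "ns1.benign-example.in": ["198.51.100.5"],
    "ns2.benign-example.in": ["198.51.100.6"],
}
# Constructed stand-in for NS-record lookups.
SAMPLE_NS = {
    "bad-example.in": ["ns1.bad-example.in", "ns2.bad-example.in"],
    "benign-example.in": ["ns1.benign-example.in", "ns2.benign-example.in"],
}
# Constructed blocklist standing in for the /24s named in the post.
BAD_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]


def assess_domain(domain, dns=SAMPLE_DNS, ns_records=SAMPLE_NS, blocklist=BAD_NETBLOCKS):
    """Return risk indicators for a domain.

    self_resolving: every name server is a host under the domain itself.
    shared_netblock: the domain and all its name servers sit in one /24.
    blocklisted: any of those addresses falls inside a known-bad netblock.
    """
    ns_hosts = ns_records.get(domain, [])
    a_records = [ipaddress.ip_address(ip) for ip in dns.get(domain, [])]
    ns_ips = [ipaddress.ip_address(ip) for h in ns_hosts for ip in dns.get(h, [])]
    all_ips = a_records + ns_ips

    self_resolving = bool(ns_hosts) and all(
        h == domain or h.endswith("." + domain) for h in ns_hosts)
    slash24s = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in all_ips}
    shared_netblock = bool(all_ips) and len(slash24s) == 1
    blocklisted = any(ip in net for ip in all_ips for net in blocklist)

    # Simple additive score: 3 means all three indicators fired.
    score = sum([self_resolving, shared_netblock, blocklisted])
    return {"domain": domain, "self_resolving": self_resolving,
            "shared_netblock": shared_netblock, "blocklisted": blocklisted,
            "score": score}


if __name__ == "__main__":
    for d in ("bad-example.in", "benign-example.in"):
        print(assess_domain(d))
```

A self-resolving domain alone is common for legitimate registrants; it is the combination with a single hostile /24 that makes the constructed bad domain score 3 while the benign one scores 1.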
Here is a small snippet from the exploit kit hosted on the .IN domains:
I believe this is from the SUTRA exploit pack. In any case, here is an example of an earlier Wepawet report from analyzing one of these .IN sites:
The exploits detected in the report are CVE-2009-0927 and CVE-2007-5659.
And the ActiveX controls:
While many of the payloads include Trojan Downloaders and FakeAV, there have been some other wares installed via this campaign. VirusTotal has shown that some of the payloads dropped by the kit are undetectable via anti-virus:
The sigcheck output for the artifact shows it as System Explorer by the Mister Group:
Secunia has a brief advisory posted on the Mister Group and their System Explorer here.
The Mister Group has a few pages set up for their System Explorer:
From the above, it seems that this campaign is largely driven by pay-per-install profit.