Yesterday (Wednesday, January 15), Cracked Magazine's website served malicious software to visitors via exploits targeting the user's web browser and its plugins. In this case the malicious content originated directly from the Cracked.com website, and a user would most likely have noticed nothing unusual while their system was being attacked. For reference, the screenshot below shows Barracuda Labs' malicious URL detection environment after the compromise succeeded.
Cracked.com: Business as usual?
The chain of redirects began at the index of Cracked.com and concluded with delivery of exploit content and the installation of malware onto the visitor's computer. These details are as follows.
hxxp://www[.]cracked[.]com
  -> hxxp://klamb[.]in/<redacted> (x2)
    -> hxxp://lanim[.]nambon[.]in(:21093)/<redacted>
      -> hxxp://palak[.]nambon[.]in(:21093)/<redacted>
In the above chain, content from the malicious domain (registered January 15, the same day the incident began) was loaded directly from Cracked's index page. No ad networks were involved, which means some kind of direct website compromise occurred. An HTTP request to the klamb[.]in domain redirected to lanim[.]nambon[.]in, which responded with malicious content targeting both the web browser and the Java web plugin used by Barracuda Labs' detection environment.
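The two indicators that stand out in this chain, a redirect off the compromised index page to a same-day-registered domain and a landing page on a non-standard port, can be checked mechanically from proxy logs. The following is an added example written for this post, not Barracuda Labs' tooling: it reconstructs per-client hop chains from constructed log lines (using the Referer and Location headers) and flags hops whose port or registration date matches the pattern described above. The log format, the registration dates and the seven-day freshness threshold are assumptions.

```python
from collections import deque
from datetime import date
from urllib.parse import urlsplit

# Constructed proxy log (not from the post): client status url referer location; "-" = none.
LOG = """\
10.0.0.5 200 http://www.cracked.com/ - -
10.0.0.5 302 http://klamb.in/r http://www.cracked.com/ http://lanim.nambon.in:21093/x
10.0.0.5 200 http://lanim.nambon.in:21093/x http://www.cracked.com/ -
10.0.0.5 200 http://palak.nambon.in:21093/y http://lanim.nambon.in:21093/x -
10.0.0.9 200 http://cdn.example.net/lib.js http://www.cracked.com/ -
"""
# Hypothetical registration dates standing in for a WHOIS lookup (constructed values).
REGISTERED = {"nambon.in": date(2014, 1, 15), "klamb.in": date(2014, 1, 10), "example.net": date(1995, 1, 1)}

def hop_graph(log):
    """Per client: edges url -> Location (redirect) and Referer -> url (referral)."""
    graph = {}
    for line in log.splitlines():
        client, _status, url, referer, location = line.split()
        g = graph.setdefault(client, {})
        if location != "-":
            g.setdefault(url, set()).add(location)
        if referer != "-":
            g.setdefault(referer, set()).add(url)
    return graph

def walk(g, start):
    """Breadth-first walk from start; returns every URL reached, in hop order."""
    seen, order, queue = set(), [], deque([start])
    while queue:
        u = queue.popleft()
        if u not in seen:
            seen.add(u); order.append(u)
            queue.extend(sorted(g.get(u, ())))
    return order

def hop_risk(url, incident_day=date(2014, 1, 15), max_age_days=7):
    """Reasons a hop looks like exploit-kit infrastructure: odd port, freshly registered domain."""
    p, reasons = urlsplit(url), []
    if p.port not in (None, 80, 443):
        reasons.append(f"non-standard port {p.port}")
    reg = REGISTERED.get(".".join(p.hostname.split(".")[-2:]))  # crude eTLD+1 (assumption)
    if reg and 0 <= (incident_day - reg).days <= max_age_days:
        reasons.append(f"domain registered {reg}")
    return reasons

def suspicious_chains(log, start="http://www.cracked.com/"):
    # client -> [(hop URL, reasons)] for every flagged hop reachable from the start page
    chains = {c: [(u, r) for u in walk(g, start) if (r := hop_risk(u))] for c, g in hop_graph(log).items()}
    return {c: hops for c, hops in chains.items() if hops}
```

Client 10.0.0.9, which only fetched a long-registered CDN script from the same index page, produces no flags, which is the distinction a detection rule on "any redirect off cracked.com" would miss.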
An exploit for CVE-2013-2551 (which targets vulnerable, 32-bit versions of Internet Explorer 6 through 10) successfully compromised the detection system's web browser. Per VirusTotal scan results, the malicious software installed after successful exploitation is poorly detected (neither Symantec, McAfee, nor Trend's AV offerings detect the file as malicious).
Barracuda Labs recommends that users refrain from visiting Cracked.com until the site's operations group investigates the incident and certifies the site as safe. In addition, as has been repeatedly advised, users should keep their software updated to prevent exploitation of known vulnerabilities and avoid software with a poor security track record.
An archive containing a packet capture (PCAP) file showing (via some analysis) the exact sequence of events that led to system compromise can be downloaded here.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role she helps bring Barracuda's stories to life and facilitates communication between the public and Barracuda's internal teams. Before joining Barracuda, Christine spent more than 15 years as a field engineer and project manager for K12 and SMB customers. She holds several technology degrees, a Bachelor of Arts and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.