On Monday, Government Security News (GSN) reported that its website had been compromised during a mass infection. In the case of the GSN infection, the injected content was delivered from googlecodehosting.com; we have determined that the same content was also delivered from googlecodehosting.org and googlecodehosting.net. All three domains resolved to 89.45.14.87 and are now offline.
In reviewing our logs for sites with the aforementioned referrers, indicating that they too were (or are) compromised, we have thus far identified 65 different sites (see list below), with the earliest referrers appearing on Thursday, June 13, 2013, at 6:32:28 GMT. Referrers for the GSN site appeared as early as June 14, suggesting that the site was likely compromised for a couple of days before its operators became aware of the situation and took steps to clean it.
The attack leveraged the following chain of events:
1. Malvertising – The injection appears to have occurred through malicious advertisements displayed on the impacted sites, rather than in the sites' own content. The malicious advertisements were delivered from openxadvertising.com, which is currently blocked by Google Safe Browsing.
2. Redirect – The content hosted on the googlecodehosting pages (now offline) has been archived on Pastebin. As can be seen there, the actual malware is pulled from compromised WordPress sites.
3. Infection – A malicious .jar file is delivered. At least two separate Java vulnerabilities have been observed in the attacks (CVE-2013-1493 and CVE-2013-2423); they are used to install the ZeroAccess Trojan.
The following infected domains have been identified in this attack by reviewing Referer headers referencing googlecodehosting.com/net/org: http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html
For those wishing to implement IDS-based signatures to prevent the attacks, the following unique strings have been identified in URL paths seen delivering the malicious .jar files: http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html
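The referrer review described above can be reproduced against a web proxy log. The script below is an added example and not Zscaler's own tooling; it assumes a constructed tab-separated log format (timestamp, client, requested URL, Referer) and placeholder hostnames, and flags both hops of the chain: sites whose pages pulled content from googlecodehosting.* (compromised sites or their ad slots) and hosts fetched with googlecodehosting.* as the Referer (the .jar delivery sites), with the earliest time each was seen.

```python
from datetime import datetime
from urllib.parse import urlparse

# Redirector domains named in the post (all resolved to 89.45.14.87 at the time).
REDIRECTOR_HOSTS = {"googlecodehosting.com", "googlecodehosting.net", "googlecodehosting.org"}

# Constructed proxy log, one request per line:
# <ISO timestamp, GMT> TAB <client IP> TAB <requested URL> TAB <Referer, or "-" if absent>
# Hostnames are placeholders, not the sites named in the post.
SAMPLE_LOG = """\
2013-06-13T06:32:28Z\t10.0.0.5\thttp://googlecodehosting.com/js/main.js\thttp://news-site.example/story.html
2013-06-13T06:32:29Z\t10.0.0.5\thttp://blog.example/wp-content/uploads/x.jar\thttp://googlecodehosting.com/js/main.js
2013-06-14T11:05:10Z\t10.0.0.9\thttp://googlecodehosting.net/js/main.js\thttp://site-b.example/index.php
2013-06-14T11:05:11Z\t10.0.0.9\thttp://cdn.example/lib.js\thttp://site-b.example/index.php
2013-06-15T02:00:00Z\t10.0.0.7\thttp://googlecodehosting.org/js/main.js\thttp://news-site.example/other.html
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' when it is missing or unparsable."""
    return (urlparse(url).hostname or "").lower()

def is_redirector(host):
    """True for a redirector domain or any subdomain of one (no bare substring matches)."""
    return any(host == d or host.endswith("." + d) for d in REDIRECTOR_HOSTS)

def parse_line(line):
    ts, client, url, referer = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url, ("" if referer == "-" else referer)

def analyse(log_text):
    """Return (compromised_sites, payload_hosts), each mapping host -> earliest time seen.
    Hop 1: a page (Referer) pulls from googlecodehosting.* -> the referring site is compromised.
    Hop 2: a fetch whose Referer is googlecodehosting.* -> payload host (here the .jar source)."""
    compromised, payloads = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, url, referer = parse_line(line)
        dest, ref = host_of(url), host_of(referer)
        if is_redirector(dest) and ref:
            compromised[ref] = min(ts, compromised.get(ref, ts))
        elif is_redirector(ref) and dest:
            payloads[dest] = min(ts, payloads.get(dest, ts))
    return compromised, payloads

if __name__ == "__main__":
    sites, jars = analyse(SAMPLE_LOG)
    for label, table in (("compromised site", sites), ("payload host", jars)):
        for host, first in sorted(table.items(), key=lambda kv: kv[1]):
            print(f"{label} {host}: first seen {first:%Y-%m-%d %H:%M:%S} GMT")
```

Requests to unrelated third parties from a flagged site (the cdn.example line) are ignored, so only the redirector relationship, not every referrer of a compromised site, drives the result.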