Embedded code used in a drive-by attack on the website of EC-Council, the professional organization that maintains the Certified Ethical Hacker program.
Fox IT
For the past four days, including during the hour that this post was being prepared on Thursday morning, a major security certification organization has been spreading TeslaCrypt malware—despite repeated warnings from outside researchers.
EC-Council, the Albuquerque, New Mexico-based professional organization that administers the Certified Ethical Hacker program, started spreading the scourge on Monday. Shortly afterward, researchers from security firm Fox IT notified EC-Council officials that one of their subdomains—which just happens to provide online training for computer security students—had come under the spell of Angler, a toolkit sold online that provides powerful Web drive-by exploits. On Thursday, after receiving no reply and still detecting that the site was infected, Fox IT published this blog post, apparently under the reasonable belief that when attempts to privately inform the company fail, it's reasonable to go public.
Like so many drive-by attack campaigns, the one hitting the EC-Council is designed to be vexingly hard for researchers to replicate. It targets only visitors using Internet Explorer and then only when they come to the site from Google, Bing, or another search engine. Even when these conditions are met, people from certain IP addresses—say those in certain geographic locales—are also spared. The EC-Council pages of those who aren't spared then receive embedded code that redirects the browser to a chain of malicious domains that host the Angler exploits.
The Fox IT blog post continued:
Through this embedding the client is redirected a couple of times to avoid/frustrate/stop manual analysis and some automated systems. Once the user has jumped through all the redirects he/she ends up on the Angler exploit kit landing page from which the browser, flashplayer plugin or silverlight plugin will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine which will download the final payload.
The way the redirect occurs on the EC-COUNCIL website is through PHP code on the webserver which is injecting the redirect into the webpage. A vulnerability in the EC-COUNCIL website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years.
Payload details: TeslaCrypt
This specific campaign instance of the Angler exploit kit drops ‘TeslaCrypt’ on the exploited victim’s machine. TeslaCrypt is a piece of ransomware which takes a victim’s files hostage with the use of encryption. Once the victim’s files have been successfully encrypted a ransom note is presented to instruct the victim on ways to recover files:
The EC-Council infection comes eight days after The New York Times, the BBC, and other big-name Web publishers fell victim to a rash of malicious ads that attempted to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors. Last week's campaign was unusual for hitting so many different ad networks all at once. So far, none of the compromised networks—including those run by Google, AppNexis, AOL, and Rubicon—have provided statements explaining how the mass compromise happened or what they've done to ensure that similar attacks won't succeed again.
I notified them about an Angler redirect on their CISO subdomain a little over a month ago. You'd think a company like this would learn to patch their WordPress sites...
Two things missing from these asshats crypto programs
1. Why did we encrypt your files? Because we are assholes holding you for ransom, not it just happened. Come on be honest.
2. No option to say, "Ha ha, fuck you, I have a backup, don't give a shit, go extort someone else."
Um... I'm not sure how familiar you are with the ransomware.
1. They're pretty upfront as to why your files are encrypted. It states not only in the splash page (if enabled) that your files are encrypted so that you will send them money for the key. It was never implied that it 'just happened'. The reason is fairly obvious.
2. I suppose you could imply that by not responding, wiping the machine, and rebuild. However, it is my understanding that these outfits have pretty good tech support. IIRC there was a means though TOR hosted chat forums that allowed you to get in touch with someone. You could unload your keyboard fury there.
That's the really head scratching thing there. I've heard they have great tech support. If you think about it though it makes perfect sense. They are locking down files to extract money from end users. If the general public was of the opinion that in most cases they would never see their files again, even if they paid the ransom, there would be no incentive to trust your files could be decrypted. Therefore the criminal enterprise stands to loose good money if they don't keep up their end of the bargain. I've been told as well that not only do they help you, with job aids and tech support if needed, to convert cash to cryptocurrency. Even after the transaction they will help decrypt individuals decrypt files if they aren't that tech savvy. Good tech support by necessity has to be part of their 'business' model.
I notified them about an Angler redirect on their CISO subdomain a little over a month ago. You'd think a company like this would learn to patch their WordPress sites...
Two things missing from these asshats crypto programs
1. Why did we encrypt your files? Because we are assholes holding you for ransom, not it just happened. Come on be honest.
2. No option to say, "Ha ha, fuck you, I have a backup, don't give a shit, go extort someone else."
Um... I'm not sure how familiar you are with the ransomware.
1. They're pretty upfront as to why your files are encrypted. It states not only in the splash page (if enabled) that your files are encrypted so that you will send them money for the key. It was never implied that it 'just happened'. The reason is fairly obvious.
2. I suppose you could imply that by not responding, wiping the machine, and rebuild. However, it is my understanding that these outfits have pretty good tech support. IIRC there was a means though TOR hosted chat forums that allowed you to get in touch with someone. You could unload your keyboard fury there.
That's the really head scratching thing there. I've heard they have great tech support. If you think about it though it makes perfect sense. They are locking down files to extract money from end users. If the general public was of the opinion that in most cases they would never see their files again, even if they paid the ransom, there would be no incentive to trust your files could be decrypted. Therefore the criminal enterprise stands to loose good money if they don't keep up their end of the bargain. I've been told as well that not only do they help you, with job aids and tech support if needed, to convert cash to cryptocurrency. Even after the transaction they will help decrypt individuals decrypt files if they aren't that tech savvy. Good tech support by necessity has to be part of their 'business' model.
Dan Goodin
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.
reader comments
38