The Counter.php strain of malware has been spotted in the past redirecting users to a handful of malicious sites and now appears to be leveraging that ability to send victims to websites serving up the Styx exploit kit.
According to a post on Securelist today, Vicente Diaz, a researcher with Kaspersky Lab, discovered counter.php while looking into some of the more popular Web attacks in Spain during the past three months. One bit of code in particular, Trojan.JS.iframe.aeq, jumped out at him.
At the end of that source code was counter.php, a malicious iframe-based redirect that first appeared in Japan and Spain in February and March of this year.
Counter.php in turn led Diaz to stumble upon a site passing out the Styx exploit kit, a pricey $3,000 toolkit that enjoyed its peak of popularity earlier this spring.
While investigating the relatively new Fort Disco botnet earlier this month, researchers found a PHP redirector that also sent victims to sites hosting Styx, suggesting the malicious sites in both cases are one and the same.
According to Diaz, the exploit kit runs the PluginDetect JavaScript library to profile the victim's browser plugins and determine which version of Java the user is running. It then serves one of a handful of – mostly Java – exploits, each from its own landing page:
- “jorg.html” – CVE-2013-0422
- “jlnp.html” – CVE-2013-2423
- “pdfx.html”, which loads “fnts.html” – CVE-2011-3402
- “jovf.html” – CVE-2013-1493
- a downloaded .pdf file – CVE-2010-0188
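The landing-page names above are the most concrete artefact in the post, so the obvious defensive use is to look for them, together with a counter.php page that hands the browser off to another host, in proxy logs. The script below is an added example written for this article, not code from the Securelist post or from Kaspersky; its log format, hostnames and addresses are constructed, and a same-host counter.php is deliberately not flagged, since plenty of legitimate sites have a page by that name.

```python
"""Added example for this article, not code from the Securelist post: scan
constructed web-proxy log lines for the Styx landing-page names listed above
and for a counter.php page handing the browser off to a different host.
Log format, hostnames and addresses are all made up for the demonstration."""
import re
from urllib.parse import urlparse

# Landing-page names and the CVEs the article attributes to each.
STYX_PAGES = {
    "jorg.html": "CVE-2013-0422",
    "jlnp.html": "CVE-2013-2423",
    "pdfx.html": "CVE-2011-3402",
    "fnts.html": "CVE-2011-3402",
    "jovf.html": "CVE-2013-1493",
}
REDIRECTOR = "counter.php"

# Constructed log format: epoch time, client address, method, URL, status, quoted referer.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# Constructed sample: one client walks the redirect chain, another hits a benign counter.php.
SAMPLE_LOG = """\
1376350001.123 10.0.0.7 GET http://www.example-hacked-site.test/index.html 200 "-"
1376350001.456 10.0.0.7 GET http://www.example-hacked-site.test/counter.php 200 "http://www.example-hacked-site.test/index.html"
1376350002.001 10.0.0.7 GET http://198.51.100.23/ 200 "http://www.example-hacked-site.test/counter.php"
1376350003.250 10.0.0.7 GET http://198.51.100.23/jorg.html 200 "http://198.51.100.23/"
1376350004.800 10.0.0.7 GET http://198.51.100.23/pdfx.html 200 "http://198.51.100.23/"
1376350005.100 10.0.0.7 GET http://198.51.100.23/fnts.html 200 "http://198.51.100.23/pdfx.html"
1376350020.000 10.0.0.9 GET http://intranet.corp.test/counter.php 200 "-"
1376350021.000 10.0.0.9 GET http://intranet.corp.test/stats.js 200 "http://intranet.corp.test/counter.php"
"""


def page_name(url):
    """Last path component of a URL, without the query string ('' if none)."""
    return urlparse(url).path.rsplit("/", 1)[-1]


def scan(log_text):
    """Return {client: {"exploit_pages": [(url, cve), ...], "chains": [(referer, url), ...]}}
    for clients that requested a Styx landing page or followed an off-host counter.php redirect."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip it rather than abort the scan
        rec = m.groupdict()
        entry = findings.setdefault(rec["client"], {"exploit_pages": [], "chains": []})
        name = page_name(rec["url"])
        if name in STYX_PAGES:
            entry["exploit_pages"].append((rec["url"], STYX_PAGES[name]))
        # A counter.php on one host handing the browser to a different host is the
        # redirector behaviour the article describes; same-host hits are left alone.
        ref = rec["referer"]
        if (ref != "-" and page_name(ref) == REDIRECTOR
                and urlparse(ref).hostname != urlparse(rec["url"]).hostname):
            entry["chains"].append((ref, rec["url"]))
    return {c: e for c, e in findings.items() if e["exploit_pages"] or e["chains"]}


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client)
        for url, cve in hits["exploit_pages"]:
            print("  landing page", url, "->", cve)
        for ref, url in hits["chains"]:
            print("  redirect", ref, "->", url)
```

Run against the constructed log, only 10.0.0.7 is reported: three landing-page hits (jorg.html, pdfx.html and the fnts.html it loads) plus the counter.php hand-off to 198.51.100.23. Page names alone are weak indicators, so in practice the off-host redirect is the part worth alerting on and the landing-page names are what you pivot on afterwards.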
Diaz goes on to describe how the sites passing out Styx may have been compromised, suggesting their FTP accounts were taken over. After contacting the sites’ hosting companies, however, Diaz was able to glean a little more about the most recent iteration of counter.php.
Looking at the functions and strings, “when users are redirected to counter.php, then there is a second redirection to stat.php,” a filter that helps the kit avoid reinfecting the same visitor and evade signature detection.
“As stat.php does not check that the parameter IP is the remote address, now we know how to create requests for getting samples from the exploit kit,” Diaz said.
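The flaw Diaz describes is a general one: a server-side gate keyed on a value the client supplies, rather than on the address the connection actually came from, can be replayed at will. The toy model below is an added example written for this article, not code from the Securelist post or from the kit itself; it is a guess at the shape of a one-visit-per-IP filter like stat.php, with names, parameters and addresses all made up, and shows the weak form beside the form that keys on the peer address.

```python
"""Added example for this article, not code from the Securelist post or the kit:
a toy model of a one-visit-per-address gate such as the stat.php filter described
above.  The weak form trusts an `ip` query parameter (the flaw the article notes);
the fixed form keys on the connection's peer address.  All names and addresses
are made up."""


class VisitGate:
    """Serve the payload to each address once, then a blank page on repeat visits."""

    def __init__(self, trust_client_param):
        self.trust_client_param = trust_client_param
        self.served = set()

    def handle(self, query, remote_addr):
        """Return 'exploit' on a first visit, 'blank' on a repeat.

        query       -- parsed query-string parameters (hypothetical 'ip' key)
        remote_addr -- peer address of the TCP connection
        """
        if self.trust_client_param:
            # Weak: the key is whatever the client put in the request, so a fresh
            # ip= value on every request defeats the "already served" check.
            key = query.get("ip", remote_addr)
        else:
            # Fixed: the key is the address the request actually arrived from.
            key = remote_addr
        if key in self.served:
            return "blank"
        self.served.add(key)
        return "exploit"


def fetch_samples(gate, analyst_addr, attempts):
    """Simulate an analyst at one fixed address sending `attempts` requests, each
    with a different forged ip= parameter; return how many received the payload."""
    hits = 0
    for n in range(attempts):
        forged = f"203.0.113.{n + 1}"  # documentation range, constructed
        if gate.handle({"ip": forged}, analyst_addr) == "exploit":
            hits += 1
    return hits


if __name__ == "__main__":
    print("weak gate :", fetch_samples(VisitGate(trust_client_param=True), "192.0.2.10", 5), "of 5 served")
    print("fixed gate:", fetch_samples(VisitGate(trust_client_param=False), "192.0.2.10", 5), "of 5 served")
```

Against the weak gate every forged request is served; against the fixed gate only the first is, regardless of what the client claims. The same mistake shows up in legitimate code whenever rate limits or one-time tokens are keyed on X-Forwarded-For or a form field instead of the verified peer.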
If all this weren’t enough, the kit goes on to install a dropper that downloads either a fake antivirus or the ZeroAccess Trojan to the infected machine, according to the blog post. Further analysis of that malware is forthcoming; for Diaz’s in-depth account of counter.php and how he found the Styx kit, see his Securelist post.