Thanks to ISC readers Yin, Doug, Lorenzo, Ron, Jan and Placebo for contributing their data to the ongoing analysis of Run, Forest! (JS.Runfore) after our earlier SANS ISC diary last week.
Here's what we have so far:
Run, Forest! is pretty fickle. The group seems to be running an underground web server called Sutra TDS, and is doing a quite decent job at using this web server's features to make analysis hard. Redirection usually happens via two stages of URLs, and only takes place if the correct cookies were set by the prior stage and the correct Referer header is provided. It also looks like their web server does geo-location and responds accordingly, and it blacklists analysts who poke at it too often. If the defenses trigger, the web server responds with "This domain has been suspended for policy violations" or some wording along those lines ... and admittedly, this actually fooled us the first time (aka "Yeeha, someone else already got them"). Turns out that no .. it is just one more clever smoke grenade in the bad guys' arsenal.
If you DO get the exploits, it looks like it currently delivers a regular Blackhole Exploit Kit. The most recent exploit that we've seen included in the package so far was for CVE-2012-0507, the Java AtomicReferenceArray vulnerability that affects Java 1.6_30 and Java 1.7_2 and earlier. Bad enough, because there are still lots of unpatched Java installations out there. The other exploits in the pack seem to be for older CVE-2010-xxxx vulnerabilities, particularly in Adobe Reader. But don't count on it: the way Blackhole is built, it is quite trivial for the attackers to swap one exploit for another. That they are not using the latest sploits yet .. simply means that the oldies are still netting the bad guys enough new bots.
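Because the affected Java releases are the ones that matter most here, a quick way to inventory a fleet is to parse the banner that `java -version` prints and compare it against the two thresholds the diary states (Java 6 Update 30 and Java 7 Update 2 and earlier). The script below is an added example, not something from the diary or from SANS; it assumes the classic `1.6.0_30`-style banner for Java 6/7 and the `9.0.1`-style banner for newer releases, and treats anything older than Java 6 as affected, matching the "and earlier" in the text.

```python
"""Check whether an installed Java runtime falls in the range the diary names
as affected by CVE-2012-0507 (Java 6 Update 30 / Java 7 Update 2 and earlier).

Added example (not from the diary). It parses the version line printed by
`java -version` and compares it against those two thresholds.
"""
import re
import subprocess

# family -> last update release still affected, as stated in the diary text
VULNERABLE_THROUGH = {6: 30, 7: 2}

# Matches both  version "1.6.0_30"  and  version "11.0.2"  style banners
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, or None.

    Legacy banners look like 1.6.0_30 (family 6, update 30); Java 9 and
    later print e.g. 9.0.1, where the first number is already the family.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    family = int(minor) if major == "1" else int(major)
    return family, int(update or 0)


def vulnerable_to_cve_2012_0507(banner):
    """True if the banner's version is at or below the affected updates,
    False if it is newer, None if no version could be parsed."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family < 6:
        return True          # predates every fixed release
    if family in VULNERABLE_THROUGH:
        return update <= VULNERABLE_THROUGH[family]
    return False             # Java 8 and later postdate the fix


def installed_java_banner():
    """Run `java -version` (which prints to stderr) and return its output,
    or None if no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=20)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if banner is None:
        print("no java runtime found on PATH")
    else:
        state = vulnerable_to_cve_2012_0507(banner)
        print(banner.strip().splitlines()[0])
        print("affected by CVE-2012-0507:", state)
```

Run it on a workstation to get a one-line verdict; for a fleet, the same `vulnerable_to_cve_2012_0507()` check can be fed banners collected by whatever inventory tool you already have, since only the first line of the banner is needed.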
If the exploits that we saw were successful, the end result was usually a variant of ZBot, with low detection on VirusTotal.
If the machine is well patched and none of the exploits in the pack are feasible, it looks like the kit does some sort of geo-location, and then presents a Fake AV variant with language and design reasonably adjusted to the visitor's country, in the hope that the user will fall for it and click. So far we have had reports of this behavior from Switzerland and Germany only - if you have a full trace of such an incident from its starting runforestrun URL all the way through to the Fake AV, we'd appreciate a copy.
If you want to play on your own (be careful!), here are a couple of recent Wepawet analysis results:
How do web servers get infected with Run Forest's initial attack vector?
How to defend
Don't count on anti-virus. While Symantec was quick to detect and name JS.Runfore one week ago, they are now missing the latest versions, pretty much like every other AV vendor out there.
Here's AV detection for the Blackhole Redirect Script on VirusTotal: 4/41
Here's AV detection for the PDF Exploit on VirusTotal: 11/42
Here's AV detection for the final EXE (ZBot) on VirusTotal: 5/42
In a company or university setting, if you can get away with it, block all traffic to 18.104.22.168, which is the IP that this scam has been using for its 16-byte initial .ru URLs for the past week now. Obviously, the IP is trivially easy for the attackers to change, but you might get at least some temporary reprieve to allow the AV companies to get their act together and catch up.
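Blocking the IP is only half of it; the other half is seeing the two-stage, Referer-gated redirect chain described above in your own proxy logs, so you know which clients made it all the way to the exploit kit. The script below is an added example, not part of the diary or any ISC tooling. It assumes a simple constructed proxy log format (time, client, method, URL, status, Referer), reconstructs chains by linking each request to the earlier request named in its Referer header, starts a chain at any request whose URL contains "runforestrun" or points at the IP named above, and flags chains that either run through at least two redirection stages or end in a .jar/.pdf/.exe download. All hostnames, paths and log lines are constructed for the example.

```python
"""Reconstruct Referer-linked redirect chains from proxy logs and flag the
ones that match the two-stage TDS pattern: an initial "runforestrun" request
(or a request to the blocked IP), followed by hops that end in an exploit
payload. Added example; log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

BLOCKED_IPS = {"18.104.22.168"}           # from the blocking advice above
PAYLOAD_EXT = (".jar", ".pdf", ".exe")    # Blackhole-style payload types

# Constructed log format: time client method url status referer ("-" if none)
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$')

# Constructed sample: one client walks the whole chain, one hits the blocked
# IP only, one is unrelated traffic. None of these hosts are real IoCs.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 GET http://www.example-news.test/index.html 200 -
10:00:02 10.1.2.3 GET http://abcdefghijklmnop.ru/runforestrun?sid=example 302 http://www.example-news.test/index.html
10:00:03 10.1.2.3 GET http://stage2.example-tds.test/in.cgi?3 302 http://abcdefghijklmnop.ru/runforestrun?sid=example
10:00:04 10.1.2.3 GET http://landing.example-tds.test/main.php?page=abc 200 http://stage2.example-tds.test/in.cgi?3
10:00:05 10.1.2.3 GET http://landing.example-tds.test/exploit.jar 200 http://landing.example-tds.test/main.php?page=abc
10:00:06 10.1.2.3 GET http://landing.example-tds.test/doc.pdf 200 http://landing.example-tds.test/main.php?page=abc
10:00:10 10.1.2.4 GET http://www.example-shop.test/cart 200 -
10:00:20 10.1.2.5 GET http://18.104.22.168/runforestrun?sid=example 200 http://www.example-blog.test/
"""


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, referer = m.groups()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "status": int(status),
                        "referer": None if referer == "-" else referer})
    return records


def is_entry_point(url):
    """A chain starts at a runforestrun URL or at the blocked IP."""
    return "runforestrun" in url.lower() or urlparse(url).hostname in BLOCKED_IPS


def is_payload(url):
    return urlparse(url).path.lower().endswith(PAYLOAD_EXT)


def build_chains(records):
    """For each client, follow Referer links forward from every entry point."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for client, reqs in by_client.items():
        # children[url] = URLs that were requested with url as their Referer
        children = defaultdict(list)
        for r in reqs:
            if r["referer"]:
                children[r["referer"]].append(r["url"])
        for r in reqs:
            if not is_entry_point(r["url"]):
                continue
            chain, queue, seen = [], [r["url"]], set()
            while queue:                      # breadth-first walk of the hops
                url = queue.pop(0)
                if url in seen:
                    continue
                seen.add(url)
                chain.append(url)
                queue.extend(children.get(url, []))
            chains.append({"client": client, "chain": chain,
                           "payloads": [u for u in chain if is_payload(u)]})
    return chains


def analyze(text):
    """Chains worth an analyst's time: a payload was fetched, or the client
    passed through at least two redirection stages after the entry point."""
    return [c for c in build_chains(parse_log(text))
            if c["payloads"] or len(c["chain"]) >= 3]


def blocked_ip_hits(records):
    """Requests that went straight to the blocked IP, chain or not."""
    return [r["url"] for r in records if urlparse(r["url"]).hostname in BLOCKED_IPS]


if __name__ == "__main__":
    for c in analyze(SAMPLE_LOG):
        print(c["client"], "->", " -> ".join(c["chain"]))
        print("  payloads:", c["payloads"])
    print("blocked-IP hits:", blocked_ip_hits(parse_log(SAMPLE_LOG)))
```

The Referer linking is the important part: the TDS only hands out the next hop when the expected Referer is present, so a client that reached the landing page necessarily carried the earlier stage's URL in that header, and the chain can be stitched back together from the log alone. A client that appears in `blocked_ip_hits()` but not in `analyze()` was cut off early, which is exactly what the IP block is meant to achieve.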
Your best defense, as usual, is to keep all your software fully up to date, and to make sure all your computer users are educated not to click on scams .. especially not on scams that pop up unexpectedly after visiting a completely unrelated web page.
Let me rephrase that: Your best defense is to go off grid completely, and start growing your own potatoes and cabbage in some remote rural corner of Wisconsin or Idaho. But things are not quite that dire yet :).
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.