Information Security from the Trenches

In my previous post, we saw that someone is apparently injecting Monero-harvesting code into what appear to be compromised websites. One method was to inject an invisible frame with a page that contained a script calling https://coin-hive.com/lib/coinhive.min.js, which is the Coinhive javascript Monero miner. Another method, present on the same page (presumably in case the browser used didn't support frames) was to directly call a javascript file from a different site. The contents of this javascript file is an array of numbers, followed by a loop. This code extracts ASCII codes from the string of numbers, revealing obfuscated HTML. The result calls the same Coinhive miner, but also another script that appears to create a bunch of ads. I'll run that on a victim machine and post the output later. In the meantime, both methods used the same Coinhive script with the same unique site ID. This ID is to identify what account gets credited with the site owner's share of

While looking closer at the Showtime embedded cryptocurrency miner mini-scandal, I wondered how many other pages had Coinhive embedded. After a quick Google search, I found several sites that seemed to have the crytocurrency mining code embedded, apparently without the page owners' knowledge, based on the content of the page. The code was embedded within an invisible iframe (a red flag) and the intermediate site that redirected to Coinhive has a history of malware activity. Interestingly, the frame was not always present, forcing a visit to Google's cache: Presumably compromised site: Injected frame: recaptcha-in.pw source code, in its entirety: We see the call to the Coinhive javascript file (coinhive.min.js). A quick search for the script shows expected results for cryptocurrency mining sites, but also a selection of possibly compromised sites: enrollsa.com/locations eduedgepro.com newmarketcomputerservices.com/slide-page/company/ sugar-packed.com arifpu

You know, all the online analysis I've seen of malware samples is very in-depth and quite good, but it's all assuming a level of expertise with application security and reverse engineering that I just don't have. I need something focused on network intrusion analysis, but usually that's just a subset of the RE. So, I've decided to start my own analyses, which I will store here for now. I'll start with an interesting series of events that led my analysts in the SOC (where I am shift supervisor) to write a number of tickets for malware remediation. On 10/16/2014 15:52:35 PDT, our firewall showed some Tor traffic from internal hosts, so I filtered for that and found about a dozen internal hosts that were being flagged for it. The Palo Alto firewall was using its deep packing inspection capability to classify the traffic according to its Applipedia database. The most active host was sending traffic to 81.7.14.246, so I searched for that and found the Malwr sample

Testing out a new way to post to Twitter...via email. Twitter's website will be blocked in Afghanistan from government computers, and I won't have my cell phone.