Friday, Feb 22, 2008

Soccer Fans Kicked by Keylogger, Man-in-the-Middle Attack

Onlinegooner.com is a popular Arsenal football (soccer) fansite that has been serving up Arsenal news for over a decade. On February 18th, ScanSafe OI began blocking malicious activity emanating from the TLD for the site. Upon further investigation, STAT discovered the site had been the victim of a code injection compromise.

Visitors to the site are subjected to exploits which lead to the initial download of malware from 61.19.246.58 (hosted in Thailand). That malware then attempts to download additional malicious files from 202.83.212.250 (hosted in Hong Kong) and 89.107.104.30 (hosted in Moscow, Russia).

Installed malware includes a kernel-mode rootkit, keylogger, backdoor, and a DNS client used for ARP poisoning and DNS spoofing (Man-in-the-Middle attacks). Capabilities of the DNS client include intercepting, interpreting and rerouting of MX (email), NS (specifies authoritative nameservers), A (resolves hostnames to IP address), CNAME (resolves multiple hostnames to a single IP), and PTR (reverse lookups).
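As an added illustration (not code from the original post or from ScanSafe), the following Python parses the answer section of a DNS response, decodes the record types the text lists (A, NS, CNAME, MX, PTR), and flags any answer that disagrees with a trusted baseline, which is the kind of check a resolver monitor can use to spot DNS spoofing on a LAN. The sample response, the baseline values and the names in it are constructed for this example.

```python
import struct
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX"}  # the types the DNS client rewrites

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                         # root label terminates the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += n + 1

def parse_answers(msg):
    """Return [(rtype, owner, value)] for every record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                      # skip the question section (name + qtype + qclass)
        off = read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        value = msg[off:off + rdlen].hex()   # raw hex for types we do not decode
        if rtype == 1:                       # A: four address octets
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5, 12):            # NS, CNAME, PTR: a single name
            value = read_name(msg, off)[0]
        elif rtype == 15:                    # MX: 2-byte preference, then a name
            value = read_name(msg, off + 2)[0]
        out.append((RR_TYPES.get(rtype, str(rtype)), owner, value))
        off += rdlen
    return out

def spoofed(msg, baseline):
    # Answers whose value is not in the trusted baseline for that (rtype, owner)
    return [a for a in parse_answers(msg) if a[2] not in baseline.get((a[0], a[1]), ())]

def _name(s):                                # wire-format name, used only to build the sample
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed sample response for example.test: the MX answer matches the baseline, the A
# answer has been redirected to 203.0.113.9, which is what a spoofing DNS client would produce.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
          + _name("example.test") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 9])
          + b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 60, 2 + len(_name("mail.example.test")))
          + struct.pack("!H", 10) + _name("mail.example.test"))
BASELINE = {("A", "example.test"): {"192.0.2.10"}, ("MX", "example.test"): {"mail.example.test"}}
```

In practice the baseline would be filled from answers obtained over a trusted path (for example DNS over TLS to a known resolver), and a mismatch on a LAN-resolved answer is the signal to investigate.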

Detection among traditional antivirus vendors is extremely low, with only 8/31 scanners detecting the initially downloaded malware and 4/31 detecting the maliciously installed DNS client used in the man-in-the-middle attacks. The attack itself is silent, so visitors to the site who have been impacted are unlikely to be aware that some fairly severe malware has just been foisted onto their system.

The following files are dropped to the respective locations:

%userprofile%\Local Settings\Tempmbroit.exe (9,860 bytes)
%programfiles%\Common Files\System\DNSclient.dll (9,860 bytes)
%systemroot%\system32\CcEvtSvc.exe (87,861 bytes)
%systemroot%\system32\lich.dat
%homedrive%\lich.exe (34 KB)
%homedrive%\lich.sys (8 KB)

The following services are installed/started:

AsyncMac\Enum
CcEvtSvc
CcEvtSvc\Enum
CcEvtSvc\Security
ZZZdrv_lich
ZZZdrv_lich\Security
ZZZsvc_lich
ZZZsvc_lich\Security

Since the malware employs a rootkit, some of these files and system modifications will be hidden from view. Additionally, once seated on the computer, the malware has complete control over the system and over all traffic on the local network, router, or gateway, even in an otherwise non-networked environment: for example, traffic generated by computers sharing the same router would also be impacted even if the systems were not otherwise part of a network. Other evidence suggests a local attack on the router might be possible, resetting the attacked router to bypass security restrictions and allow remote web access to the management console. This behavior may occur even if the default router password has been changed.

ScanSafe OI zero-day threat prevention has been protecting customers from this attack from the outset. Investigation is ongoing.

Reader Comments (1)

Thank you for sharing useful information...

May 12, 2010 | Unregistered Commenter: motorcycle
