ITsecurity
twitter facebook rss

Magnitude – an exploit kit par excellence

Posted by on August 11, 2014.

Trustwave has had sight of the inner workings and underlying infrastructure of the Magnitude exploit kit – the coming EK that is rapidly filling the gap left by Blackhole. As Blackhole declines following the arrest of its developer, Paunch, so Magnitude is increasing in popularity. Although not brand new, detailed knowledge has hitherto been sparse: its developer/s have learnt from the mistakes of its predecessors.

Now, however, Trustwave has located eight Magnitude servers: three in the UK, four in the Netherlands and one in Ukraine. (There is probably no significance in the geographic location of the servers – ‘western’ locations are often used because they generate fewer red flags to internet monitors.) This discovery gives the security industry its first detailed view of the new Crown Prince of EK: its working, its infrastructure and its performance. All three are surprisingly businesslike and efficient.

The business model, for example, is new. Traditionally, exploit kits have been sold or hired out for a monetary fee. Magnitude is not. Rather than taking a fee and potentially exposing himself to law enforcement following the money chain and his customer’s mistakes, the Magnitude author simply takes a percentage of the traffic generated by his customers, and exploits them himself. His own malware of choice is primarily the ransomware known as CryptoWall; and it has proved remarkably successful for him.

This model may not sound very profitable for the Magnitude author but in reality it is. For example, over the course of a few weeks the author distributed Cryptowall Defense, a well-known Ransomware to these victim’s computers. This malware encrypts files and forces the user to pay the attacker a decent price, normally around $500 USD, for decrypting them. Users had to pay in Bitcoins to a virtual wallet that was specified in the malware. We found that in a single week BitCoins worth of $60,000 USD were deposited to the cybercriminal’s wallet, making this model more profitable than the traditional rental business. In addition it makes it easier for new customers to start working with him, since they don’t need to pay money up-front in order to use the system and instead just “donate” part of their own traffic.
A Peek Into the Lion’s Den – The Magnitude [aka PopAds] Exploit Kit

The process is complex. His customers are responsible for the campaigns that drive traffic to the exploit kit infrastructure (80% to be potentially exploited for the customer, and 20% for himself). Becoming a customer is not easy – you cannot just go to a hidden location on the internet and sign up. The model is built on trust – you need to be recommended by someone who knows someone who is trusted by Magnitude.

Ziv Mador, director of security research, Trustwave: finder of Magnitude

Ziv Mador, director of security research, Trustwave

But once in, you have use of a remarkably sophisticated and successful kit, without having to pay an up-front fee.

“Their infrastructure is very well coded,” Trustwave’s director of security research, Ziv Mador, told me. “The administration panel they provide to the campaign managers is advanced, providing many useful statistics for the criminal user. They also use many evasion techniques to avoid detection.”

It is also surprisingly effective. “On average it managed to infect 40% of the computers that visited its landing pages,” he continued. “That’s an impressive exploit rate. So that means it provides a very good return on investment.”

These figures are not some projection based on monitoring and tracking internet traffic, but directly from the internal statistics provided by Magnitude. But the ROI for the criminal gets better. Bear in mind that the infrastructure will likely be supporting several different malware campaigns from different criminal gangs at any time. Each gang will have its own malware of choice to deliver to the successfully exploited traffic.

“Once Magnitude manages to infect a machine,” explained Ziv, “Magnitude will frequently infect it with additional malware being used by the other campaigns. Let’s say that there are three gangs that would like to distribute malware using magnitude. Each gang redirects traffic to the landing pages of the exploit kit. Once Magnitude succeeds with an exploit, it will install malware from all three gangs.” This increases the exploit rate for each ‘customer’. Indeed, mathematically it becomes possible for a gang to achieve an exploit rate in excess of 100% of the traffic it redirects to Magnitude.

The Magnitude ‘landing page’ for the campaign traffic redirects is regularly changed. Even this provides a service to Magnitude’s customers with its current detection status provided by check4you, the criminal’s alternative to VirusTotal. This shows what, if any, security services detect and therefore blacklist the URL.

The Magnitude landing page check4you analysis

The Magnitude landing page check4you analysis

I asked Ziv if he knows who is the author behind Magnitude, but he would not be drawn beyond saying, “We believe he is Russian.” I asked if law enforcement is now targeting Magnitude (think Gameover Zeus and Shylock and other targeted actions) but he would not be drawn beyond saying, “We are cooperating with law enforcement.”

There can be little doubt that the emerging market leader in exploit kits will be high on the FBI/NCA hit list. The question is, can they get it? History shows that ‘taking down’ a botnet usually means nothing more than temporarily disrupting it. The most successful recent malware takedown has been of the Blackhole exploit kit – but that included the arrest of its author, Paunch.

Magnitude’s author is more careful.

The author has definitely learned from the mistakes of other exploit kit authors. The Magnitude exploit kit has been operating for more than a year in the shadows with no information on how it works behind the scenes.
Magnitude Exploit Kit Backend Infrastructure Insight – Part I

One of its defensive features is the long list of geographical locations that are blacklisted by the EK. Magnitude simply blocks any traffic sent to its landing page from any of these locations:

A1 A2 O1 SU RU UA BY UZ KZ GE AZ LT MD LV KG TJ AM TM JP JA CN TH VN ID MY TZ PH RO SG TT YE LK PK SA BG UY RS OM IQ KW DO SV TN KE EU NP BD MN SK CR JO LU BB MU NI AP BS MQ NG CY BO AO PY MK GU BH SI NA LB BA BN GD LA BZ PG ZM SY LY SD HT MO PS UG GF RE AF SN LR NC KH GP BW HN AW PF CW VI IS KN AG BM GY DM MT BT MZ EE GL CI MG MV MC GA CD LI GQ ZW CM SR JE DJ CV SZ ME FJ LC KY GH SB VU ET RW MW ER LS EG AE TW ZA

Trustwave believes that there are two reasons for this blacklist: firstly because many of these countries have extradition treaties with Russia (and the author wishes to avoid breaking the law in those countries); and secondly because the others provide a low RoI on malware infections (and the author wishes to increase the ‘take’ on his 20% traffic commission).

Nevertheless, we can expect western law enforcement to be looking for some way to reduce the effectiveness of Magnitude. This will not be easy. Exploit kits are not like botnets – taking down the C&C servers will just make Magnitude move to new landing pages. And it seems that in blocking countries with close ties to Russia, the author is well aware of his legal threats. Provided he breaks no laws in these countries – and if he is Russian, especially Russia – he will not be extradited to the US or any other country that might seek to arrest him.

Taking down Magnitude will involve identifying the author, and then tracking his geographical location in the hope that he can be apprehended and arrested in a country with good relations with the US. From what we see in the code, he is unlikely to be in any hurry to visit those countries.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: News, News_malware | Tags: , , , ,