NFL Draft and the Cyber Kill Chain

Tomorrow, the unofficial start of the pro football season kicks off with ESPN’s broadcast of the 2014 NFL Draft. As in the past, hundreds of thousands of people will follow the drama via the Internet. Unfortunately, a vulnerability contained on the website of one NFL franchise may leave that team’s fans blindsided by hackers.

This team’s website includes a Cross Site Scripting (XSS) vulnerability, one that’s used as part of a nearly fool-proof cyber scam.

In these scams, attackers use emails about upcoming events as bait, e.g. “Find out who ‘Team X’ will take #1 in the draft…” These emails contain links directly to the team’s website. Each link is formatted correctly and looks 100% legitimate. Clicking the link executes a browser injection that lets the hacker display a pop-up window on top of the legitimate destination page. Pop-ups can display offers such as discount ticket promotions, new merchandise, etc. All information entered in a pop-up ends up in attackers’ hands.

While significant, the damage in such an attack — to the team’s on-line reputation and the victim’s credit profile — is still manageable. However, as 6Scan Co-founder Nitzan Miron points out, bigger issues are at stake.

“This is not a catastrophic vulnerability in terms of network or database access, but it is a critical link in the cyber kill chain,” Nitzan said. XSS can also be used to phish employees’ credentials, giving attackers direct access to a company’s network. Once inside a network, attackers can leverage advanced threats that are difficult to detect.

“Hacked websites have evolved into the number one attack platform. They are involved in 85% of attacks and have become a critical early link in the cyber kill chain,” Nitzan explained.

XSS scripting – which can only be found by a website or application scan – is one of the top 5 vulnerabilities 6Scan detects. Because such attacks take place at the browser level, website administrators never know they’re happening. This is just one of the threats that drive us to deliver automated scanning and remediation services that any business can deploy regardless of size or security expertise.

Stay Safe.


6Scan Quarantine Technology Defeats Dynamic DNS Watering Hole Attack

At 6Scan we are obsessed with simplifying security. After we figured out how to automatically detect and repair website vulnerabilities we set about doing the same for web-based malware. As 85% of all malicious web-based links are hosted on legitimate sites that have been hacked, solving this challenge would provide an unprecedented level of protection for our community.

We decided that quarantining the code, just as an anti-virus product does with malware on a desktop computer, was the best way to immediately protect the website and customers against malicious re-directs and drive-by downloads. But as we developed this approach we also discovered a powerful benefit: by quarantining the code we could quickly reverse engineer its behavior. This allows us to identify its infection techniques and how it communicates with command and control (C&C) servers. We tested these capabilities during our beta deployment, and were able not only to secure a hacked retail website, but to analyze the activity of its infection.


The customer in this case is a popular online furniture website. They had received sporadic indications of anomalous behavior on their site but were unable to identify any malicious code. They had never been blacklisted by any search engines or browsers, and in fact they had active Google AdWords campaigns running. Despite the continued functioning of their website, they had been infected for the previous 5 months.

After our website scan detected the malware, our agent pinpointed the infection and quarantined the malicious code automatically. This immediate action secured the website and its visitors. Then we analyzed the attack and that’s where it got interesting.

Following Commands

Through log analysis we could see the malware contained a calling script that collects information about each visitor to the website and then sends that information to a C&C server.  The C&C server evaluated the information (user agent, referrer and IP) and directed malware either to launch or not to launch the exploit code. It launched the code only if it was a new visiting IP and the user agent (browser) was Opera or IE 11 or earlier. Browser selection is a common technique to decrease the probability of detection. Considering the site had been infected for 5 months prior to our detection, it turned out to be a highly effective strategy on the part of the hackers.

Hiding in PNG Site

The calling script (the mechanism by which the malicious code on the website communicated with the C&C server) was an encoded PHP function that was embedded in a PNG image on the website. It looked like this:

If the C&C server sent back exploit code it appeared as an obfuscated JavaScriptsnippet that created an iframe to another domain.The novelty in this approach was that the domains were generated dynamically and immediately deactivated after a single use—effectively hiding the hacker’s tracks.  All the domains were available via a free dynamic DNS service.

Here’s a snippet of a decoded PHP code:

So, how was the PHP code extracted from the image data and run?

The following is the malware injection code that ran in the nav menu file. The nav file loaded for every page making this an efficient tactic.

What happens here is that the path to the image file is encoded in the first array (we’ve removed the prefix to keep our client confidential), and then the code is read from the PNG file (which is all chars after the cls::: prefix). The next step is evаl(bаse64_decode which is run to decode the information from the image file, and then the $view, which is where preg_replace is run. As is widely known by PHP coders, running preg_replace with /e flag is effectively equivalent to running the eval() function. The afflicted webserver has been tricked into serving up malicious code to its customers. Because of clever obfuscation the mechanism of the attack is not apparent—at least not until 6Scan quarantined it and analyzed its function.

The Damage Done

Once the obfuscated JavaScript has been loaded onto the site it then probes each visiting browser for vulnerabilities. When a vulnerable application is detected, the C&C server dynamically loads up to 4 exploits which can be used to further compromise the visiting browser as well as the device running it.

Though the obfuscation was rather tough, we managed to decode it to see what exploits are loaded. They included 2 Java exploits, a Flash exploit and an interesting Silverlight exploit All of the exploits give the attacker the ability to execute arbitrary code on the victim’s computer.

6Scan Customers Benefit

Our innovative approach to detecting, quarantining, and analyzing malicious code—all in real time—brings benefits to every 6Scan customer. Our automated service puts this power in the hands of even the smallest business and our threat analysis shows how hackers work and enables us to stay one step ahead of the next attack.