Jiri Sejtko Avast Software
Miloslav Korenko Avast Software
Gumblar was one of the biggest website infections ever uncovered. In a very short time it infected thousands of domains all over the world and built a huge platform for its successor, named Kroxxu - a self-producing network using more than 76,000 hacked domains. The Kroxxu malware came to our attention mainly due to the way it spreads, which is fully dependent on compromised websites. Both the redirection and distribution parts of the Kroxxu malware are hosted on hacked domains. This is the main feature that differentiates it from other infection vectors where compromised domains are only used to redirect victims to the malware distribution servers. We refer to this method as indirect-cross-infection.
The perpetuation of Kroxxu is fully dependent on stolen web space and passwords. Stolen FTP credentials are used to grow the network and to build an army of zombie domains that can then be sold to other parties. Every domain affected by the Kroxxu network contains PHP backdoor functionality that allows easy command and control.
In this paper, we describe the current state of the Kroxxu network, its functionality and its features, starting with the exploits used to infiltrate victims' computers, going through the password stealers and finally ending with the PHP server side, where we focus on the way the servers are operated and protected. We also draw out the consequences of indirect-cross-infection for URL blocking engines. The report includes a summary of statistical data obtained from our community IQ, through which we are able to accurately monitor malware distribution over the Internet.