Remedying Angler infections in Switzerland

Author: Serge Droz

In recent weeks the Angler exploit kit has become the dominating tool for DriveBy attacks. Cleaning Angler compromised web servers is a challenge which has been well mastered in Switzerland, thanks to the close collaboration of Swiss hosters and SWITCH.

The culprit

On Sunday July 5 an the Italian ‘offensive security’ firm HACKING TEAM got hacked and all its files were made public. This included a couple of zero day exploits. Only two days later one of these was already used in the wild by the notorious Angler exploit kit. This is not surprising: Angler today is the most sophisticated exploit kit. Since its inception in 2013 it sported several new innovations which are today uses by others. According to a Sophos blog Angler’s “market share” rose from about 22% last fall to more than 80% this spring.

The payload

Angler used to distribute a variety of different malwares, from ransom-ware to banking trojans. However it seems with the rapid growth of the kit it also focused on distributing mostly Cryptowall 3.0. This malware encrypts all the files on an infected system and demands a hefty ransom of several hundreds of Euros to unlock them. Many people claim to not have “anything important” on their PCs to then discover that all their family pictures of the past ten years are gone. An it’s not looking better for businesses that lose all their data, including their backups on USB disks.

Cleaning Infections in Switzerland

SWITCH has been cleaning up misused domains since several years now through its Safer Internet campaign. We have processed thousands of domains and thus protected visitors of Swiss websites from the evil of exploit kits, such as Angler. Infection rates of Swiss websites have indeed gone down over the past month, or so we believed. On the 22. July 2015 however, the good folks from the National Cyber Security Centre Finland (NCSC-FI) and abuse.ch have managed to make a small dent into Angles infrastructure. A total of over 200’000 compromised URLs worldwide were reported that are misused by Angular.

Angler Distribution — Distribution of web servers, which are misused by the Angler exploit-kit.

Of these 166 where in the .ch and .li top level domain and thus could be entered into our program. We reported these URLs to the respective domain owners as well as the hoster we have contacts to. Checking on the 23. July over 90% of these domains have been cleaned up and a handful have been added. As of the 24. July 2015 only a few sites remain infected.

This means that Swiss hosters are doing an excellent job. Cleaning a web page is not simple. It’s not enough to just remove the the offending code from that page itself. It’s known that the Angler crew installs several back doors, all of which have to be found and removed. These back doors often are webshells, which give full control over the entire web space of the server. The respective php files are obfuscated and not easily recognizable.

The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.

Some of the hoster report information back to us for which we are very grateful. This information can then be used to make the analysis better and discover new attack patterns quickly.

Conclusion

The close collaboration and exchange of information between all the stakeholders allows for a very rapid reaction to threats. Cleaning these web pages needs substantial resources by the hosters and also SWITCH. But it’s well invested: Taking down these pages quickly protects visitors from being infected by Cryptowall and saves their valuable data, be this treasured personal files or critical business information.