Run, Forest! (Update)

Published: 2012-06-26
Last Updated: 2012-06-26 22:50:07 UTC
by Daniel Wesemann (Version: 2)
4 comment(s)


Thanks to ISC readers Yin, Doug, Lorenzo, Ron, Jan and Placebo for contributing their data to the ongoing analysis of "Run, Forest!" (JS.Runfore) after our earlier SANS ISC diary last week.  

Here's what we have so far:

  • Run, Forest is pretty fickle. They seem to be running an underground web server called "Sutra TDS", and are doing a quite decent job at using this web server's "features" to make analysis hard. Redirection usually happens via two stages of URLs, and only takes place if the correct cookies were set by the prior stage, and the correct referer is provided. It also looks like their web server does geo-location and responds accordingly, and it also black-lists too nosy analysts. If the defenses trigger, the web server responds with "This domain has been suspended for policy violations" or some wording along those lines ... and admittedly, this actually fooled us the first time (aka "Yeeha, someone else already got them"). Turns out that no .. it is just one more clever smoke grenade in the bad guys' arsenal.
  • If you DO get the exploits, it looks like it currently delivers a regular Blackhole Exploit Kit. The most recent exploit that we've seen included in the package so far was for CVE2012-0507, the Java AtomicReferenceArray vulnerability that affects Java 1.6_30 and Java 1.7_2 and earlier. Bad enough, because there are still lots of unpatched Java installations out there. The other exploits in the pack seem to be for older CVE2010-xxxx vulnerabilities, particularly in Adobe Reader. But don't count on it, the way Blackhole is built, it is quite trivial for the attackers to swap out one exploit against another. That they are not using the latest sploits yet .. simply means that the oldies are still netting the bad guys enough new bots.
  • If the exploits that we saw were successful, the end result was usually a variant of ZBot, with low detection on Virustotal.
  • If the machine is well patched and none of the exploits in the pack are feasible, it looks like the kit does some sort of geo location, and then presents a reasonably language and design adjusted variant of Fake AV, in the hope that the user will fall for it and click. We so far had reports of this behavior from Switzerland and Germany only - if you have a full trace of such an incident from its starting "runforestrun" URL all the way through to the Fake AV, we'd appreciate a copy.
  • If you want to play on your own (be careful!), here's a couple recent Wepawet analysis results


How do web servers get infected with Run Forest's initial attack vector?

Good question. All we have so far is that existing JavaScript (.js) files apparently were amended with the obfuscated Blackhole redirect code. Symantec's early analysis suggests that Run Forest comes with a file infector that looks for and changes .JS files.  The sites from where we received infected files didn't have much in common, and also didn't have (sigh!) any useful logs that would have allowed tracking back to the source of infection. If you have additional details, please share!

How to defend

Don't count on anti-virus. While Symantec was quick to detect and name JS.Runfore one week ago, they are now missing the latest versions, pretty much like every other AV Vendor out there.

Here's AV detection for the Blackhole Redirect Script on Virustotal: 4/41
Here's AV detection for the PDF Exploit on Virustotal: 11/42
Here's AV detection for the final EXE (ZBot): 5/42

In a company or university setting, if you can get away with it, block all traffic to, which is the IP that has been used by this scam for their 16-byte initial ".ru" URLs for the past week now. Obviously, the IP is trivially easy to change for the attackers, but you might get at least some temporary reprieve to allow the AV companies to get their act together, and catch up.

Your best defense, as usual, is to keep all your software fully up to date, and to make sure all your computer users are educated not to click on scams .. especially not on scams that pop up unexpectedly after visiting a completely unrelated web page.

Let me rephrase that: Your best defense is to go off grid completely, and start growing your own potatoes and cabbage in some remote rural corner of Wisconsin or Idaho. But things are not quite that dire yet :).



Information submitted to us by readers suggests that the web servers currently spreading "Run Forest" have been broken into via the PLESK SQL injection vulnerability. Some users of Plesk who found "Run Forest" in JavaScript files on their systems report finding in their Plesk logs successful logins to different user accounts, but originating from the same IP address. Chances are that the bad guys used the Plesk SQL Injection Vulnerability a while ago to obtain the usernames and passwords of Plesk users, and now in the past week have been making use of this bounty to log in and drop the "Run Forest" malcode.  If you are using Plesk, by all means follow the recommendation in the advisory (linked above) and reset/change the passwords of ALL your Plesk users. If the bad guys were able to harvest the passwords via SQL Injection, one single unchanged password is sufficient for them to get back into your server.


Keywords: blocklist malware
4 comment(s)


Sigh... PLESK...

Looks like Forest relocated. The 16-char URL's now resolve to
Yep, new ip is (btw the amount of (distinct) compromised websites is scary)
resolving to new ip:

Diary Archives