The Chinese CK Exploit Kit was initially deployed in April 2012. Exploit code generated from the CK Kit was identified by file, variable and function names based on the strings CK and CKWM. The web site CKWM.NET is affiliated with the CK Exploit Kit; its name is probably an abbreviation of CK Wǎng mǎ (CK网马), which translates to CK Network Trojan. The CK Kit is a descendant of the Net Boom NB Exploiter Kit produced from late 2010 through late 2011, and the registrant of CKWM.NET is the same as the registrant of 1874.CC, the site that distributed the Net Boom Kits. The CKWM.NET site is built on a popular Chinese forum software package and incorporates a publicly available plug-in that allows administrators to sell VIP memberships with special privileges to forum users. CKWM.NET includes a page that lists the site's VIP members, and the VIP member user names match cookies left by the CK Exploit Kit. I believe that each VIP user listed on the CKWM.NET page represents a botnet, and I suspect that the entire site provides a covert means to rent botnets originally harvested by the CK Exploit Kit.
Since 2007, major Chinese Exploit Kits have shared two attributes: explicit use of the product name in the exploit code, and use of sales and support web sites to overtly market the kits. From 2007 through 2010, exploits from the Anhey Kit included numerous references to AHWM and CUTEQQ. AHWM was an abbreviation for Anhey Wang Ma (Network Trojan), and CUTEQQ was a reference to the Anhey marketing site, CuteQQ.cn. From 2010 through 2011, code from the Silver Fox Exploit Kit included references to SVFOXWM, SFWM and SVFOX.NET. SVFOXWM and SFWM were abbreviations for Silver Fox Wang Ma, and SVFOX.NET was the domain name of the site that marketed and supported the Silver Fox Exploit Kit. From 2011 through 2012, code from the Net Boom NB Exploiter Kit included references to NBWM and 1874.cc. NBWM was an abbreviation for Net Boom Wang Ma, and 1874.cc was the web site used to market and service the Net Boom Kit. Currently, the CK Exploit Kit code uses references to CKWM and is linked to the CKWM.NET site.
My 14 April 2013 post titled "The CK Exploit Kit – Net Boom's Metamorphosis" argued that the CK Exploit Kit replaced the Net Boom Exploit Kit in early 2012. That analysis identified several consistencies in the exploit code used by the two kits, but it did not discuss the links between the web sites supporting the two kits, which are the subject of this post. Specifically, the two sites share exactly the same domain registration information, as shown below.
The creation dates of the two web sites correspond with the first release of Net Boom in November 2010 and the first appearance of CK in April 2012, when the migration from Net Boom to CK took place. The 1874.CC site had the appearance of a legitimate software vendor but made no attempt to hide the malicious purpose of its products. The password protected CKWM.NET site, by contrast, made no explicit references to exploit kit sales or service. A screen shot of 1874.CC is presented below.
Unlike 1874.CC, the CKWM.NET site shown below has the appearance of a generic internet forum.
CKWM.NET is powered by version 8.5 of PHPWind, a popular forum application in China. The background image featuring clouds, grass and flower petals blowing in the wind may be a default background image for the PHPWind application. The CK EXPLOIT logo in the upper left corner of the page, by contrast, comes from a separate image file that is unique to the CKWM.NET site. The unique logo from the site is shown below.
The use of the word "exploit" is consistent with the hypothesis that the site is distributing malware. The green shield featured in the image resembles the icons used by many anti-virus and network security vendors. Most vendors, however, combine a check mark with the green shield and use a yellow or red shield with an exclamation point. The green shield with the check mark indicates that a file or internet resource is safe, while the yellow or red shield with an exclamation point indicates that a file or internet resource may be harmful. So, what would a green shield with an exclamation point indicate? Perhaps it signifies a file or resource that is harmful but not detected by anti-virus products.
The site includes a VIP membership page that provides much stronger evidence of malicious activity. The VIP page is created using the publicly available PHPWind VIP Member Center (VIP会员) plug-in. The screen shot below shows a VIP member page from CKWM.NET.
The VIP Member Center plug-in allows the site administrator to collect fees from forum users in exchange for special privileges. Some of the paying VIP members listed on the CKWM.NET page include ADMIN, JURANALEN, JTAHEATEH, XIAOYU, KYDOWN, SAYRYWN, 306953568, DADAYE, XIAOHUA and XNJ. Who are these people? An intuitive hypothesis is that these user names represent a community of users sharing a common interest such as online gaming or computer security. An alternative hypothesis is that the VIP member names do not represent actual people at all but are instead names given to botnets harvested using CK Exploit Kit attack code. Evidence supporting this hypothesis is explored below.
One feature of the CK Exploit Kit was the inclusion of variations of the comment string /*CK VIP*/ in the code's function calls to an open source JavaScript packer. This code is described in my 22 May 2013 post. I believe these comments are references to the CK VIP Member page found on CKWM.NET. The index page for each CK web exploit uses a distinctive cookie created by concatenating the string CK with a VIP user name listed on the CKWM.NET VIP Member page. For example, the VIP member user name JURANALEN is present in the cookie string CKJURANALEN. The following five images show examples of the relationship between the VIP user names and the cookies used in CK exploit code for CKADMIN, CKJURANALEN, CKJTAHEATEH, KYDOWN and CKXIAOHUA.
The site includes another VIP page that is password protected. It is likely that the VIP page used in this analysis is out of date: the latest VIP member starting date on the page is 17 July 2012, and more recent CK VIP cookies were probably added after July 2012. The CK exploit kit cookie CKTTCYWAXX, for example, was first seen in October 2012 and continued to be used until at least April 2013.
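The cookie-to-VIP-name relationship described above, and the stale-VIP-page caveat that follows it, lend themselves to a small correlation check. The script below is an added example written for this post, not code from the CK kit or from the CKWM.NET site. It assumes only what the post states: that the exploit index page sets a cookie named "CK" followed by a VIP user name, and that a comment of the form /*CK VIP*/ (with spacing and case variations) appears near the packer call. The two JavaScript snippets inside it are constructed to illustrate those patterns; they are not captured exploit code, and the exact form of the cookie assignment is an assumption.

```python
import re

# VIP user names as they appear on the CKWM.NET VIP Member page discussed in the post.
# The page is known to be stale (last start date 17 July 2012), so newer cookies will
# not match this list; the code reports them separately rather than discarding them.
VIP_MEMBERS = {"ADMIN", "JURANALEN", "JTAHEATEH", "XIAOYU", "KYDOWN", "SAYRYWN",
               "306953568", "DADAYE", "XIAOHUA", "XNJ"}

COOKIE_PREFIX = "CK"

# A cookie name in a string literal, followed by '=': "CKJURANALEN=" or "CKTTCYWAXX=1;expires=".
# The literal-quote anchor avoids matching arbitrary identifiers in the page.
COOKIE_RE = re.compile(r'["\'](CK[A-Z0-9]{3,})=')

# Variations of the /*CK VIP*/ comment: optional whitespace, any case.
VIP_COMMENT_RE = re.compile(r'/\*\s*CK\s*VIP\s*\*/', re.IGNORECASE)

# Constructed sample A: cookie for a listed VIP member plus the packer-call comment.
SAMPLE_A = r'''
<script>
if (document.cookie.indexOf("CKJURANALEN=") == -1) {
  var d = new Date(); d.setTime(d.getTime() + 24*60*60*1000);
  document.cookie = "CKJURANALEN=1;expires=" + d.toGMTString() + ";path=/";
  /*CK VIP*/ eval(function(p,a,c,k,e,d){return p}("",0,0,"".split("|"),0,{}));
}
</script>
'''

# Constructed sample B: a CK-prefixed cookie that is NOT on the (stale) VIP page,
# with a spacing/case variant of the comment.
SAMPLE_B = r'''
<script>
document.cookie = 'CKTTCYWAXX=1;path=/';
/* ck vip */ eval(function(p,a,c,k,e,d){return p}("",0,0,"".split("|"),0,{}));
</script>
'''


def extract_ck_cookies(js):
    """Return the set of CK-prefixed cookie names referenced in a page."""
    return set(COOKIE_RE.findall(js))


def correlate(js, vip_members=VIP_MEMBERS):
    """Split CK cookies into those matching a listed VIP name and those that do not."""
    cookies = extract_ck_cookies(js)
    matched = {}
    unmatched = set()
    for cookie in sorted(cookies):
        name = cookie[len(COOKIE_PREFIX):]
        if name in vip_members:
            matched[cookie] = name
        else:
            unmatched.add(cookie)
    return {
        "cookies": cookies,
        "matched": matched,          # cookie -> VIP user name
        "unmatched": unmatched,      # candidates for VIP members added after the page was captured
        "vip_comment": bool(VIP_COMMENT_RE.search(js)),
    }


def classify(js, vip_members=VIP_MEMBERS):
    """Rank the evidence: a VIP-list match is strongest; the CK prefix alone is weak."""
    r = correlate(js, vip_members)
    if r["matched"]:
        return "ck-vip-match"            # cookie is CK + a user name listed on the VIP page
    if r["cookies"] and r["vip_comment"]:
        return "ck-prefix-unlisted"      # CK cookie and CK VIP comment, name not on the stale page
    if r["cookies"]:
        return "ck-prefix-only"          # prefix alone could be an unrelated cookie
    return "none"


if __name__ == "__main__":
    for label, js in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        r = correlate(js)
        print(label, classify(js), "matched:", r["matched"], "unmatched:", sorted(r["unmatched"]))
```

The prefix check on its own is deliberately treated as weak evidence: any site can set a cookie whose name happens to begin with CK. The signal the post relies on is the combination of a cookie name that equals CK plus a VIP user name, and the CK VIP comment near the packer call; an unlisted CK cookie such as CKTTCYWAXX is reported as a candidate for a member added after the VIP page was captured rather than as noise.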
The CK Exploit Kit is associated with the CKWM.NET site that is probably used for sales and service. The CKWM.NET domain name registration information is exactly the same as the registration information for a known Chinese malware site named 1874.CC. Previous posts explained that the 1874.CC site is associated with the Net Boom Exploit Kit, and the Net Boom Exploit Kit evolved into the CK Exploit Kit.
Unlike earlier Chinese malware sales and service sites, the relationship between CKWM.NET and the CK Exploit Kit is not immediately obvious. The CKWM.NET site name and logo provide only speculative evidence of a relationship between the site and the exploit kit. The page listing CKWM.NET VIP members provides solid evidence linking the site to CK exploit code.
Despite the analysis presented in this post, it is still unclear exactly how the site is used to sell malware code or services to cyber criminals. Unlike earlier Chinese exploit kit vendor sites I have seen, CKWM.NET does not seem to be advertising an exploit code generator. Perhaps the CKWM.NET site provides botnets for rent. These botnets would be identified by the cookies used by the initial exploit vectors provided by the CK exploit code, and the VIP Member Center plug-in used by the CKWM.NET site would provide a means of facilitating financial transactions between the bot herders and cyber criminals.
The CK Exploit Kit – Net Boom’s Metamorphosis (CK Exploit Kit and NB Exploit Kit)
CK Exploit Kit in Early 2013 (CK Exploit Kit)
Anhey Menagerie (AHWM and CUTEQQ.CN)
Silver Fox Gallery (SVFOXWM and SVFOX.NET)
Net Boom Kits and Signatures (NBWM and 1874.CC)
The Last Net Boom Exploit Packs (NBWM and 1874.CC)
http://w3patrol.com/d/1874.cc (1874.cc domain registration)
http://w3patrol.com/d/ckwm.net (ckwm.net domain registration)
http://www.phpwing.net (PHPWind Site)
http://www.phpwind.net/read/1349115 (VIP Member Center Plug-in)
http://www.jsunpack.jeek.org/ (repository for code featuring CK VIP cookies)