
Archive for May 19th, 2008


May 19
by Paul Oliveria (Technical Communications)

whitehouse.org

Joining the growing list of Web site compromises is whitehouse.org, the “officious” parody site of the current U.S. White House administration and all the colorful punditry that accompanies it.

According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org has been compromised to host malicious, obfuscated JavaScript code that silently (“in the background”) downloads a file onto the systems of unsuspecting visitors; the downloaded file is detected by Trend Micro as TROJ_DELF.GKP.

Of course, the official White House Web site is whitehouse.gov, and although it has been reported that some people believe whitehouse.org is the real deal, even those looking for this site specifically should be forewarned.

This incident is yet additional proof that Web threats are no joke (pun intended).

Additional information provided by Advanced Threats Researcher Paul Ferguson.

Posted in Security

May 19
by Jovi Umawing (Technical Communications)

Trend Micro Research Project Manager Ivan Macalintal alerted TrendLabs about another string of Web site compromises, this time involving Web sites of various affiliations and in different countries. Affected sites include those of the Israel Humanitarian Foundation, the London-based Child Rights Information Network, the UK’s West Midlands Local Government Association, and AsiaObserver (a news portal covering the continent).

This discovery comes on the tail of the mass compromise of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curiously, some of the malicious URLs in this new set of compromises are the same as those in the first mass compromise.

The four sites — humanitarian, government, and news — were injected with the malicious JavaScript hxxp://www.{BLOCKED}igm.com/m.js, which is detected as JS_IFRAME.VA (as seen in the screenshot above). Once any of these four sites is accessed, the script redirects to two sites:

  • http://{BLOCKED}and.cn/bao/p60.htm - detected as JS_REALPLAY.CU
  • http://www.{BLOCKED}igm.com/index.htm - detected as HTML_IFRAME.VA

JS_REALPLAY.CU then leads to http://{BLOCKED}and.cn/14.htm, which is detected as VBS_SHELLCOD.EN. This script in turn leads to the following:

  • http://{BLOCKED}and.cn/14.htm - detected as JS_SHELLCOD.EL
  • http://{BLOCKED}and.cn/real11.htm - detected as JS_VEEMYFULL.AA
  • http://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
  • http://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS

All four of these then lead to the download and execution of http://{BLOCKED}gol.com/xx.exe, which is detected as BKDR_HUPIGON.CFV.

HTML_IFRAME.VA, meanwhile, leads to the following:

  • http://www.{BLOCKED}igm.com/14.htm - detected as JS_SHELLCOD.EL
  • http://www.{BLOCKED}igm.com/real.htm - detected as JS_SHELLCOD.EM
  • http://www.{BLOCKED}igm.com/04.htm - detected as JS_DLOADER.WBO

These three all lead to the download and execution of http://www.{BLOCKED}igm.com/bak.exe, which is detected as TROJ_AGENT.AAPK.

Trend Micro Advanced Threats Researcher Paul Ferguson has already contacted the responsible organizations and the relevant CERTs/CSIRTs covering the affected areas. Note that this practice is mostly a matter of courtesy to the owners of the affected sites, so that unsuspecting users are protected from infection when visiting them. But as always, Web site administrators are ultimately responsible for the browsing security of the users who visit their sites.

Updated by Mayee Corpin (Technical Communications)

Posted in Malware

May 19
by Jovi Umawing (Technical Communications)

Security researchers have created a new rootkit program that is capable of hiding itself inside a computer’s microprocessor, an area of a system that is said to be “unreachable” by antivirus programs.

Researchers Shawn Embleton and Sherri Sparks of Clear Hat Consulting, a security company in Florida, called it a System Management Mode (SMM) rootkit. It may just bring stealth technology beyond the OS and into the physical structure of the computer, making it more impervious to detection than most rootkits already are — and more frightening if found in the hands of the bad guys.

The SMM rootkit can be seen as an offshoot of Joanna Rutkowska’s Blue Pill concept, a nifty rootkit first introduced by Rutkowska on her blog back in June 2006.

Like the SMM rootkit, the Blue Pill is not dependent on a system’s OS. Sparks said in an interview with PC World that “rootkits are going more and more toward the hardware. The deeper into the system you go, the more power you have and the harder it is to detect you.”

Unlike the Blue Pill, which relies on the latest virtualization technology, the SMM rootkit uses an old processor feature: one that allows hardware vendors to fix discovered bugs using software alone, and which is said to date back to Intel’s 386 processors. Because of this, experts speculate that the SMM rootkit could be more difficult to detect than the Blue Pill. The most notable downside of the SMM approach, as of this writing, is that programmers must write a complex driver to get the rootkit to work.

Sparks and Embleton will be presenting A New Breed of Rootkit: The System Management Mode (SMM) Rootkit at the Black Hat conference this August in Las Vegas.

And we did blog about hackable microprocessors in this entry.

Posted in Malware

May 19
by Jake Soriano (Technical Communications)

Just a week after half a million Web sites were compromised, here comes another mass Web threat — still no breathing easy for security researchers. Consider the fact that an even earlier SQL injection attack preceded the two we’ve just mentioned (a mere two days before the last attack, and one which also targeted Chinese users) and we have a series of mass compromises in a span of just two weeks.

This time, we picked up on another script injection attack aimed at Web sites in the Chinese language. Here’s an illustrated summary of this mass compromise:

Infection Diagram

A visit to any compromised site installs and executes a malicious script on the visitor’s system. This script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site http://{BLOCKED}.us/s.js.

Here is a screenshot of the injected script in one of the compromised sites:

TW Injected Script

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in Web sites. TrendLabs Threats Analyst Jonathan San Jose identifies the following exploit routines of JS_IFRAME.AD:

  1. Exploits a vulnerability in Microsoft Data Access Components (MDAC), MS06-014, which allows remote code execution on an affected system
  2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shellcode to an installed RealPlayer
  3. Checks for GLAVATAR.GLAvatarCtrl.1
  4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
  5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer

Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically at China, Taiwan, Singapore, and Hong Kong.

When one of these vulnerabilities is successfully exploited, JS_IFRAME.AD redirects the user to one of the following URLs:

  • http://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
  • http://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
  • http://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
  • http://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
  • http://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW

JS_IFRAME.AD was found to download the following:

  • VBS_PSYME.CSZ
  • JS_VEEMYFULL.AA
  • JS_LIANZONG.E
  • JS_SENGLOT.D

These four pieces of malware, in turn, download and execute http://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.

As of this writing, Google search results show some 327,000 pages that contain the malicious script tag.

Google Search Results

Trend Micro Web Threat Protection (WTP) has already blocked access to the said malicious URLs. Users are advised to be cautious when browsing Web sites. Critical software patches, once available from vendors, should be installed to ensure software security.
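Both the multi-country compromise above and this Chinese-language campaign start the same way: a script tag or hidden iframe pointing at an external host is injected into otherwise legitimate pages, and the loaded script then instantiates vulnerable ActiveX controls by ProgID. The following is an added example (not code from the original post or from Trend Micro) that a site administrator could run over saved copies of their own pages to spot such injections; the hostnames in the sample page are constructed placeholders, and the ProgID list is taken from the exploit routines described above.

```python
import re
from urllib.parse import urlparse

# ProgIDs named in the post's exploit routines for JS_IFRAME.AD; a page
# that instantiates any of them deserves a closer look.
SUSPICIOUS_PROGIDS = (
    "IERPCtl.IERPCtl.1",        # RealPlayer control
    "GLAVATAR.GLAvatarCtrl.1",
    "MPS.StormPlayer.1",        # BaoFeng Storm player
)

# Loose regexes for <script src=...> and <iframe src=...>, quoted or not,
# since injected tags are often unquoted and minimally formatted.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
PROGID = re.compile("|".join(re.escape(p) for p in SUSPICIOUS_PROGIDS))


def audit_page(html, site_host, allowed_hosts=()):
    """Return (kind, value) findings for one page: script/iframe loads
    from hosts outside the allowlist, and references to known-bad ProgIDs.
    Relative src values (no hostname) are treated as same-origin."""
    findings = []
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    for kind, pattern in (("script", SCRIPT_SRC), ("iframe", IFRAME_SRC)):
        for src in pattern.findall(html):
            host = urlparse(src).hostname
            if host and host.lower() not in trusted:
                findings.append((kind, src))
    for match in PROGID.finditer(html):
        findings.append(("progid", match.group(0)))
    return findings


# Constructed sample page (hostnames are placeholders): one legitimate
# site script, an injected external script tag of the kind appended to
# database-driven content by mass SQL injection, a hidden iframe, and a
# fragment instantiating one of the vulnerable controls.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="http://www.example-news.tw/js/site.js"></script>
</head><body>
<td>Latest headlines</td><script src=http://malicious.example/s.js></script>
<iframe src="http://malicious.example/index.htm" width=0 height=0></iframe>
<script>var o = new ActiveXObject("IERPCtl.IERPCtl.1");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, value in audit_page(SAMPLE_PAGE, "www.example-news.tw"):
        print(f"{kind:7} {value}")
```

Run it against a crawl of your own site (or a database dump of text fields) and treat any external script or iframe host you did not put there as a compromise indicator to investigate.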

Our researchers are still investigating other details of this case; more information will be posted as soon as it becomes available. Trend Micro is also now trying to reach Taiwan CERT to inform them of this mass compromise.

Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.

Updated by Mayee Corpin and Jovi Umawing (Technical Communications)

© Copyright 2008 Trend Micro Inc. All rights reserved.