Archive for June 22nd, 2009


Jun22
by Det Caraig (Technical Communications)

The hype around the recent mass compromises had barely died down when another large-scale attack was launched. Trend Micro was alerted to a new mass compromise dubbed Nine Ball, named, like Gumblar before it, after one of the domains involved. This time, however, the Nine Ball domain was only one of hundreds of landing pages to which users could be redirected.

As reported by Ivan Macalintal, Trend Micro Threat Research Manager, the infection starts when a user visits a compromised site that automatically redirects the visitor through several other sites. These intermediate sites were a trio of malicious domains (specific .KZ and .TW sites) that the attackers used consistently to bounce visitors toward a malicious IP address registered in Ukraine.

The chain ends when the user's browser lands on a page containing exploits for vulnerabilities in several products, including Adobe Acrobat and Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported proof-of-concept (PoC) exploit for Office OCX Word Viewer is among the exploits used in this attack.

Compromised websites were injected with blocks of obfuscated script, detected as JS_DLOADR.ALP, built around random-looking identifier names such as the following (see Figure 1):

  • hdOruVsHnKBXZuvtsRmw
  • eMCeGjolMPJFNuucZWLk
  • vIkytowORShQVZqTBFox


A single page can carry as many as seven or eight such blocks, as seen in the snapshot below of a compromised site belonging to a Web hosting provider in Hong Kong. A hosting provider, of all things.


The user is then redirected through a series of websites that check the HTTP Referer header, serving the next hop only to visitors arriving through the expected chain; this hampers analysis of the individual hops and their subsequent takedown. The infection chain ends when the user is finally redirected to an exploit-laden landing page.
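The injected blocks described above share traits that a simple scanner can key on: long identifier names that no programmer would type, a runtime decode call, and a percent-encoded string. The following is an added example, not code from the original post or from Trend Micro; it parses a constructed sample page (the identifier names are the ones quoted above, but the script bodies are harmless placeholders, not the real injected code) and flags inline scripts that combine two or more of those traits. The thresholds in `looks_random` are assumptions and should be tuned on real pages.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary inline script followed by two
# stand-in blocks written in the style the post describes. The bodies are
# placeholders that merely write "<b>hi</b>", not the campaign's script.
SAMPLE_PAGE = """<html><head><title>Example hosting company</title>
<script type="text/javascript">
function showMenu(id) { document.getElementById(id).style.display = "block"; }
</script>
</head><body>
<script>var hdOruVsHnKBXZuvtsRmw="%3c%62%3e%68%69%3c%2f%62%3e";var eMCeGjolMPJFNuucZWLk=unescape(hdOruVsHnKBXZuvtsRmw);document.write(eMCeGjolMPJFNuucZWLk);</script>
<p>Welcome to our hosting service.</p>
<script>var vIkytowORShQVZqTBFox="%3c%62%3e%68%69%3c%2f%62%3e";document.write(unescape(vIkytowORShQVZqTBFox));</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the body of every inline <script> block in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False


IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]{11,}\b")   # identifiers of 12+ chars
DECODER_RE = re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(")
PCT_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")         # 4+ percent-encoded bytes


def looks_random(name):
    """Crude test for machine-generated identifier names.

    camelCase names switch from lower to upper case once per word and keep a
    normal vowel ratio; generated names switch far more often and are
    vowel-poor. Both thresholds are assumptions chosen for this example.
    """
    switches = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    return switches >= 4 and vowel_ratio < 0.3


def scan_page(html):
    """Return the inline script blocks that look injected, with the reasons."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for index, body in enumerate(parser.scripts):
        random_names = sorted({n for n in IDENT_RE.findall(body) if looks_random(n)})
        reasons = []
        if random_names:
            reasons.append("random-looking identifiers: " + ", ".join(random_names))
        if DECODER_RE.search(body):
            reasons.append("runtime decode/eval call")
        if PCT_RUN_RE.search(body):
            reasons.append("percent-encoded string")
        # One random name alone is not enough; require two independent signals.
        score = len(random_names) + bool(DECODER_RE.search(body)) + bool(PCT_RUN_RE.search(body))
        if score >= 2:
            findings.append({"index": index, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print("script #%d (score %d): %s" % (finding["index"], finding["score"], "; ".join(finding["reasons"])))
```

On the sample the first script (a normal menu helper) is not flagged, while both stand-in blocks are. Run the scanner across a crawl of your own sites; several flagged blocks on one page, as in the Hong Kong hosting example, is a strong signal that the page was injected.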

The final pages in the infection chain, Costoya also reported, are part of a Web exploit toolkit called Yes Exploit System, which includes .PDF and .SWF exploits, detected as TROJ_PDFEX.J and TROJ_SWFLDR.AB, respectively.


Both the .PDF and the .SWF exploit lead to a binary payload that resembles a new information stealer detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. The gathered information is then sent to a remote attacker via HTTP POST.

Note that, as of this writing, the binary payload retrieved from the attack is this spyware. Future attacks may well deliver other payloads.

Fortunately, Trend Micro Smart Protection Network blocks all malicious sites and detects all related malware. Thus, users need not worry about being infected.

Information on the vulnerabilities exploited in this attack can be found on the following pages:

Users are also strongly advised to update their software in order to avoid being affected by this attack.


Jun22
by Argie Gallego (Anti-spam Research Engineer)

Microsoft regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect users from attacks that rely on exploiting those documented bugs.

Close to the weekend, we identified spam (Figure 1) claiming to be a critical update for Microsoft Outlook and Outlook Express that "offers the highest levels of stability and security."


What makes this one tricky is that all the links in the email (Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate, except one. The URL from which the "critical update" is supposedly downloaded looks legitimate, but hovering over the hyperlink (or checking the source of the mail) reveals a completely different destination.
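The check described above (compare what a link shows with where it actually goes, and look for the one link that leaves the claimed sender's domain) is easy to automate. The following is an added example, not code from the original post or from Trend Micro; it runs over a constructed message body modelled on the description above, in which the footer links point at the vendor and only the download link's href differs from its visible text. The host `update-mirror.example` is a placeholder, not the campaign's URL, and `registrable` is a deliberately simplified stand-in for a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the actual spam: vendor footer links plus one
# download link whose visible text and href disagree.
SAMPLE_EMAIL = """<html><body>
<p>A critical update for Microsoft Outlook and Outlook Express is available.
It offers the highest levels of stability and security.</p>
<p>Download it here:
<a href="http://update-mirror.example/outlook/critical_update.exe">http://www.microsoft.com/downloads/outlook-critical-update</a></p>
<p><a href="http://www.microsoft.com/contactus/">Contact Us</a> |
<a href="http://www.microsoft.com/privacy/">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks/">Trademarks</a> |
<a href="http://www.microsoft.com/terms/">Terms of Use</a></p>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anything in the anchor text that looks like a hostname or URL.
HOSTLIKE_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Last two labels of a hostname (www.microsoft.com -> microsoft.com).

    Assumption for this example only; real code needs the public suffix list
    to handle names such as example.co.uk correctly.
    """
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html, sender_domain):
    """Return anchors whose text and href disagree or that leave sender_domain."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname or ""
        reasons = []
        shown = HOSTLIKE_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("text shows %s but link goes to %s" % (shown.group(1), host))
        if registrable(host) != registrable(sender_domain):
            reasons.append("link leaves %s" % sender_domain)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "microsoft.com"):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the sample only the download link is reported, for both reasons. In a mail gateway the same two checks can be scored alongside the usual sender and content heuristics; the text-versus-href mismatch in particular is rarely seen in legitimate vendor mail.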

To content security experts this already bears the marks of an email-based criminal campaign. True enough, the URL leads to the download of a file, detected as TROJ_ZBOT.BTS, which on execution contacts a website to download a .bin configuration file. That file tells the Trojan where to download an updated copy of itself, where to send stolen data, and which websites to monitor for credential theft. Our engineers confirm that the list contains several banking institutions, social networking sites such as Facebook and MySpace, and media sites such as YouTube and Flickr. The list can be viewed here. Note that the list may be changed at any time.

How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It saves the gathered information (which presumably includes user names, passwords, credit card numbers, and similar sensitive data) to a file and sends that file to a dedicated server via HTTP POST.

Earlier spam runs posing as Microsoft updates are covered in the following blog posts:

    Bogus ‘MS Update’ Comes with Malicious Attachment
    Bogus Microsoft Update Delivers Nasty File Infector

Trend Micro Smart Protection Network blocks the related spam, the malicious URL, and detects TROJ_ZBOT.BTS.

 


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice