Posts filed under 'Malicious Websites'
May 9th, 2008 by Paul Oliveria (Technical Communications)
Unsuspecting users who may wish to buy (or simply admire) the new Honda Accord are warned that may fall victim to a drive-by download, leading to the installation of an info-stealing malware. TrendLabs discovered today an attack on the official web site of Honda Cars in Thailand.
According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://www.honda.co.th:80/accord, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ), which loads a page within the cleverly named getanewmazda.info domain. This page contains a script that looks for vulnerabilities to download and execute a certain file on the victim’s system. The downloaded file (which is named crypt.exe and saved as c:\winQZfio771.exe) is detected as TSPY_ZBOT.LA.
This compromise was discovered due to a feedback technology on our customers’ products. This mechanism allows our systems to monitor and block potential malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, thereby protecting the user from further infection. Trend Micro Web Threat Protection has prevented access to the compromised site, protecting customers from possible infection.
Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) after a user accesses any one of them:
The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, where possibly more malicious files can be downloaded. As of this writing, our researchers found user names and passwords related stored in this domain, suggesting that it is used either as a phishing page or mere storage in which cyber criminals can easily retrieve stolen information.
This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.
Note that this seems to be an isolated incident so as far as the Honda enterprise is concerned, only Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken their site offline in order to address the matter.
Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs
May 7th, 2008 by Macky Cruz (Technical Communications)
Our researchers “followed the bouncing Web threat” in this newly discovered spate of hacked legitimate Web sites. Advanced Threats Researcher Paul Ferguson posted about this mass compromise on the blog yesterday, when it was still a “developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.”
It appears that several thousand Web sites have been compromised — via SQL injection — with embedded malicious JavaScript that redirects users to two major malicious URLs (winzipices.cn and bbs.jueduizuan), both of which are now gaining quite the reputation as fellow researchers scramble to determine the “end game” in this extraordinarily convoluted attack.
Here is a general diagram illustrating basically what happens on the user side:
The Web site compromises were accomplished in a similar manner as were other recent mass compromises –- through poor .asp and asp.net configuration that allow exploitation via SQL injection.
WINZIPICES.CN
Legitimate, yet compromised, Web sites found to be hosting the (embedded) JS_DLDR.AW redirected visitors to an .ASP script which, in turn, redirects to any one of three URLs.
These redirections happen instantaneously, without the user knowing it. Some of these redirections lead to URLs that randomize an image in the Web page, a definitive routine that is used for advertisements. It also uses cookies to determine the TTL of the image and possibly change the image once the TTL expires.
However, a more dangerous path, of which the user has no way of determining (let alone stopping), ends in the download of JS_DLOADER.AEHM and TROJ_REALPLAY.BR. Both download TROJ_AGENT.AKVP on the infected system. This Trojan drops a copy of itself and downloads a file containing a list of malicious sites.
As one of our researchers closely followed on the heels of the 2.asp path, we have found yet more executables, including an autorun malware detected by our patterns as WORM_AUTORUN.CBZ.
While some of the involved files look harmless by themselves, closer investigation into their relationships with one another reveal a possible attempt at information theft.
For instance, a file named stat.htm includes the browser version, system language, and platform of the infected PC and then attempts to upload these statistics to a remote location. We have also stumbled upon a possible signature or marker in one of the files, a certain (graffiti) “Power by Cnzz.”
BBS.JUEDUIZUAN
This is another malicious URL than can be seen in various compromised sites (~1,510 pages). The redirection path in this case is found below:
JS_AGENT.ALIP is the offending script in this attack. Compromised sites found hosting this script have been modified to contain an iFrame detected as HTML_IFRAME.AAK.
The following malicious files are downloaded on the user’s system upon visiting (and being redirected from) compromised sites:
DAMAGE COUNT
The number of Web sites affected have reached as of 19:50 PDT is at ~9,000, among them several legitimate medical, educational, government, and entertainment sites all over the world.
A survey of the site locations already includes India, UK, Canada, France, and China. This observation suggests that instead of a Webserver compromise or a heavily targeted attack, this attack could have been the work of an automated tool programmed to search through Web sites for vulnerabilities.
Here are screenshots of a couple of the compromised sites:
Our researchers believe this is similar to the attacks earlier this year involving uc8010.com, ucmal.com, rnmb.net, etc., which appear to be related output of a certain Chinese language hacking tool (see image below):
Also, we have been informed that a new version of this tool has very recently appeared, and unfortunately, it is now free for public download (as well while the latest one) and is posted up for availability to anyone who wants to download it.
The resulting package — once all the hacker selected options have been selected — creates the same .html file that has been used to launch various exploits.
In particular (matching the snapshot of the kit), options in this kit reveal interesting translations such as “PPS Overflow” — which translates roughly to PowerPlayer Control exploit; “Thunder 0day” — which translates to XunLei Thunder Player exploit; “Real 0day” — which is most probably pertinent to the RealPlayer exploit, and so on.
Correlating the code snippets and the exploits which are used, this points to being the same gang that perpetuated nihaorr1.com on April 29th and which came live sometime Monday.
There have been similar attacks using older tools but it appears to be that using less files and less redirection has helped lend a hand in the growing number of affected sites. The fact that an updated version was just released last week doesn’t make next week’s forecast clear of this current style of attack either.
Consolidated findings of the Advanced Threats Research Team and Web Threat Protection team at TrendLabs
May 2nd, 2008 by Macky Cruz (Technical Communications)
In what may turn out to be an advanced one-year “toast” to the June 2007 mass infection that came to be known as the Italian Job, TrendLabs discovered 90 compromised Italian Web sites (all verified active as of this writing) at around 12:30 AM GMT. The compromised sites are varied; their only common thematic link seems to be the Italian language.
According to Trend Micro analysts, the attack rolls out like this:
1. The compromised Web sites contain obfuscated JavaScript code (detected as JS_AFIR.A) that redirects the browser to the malicious URL http://{BLOCKED}r.com/cgi-bin/index.cgi?grb&js=1.
The script checks the Internet Explorer version and language so it will only execute on Italian ones.
2. The said URL redirects to another URL: http://{BLOCKED}f.com/cgi-bin/index.cgi?grobin (blocked by Web Reputation Services since April 27).
The two malicious sites were found to be hosted in a single IP traced back to San Diego, California.
3. The said sites download TROJ_SINOWAL.CB (detected since April 26 GMT) from the same domain. TROJ_SINOWAL.CB then drops BKDR_SINOWAL.CF (detected since April 30 GMT), which in turn drops a rootkit component on the affected PC.
This rootkit component modifies certain sectors of the infected hard disk. It also hooks Driver.sys to protect these sectors from read and write operations from AV/security software.
See infection diagram below.
SINOWAL malware variants are known information stealer droppers.
As of this writing, TrendLabs has discovered two forms of this compromise: one is via an injected obfuscated script that redirects to a certain malicious URL, and the other is via a readable iFrame and the same obfuscated script.
It appears that this attack affects sites hosted in Italy by a single hosting provider — the same one that hosted the thousands of sites (mostly travel and leisure) in last year’s large-scale infection. This time, compromised sites include the following:
- The official site of Monica Bellucci (famous Italian model-actress)
- The Mercedes-Benz club of Italy
- The official Web page of Sabrina Salerno (Italian singer)
- A Johnny Depp fan site
- A fan site of Pearl Jam
Here are screenshots of the first three sites mentioned above:
Trend Micro customers are already protected from this threat. Web Threat Protection technology has prevented access to the malicious pages since 27 April 2008. The URLs have already been added to our emergency database and are blocked by WCS (Web Classify Server), making these accessible to customers. Also, the RootkitBuster tool is able to scan the MBR-rootkit component involved in this attack.
Last updated at 5:27 PM GMT, 3 May 2008
April 29th, 2008 by Jake Soriano (Technical Communications)
Senators Hillary Clinton and Barack Obama battle it out on all fronts, literally. The tight contest, where until now no clear frontrunner emerges, isn’t likely to be dictated by just the debates. So we see extra-political battles in different arenas. The Web would seem one likely sphere where the one hopeful nominee who dominates gains a lot.
The most recent Internet-related clash between these two involved redirection: one candidate’s Web site leads users to the site of the other. Users viewing Obama’s site were redirected to Clinton’s through an attack called cross-site scripting (XSS). Researchers were successful in reversing the attack, too, exploiting vulnerabilities and revealing these glitches to the site owners.
Internet-related incidents are not new in the coming U.S. presidential elections. TrendLabs, as early as November last year, reported on spamming activities that were seen as campaign materials for Ron Paul. Clinton herself was featured in a spam run that spewed malware into systems, turning them into bots to further spread spam.
This time, however, the cross-site scripting attacks are seen as benign as no malware were involved. With the increasing hype around spamming and other malicious activities, this might be a move driven by caution. Those who do it may have realized that malicious activities, once exposed, will inevitably taint individuals and their appearances to the media, or to everyone in general.
Researchers are still investigating how this type of attack could be used in more malicious criminal activity.
March 31st, 2008 by Jake Soriano (Technical Communications)
Massive iFrame attacks on top Web sites still threaten online searches. The threat is not just continuing but, according to independent Internet security researcher Dancho Danchev, is getting bigger as well.
Trend Micro has recently reported two high-traffic sites that were iFramed earlier this month. The said attack relied on popular search terms that were not validated in search engines. Interestingly, this previous attack came less than a week after search results of popular Web sites ZDNet Asia and TorrentReactor were also found to have been iFramed.
Danchev says that the current poisoning also leads users to several redirection posts. He again lists what he believes are poisoned sites. These include the following:
- USAToday.com
- ABCNews.com
- News.com
- Target.com
- Packard Bell.com
- Walmart.com
- Rediff.com
- MiamiHerald.com
- Bloomingdales.com
- PatentStorm.us
- WebShots.com
- Sears.com
- Forbes.com
Trend Micro Threat Response engineers analyzed the said pages and found no traces of an ongoing compromise. The sites may have been already fixed by the time of our engineers’ verification. However, the threat in general continues to persist, as it would be very possible to encounter iFrame injections in some future time. Security researchers have yet to close in on a foolproof way to lock down a site from being compromised.
Previous Posts
