May 7th, 2008 by Macky Cruz (Technical Communications)
Our researchers “followed the bouncing Web threat” in this newly discovered spate of hacked legitimate Web sites. Advanced Threats Researcher Paul Ferguson posted about this mass compromise on the blog yesterday, when it was still a “developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.”
It appears that several thousand Web sites have been compromised — via SQL injection — with embedded malicious JavaScript that redirects users to two major malicious URLs (winzipices.cn and bbs.jueduizuan), both of which are now gaining quite the reputation as fellow researchers scramble to determine the “end game” in this extraordinarily convoluted attack.
Here is a general diagram illustrating basically what happens on the user side:

The Web site compromises were accomplished in a similar manner as other recent mass compromises: through poorly configured .asp and asp.net applications that allow exploitation via SQL injection.
WINZIPICES.CN
Legitimate, yet compromised, Web sites found to be hosting the (embedded) JS_DLDR.AW redirected visitors to an .ASP script which, in turn, redirects to any one of three URLs.
These redirections happen instantaneously, without the user knowing it. Some of these redirections lead to URLs that randomize an image in the Web page, a routine typically used for advertisements. They also use cookies to determine the TTL of the image and possibly change the image once the TTL expires.
However, a more dangerous path, which the user has no way of detecting (let alone stopping), ends in the download of JS_DLOADER.AEHM and TROJ_REALPLAY.BR. Both download TROJ_AGENT.AKVP onto the infected system. This Trojan drops a copy of itself and downloads a file containing a list of malicious sites.

As one of our researchers followed the 2.asp path more closely, we found yet more executables, including an autorun malware detected by our patterns as WORM_AUTORUN.CBZ.
While some of the involved files look harmless by themselves, closer investigation into their relationships with one another reveals a possible attempt at information theft.
For instance, a file named stat.htm includes the browser version, system language, and platform of the infected PC and then attempts to upload these statistics to a remote location. We have also stumbled upon a possible signature or marker in one of the files, a certain (graffiti) “Power by Cnzz.”
BBS.JUEDUIZUAN
This is another malicious URL that can be seen in various compromised sites (~1,510 pages). The redirection path in this case is shown below:

JS_AGENT.ALIP is the offending script in this attack. Compromised sites found hosting this script have been modified to contain an iFrame detected as HTML_IFRAME.AAK.
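Both redirection chains above start from the same kind of artifact: a script or iFrame tag that the SQL injection has written into the site's own content, pointing at one of the two domains named in this post. The following scanner is an added example (not Trend Micro's tooling) that a site owner can run over rendered pages or over text columns dumped from the database to find such injected tags; the sample page and the paths in it are constructed, and the hidden-iframe rule is an added heuristic rather than something the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the post. The second one is given there without its TLD,
# so matching is done on the registered-name prefix as well as exact host.
KNOWN_BAD_DOMAINS = {"winzipices.cn", "bbs.jueduizuan"}


def _host_of(src):
    """Return the lowercase hostname of a script/iframe src, tolerating //host form."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()


def _is_known_bad(host):
    return any(host == d or host.endswith("." + d) or host.startswith(d + ".")
               for d in KNOWN_BAD_DOMAINS)


class InjectedTagScanner(HTMLParser):
    """Collects <script src> and <iframe src> tags and records why each looks injected."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, host, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return  # inline script bodies are out of scope for this check
        host = _host_of(src)
        reasons = []
        if _is_known_bad(host):
            reasons.append("known-bad domain")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                    or "display:none" in style or "visibility:hidden" in style):
                reasons.append("hidden iframe")  # heuristic: invisible frames are a classic injection marker
        if reasons:
            self.findings.append((tag, host, ", ".join(reasons)))


def scan_html(html):
    """Scan one page (or one database text field) and return the suspicious tags found."""
    p = InjectedTagScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a benign page with two injected tags appended to a text field.
SAMPLE_PAGE = ('<html><body><h1>News</h1><script src="https://example.org/site.js"></script>'
               '<script src="http://winzipices.cn/example.js"></script>'
               '<iframe src="http://example.invalid/frame" width=0 height=0></iframe></body></html>')
```

Run `scan_html` over every page or stored text field; any hit on a known-bad domain means the content (and the injection point behind it) needs cleaning, while a hidden-iframe hit needs manual review.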
The following malicious files are downloaded on the user’s system upon visiting (and being redirected from) compromised sites:
DAMAGE COUNT
The number of Web sites affected had reached ~9,000 as of 19:50 PDT, among them several legitimate medical, educational, government, and entertainment sites all over the world.
A survey of the site locations already includes India, UK, Canada, France, and China. This observation suggests that instead of a Webserver compromise or a heavily targeted attack, this attack could have been the work of an automated tool programmed to search through Web sites for vulnerabilities.
Here are screenshots of a couple of the compromised sites:


Our researchers believe this is similar to the attacks earlier this year involving uc8010.com, ucmal.com, rnmb.net, etc., which appear to be related output of a certain Chinese language hacking tool (see image below):

Also, we have been informed that a new version of this tool has very recently appeared, and unfortunately it is now free for public download (as well as the latest one) and is posted for anyone who wants to download it.

The resulting package, once the attacker has selected all of the desired options, creates the same .html file that has been used to launch various exploits.
In particular (matching the snapshot of the kit), options in this kit reveal interesting translations such as “PPS Overflow” — which translates roughly to PowerPlayer Control exploit; “Thunder 0day” — which translates to XunLei Thunder Player exploit; “Real 0day” — which is most probably pertinent to the RealPlayer exploit, and so on.
Correlating the code snippets and the exploits used, this points to the same gang that perpetrated nihaorr1.com on April 29th and which came live sometime Monday.
There have been similar attacks using older tools, but it appears that using fewer files and less redirection has contributed to the growing number of affected sites. The fact that an updated version was released just last week doesn’t make next week’s forecast clear of this current style of attack either.
Consolidated findings of the Advanced Threats Research Team and Web Threat Protection team at TrendLabs
May 7th, 2008 by Paul Oliveria (Technical Communications)
Iron Man just made almost a hundred million dollars during its opening weekend in the US. Yes, summer movie season has just kicked in. You know, that time of the year (even if one’s not in the said country) when all the big blockbuster flicks are jockeying for the “box office hit” title. Almost every week there is a new highly anticipated film or sequel (or the now-overused term “threequel”) opening in theaters, much to the delight of moviegoers and, in some cases, cyber criminals as well.
The use of movies as a social engineering bait by hackers is not new; in fact, it has sort of become a tradition that one has to expect every year. So while reading Entertainment Weekly’s “fearless” predictions for the season, we decided to come up with predictions of our own. Only this time we’re calling them “fearful” predictions, mainly because these are the types of predictions we hope would not come true.
1. Spammers and phishers will lure potential victims with raffle entries for tickets or merchandise. In 2005, Revenge of the Sith became the bait of choice of a Yahoo! phishing attack. Last year, spammers sent a supposedly short survey related to The Simpsons Movie in an attempt to gather email addresses. It will not be surprising if a similar tactic pops up this year, just in time when the anticipation for movies like Sex and the City or the X-Files sequel reaches fever pitch. After all, in the gaming arena, it has already happened with the release of Grand Theft Auto IV.
2. At least one malware will pose as an “exclusive” trailer, free movie passes for the premiere, or the “uncut version” of a movie. Unfortunately one has to download the “codec” or the “raffle entry form” first.
3. The official site of one movie will get compromised. Or a high-traffic fan site or blog, for that matter. Users who would want more information about a particular flick (show times, reviews, etc.) will click on the compromised page, where a slew of malware will be downloaded onto the unknowing victim’s computer.
Then again, with the ongoing trend of SEO poisoning and creating fake pages from scratch (which are laden with spammy links and keywords), users only need to Google a keyword in order to get infected. Speaking of SEO poisoning…
4. “Heath Ledger” will be once again a good keyword for poisoned pages. As the buzz surrounding the actor’s portrayal of The Joker in the upcoming The Dark Knight grows louder — some already claim it’s his finest role yet worthy of a posthumous Oscar — whose interest won’t be piqued?
May 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)

It would appear that we have a developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.
Over at the SANS Internet Storm Center, John Bambenek has posted (and also provided at least one update at this hour) a daily handler’s diary entry explaining that they have had reports of a possible SQL worm, involving some domains, JavaScript, and URLs that first popped up on our threat radar on Monday (5 May 2008) morning.
Trend Micro has already proactively blocked access to these malicious domains and URLs (and the associated malicious “back-channel” background activity) while we push out a pattern update for malicious file and JavaScript detection.
Having said that, that’s the beautiful thing about hybrid Web Threat Protection (WTP) — we shrink the “time-to-exploit” window immediately by breaking the infection chain.
For now, please be assured that we are burning the midnight oil working on these issues, and will update this blog post as more details become clear. For now, please refer to the SANS ISC Daily Handler’s Diary for details, and we’ll post more as this developing incident unfolds.
One further note: While the numbers are only in the ~4,000 to ~5,000 range (still not small!), there are some very high-profile Web sites that seem to have been compromised in this attack.
PLEASE DO NOT GO SEARCHING FOR WEB SITE COMPROMISES. In this particular case, if you are not adequately prepared and protected, you can become a victim of your own curiosity.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
Image source: Fugato.net
May 6th, 2008 by Jake Soriano (Technical Communications)
We were alerted to a spam run that banked on the craze surrounding the highly anticipated worldwide release (except in Japan) of Grand Theft Auto IV (GTA IV) on 29 April 2008.
Below is a screenshot of the sample spammed email message:

It appears to be offering a free PlayStation 3 along with a copy of GTA IV. And the ironic (or appropriate?) come-on: “Enter the Criminal Underworld.” Clicking on the link leads the user to the following site:

Given the immense popularity of this online game, its reception by the online gaming community is no longer just hype. The days before the release provided great opportunities for spammers to trick online users into clicking the links in the spammed email messages. Users who did so were asked to provide their email addresses — instead of the supposed free version of GTA IV, affected users received more spam. This is a common technique used by spammers to check whether the email accounts they have gathered are indeed active. Users who click on links are therefore unwittingly signaling spammers that their email addresses are indeed working accounts.
Fans — in the millions no doubt — proved to be most vulnerable to this spamming operation. And who says “no” to the doubly irresistible promise of being able to play the game before everyone else — and for free, too!
Interestingly, last year’s release of another famous online game, Halo 3, was relatively quiet when it came to online security issues. Both of these games were heavily promoted and marketed, which doesn’t explain why we see the spamming just now. Maybe last year’s media-documented campaign by a Florida lawyer against the game creators makes the game controversial enough to warrant spammers’ time and attention.
As usual, users are advised to refrain from clicking on links regardless of how attractive the offers are.
Thanks to Trina Baetiong of Content Security for details regarding this spam run.
May 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

Last month started with an April Fool’s message being spammed around. The spammed email contained a link from where a variant of the Storm malware could be downloaded. Aside from that, we’ve had our usual fill of Trojans and malicious scripts that plagued compromised Web sites for April.
Notable Malware
TROJ_AGENT.AMAL
This Trojan poses as a browser plugin that must be installed first to view files that are supposed to come from a fake US federal judiciary Web site. Reported last April 15, the link to the fake site comes from spammed email messages claiming to be legitimate court subpoenas. To add credibility to the spammed email, the sender uses a uscourts.com email address, which may seem authentic to unsuspecting recipients of the message.
TROJ_SPAMBOT.AF
TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.
TROJ_AGENT.AZZZ
Reported last April 5, this Trojan uses an old technique to trick users into compromising their systems. Users receive a spammed email, under the guise of a Microsoft security bulletin, urging the users to download a patch from a certain link present in the email. Of course, the patch is actually the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ.
WORM_NUWAR.JQ
TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are actually still the same — that is, users are most likely to access this site via links on specially crafted blogs. What is interesting this time is that on the suspect site, users are required to download the so-called “Storm Codec” in order to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the “codec” is actually a NUWAR variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.
Exploits and Vulnerabilities
BKDR_POISONIV.QI and EXPL_NEVAR.B
A backdoor exploiting a recent vulnerability in Microsoft’s GDI processing was discovered right after Patch Tuesday last April 8. A file named TOP.JPG has been found to do this. It arrives on a system as an executable, now detected as EXPL_NEVAR.B. With just this opening available to malware authors, they can do pretty much anything after exploiting this vulnerability. Its specific routine is to connect to a URL to download a file named WORD.GIF (also detected as BKDR_POISONIV.QI).
Web Incidents
JS_DLOADER.TVP and JS_IFRAME.US
Early this month, several Web sites were compromised by search engine optimization (SEO) poisoning. Some of the compromised sites were those of the Washington State University and several news sites such as Sun Gazette and Tribune-Chronicle. For the past few months, education Web sites (*.edu) were the ones targeted for such attacks, averaging about three per month. In this recent incident, JS_IFRAME.US is the iFrame component that is inserted into the HTML code of the Web page. When the browser is redirected by this malicious iFrame, it downloads the malicious script file JS_DLOADER.TVP.
That’s it for today. As of this writing, it seems that another Italian Job is underway, with ~100 compromised Web sites. We shall take a look at more of this in next month’s malware roundup.