Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Our researchers “followed the bouncing Web threat” in this newly discovered spate of hacked legitimate Web sites. Advanced Threats Researcher Paul Ferguson posted about this mass compromise on the blog yesterday, when it was still a “developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.”

    It appears that several thousand Web sites have been compromised — via SQL injection — with embedded malicious JavaScript that redirects users to two major malicious URLs ( and bbs.jueduizuan), both of which are now gaining quite the reputation as fellow researchers scramble to determine the “end game” in this extraordinarily convoluted attack.

    Here is a general diagram illustrating basically what happens on the user side:

    The Web site compromises were accomplished in a similar manner as were other recent mass compromises –- through poor .asp and configuration that allow exploitation via SQL injection.


    Legitimate, yet compromised, Web sites found to be hosting the (embedded) JS_DLDR.AW redirected visitors to an .ASP script which, in turn, redirects to any one of three URLs.

    These redirections happen instantaneously, without the user knowing it. Some of these redirections lead to URLs that randomize an image in the Web page, a definitive routine that is used for advertisements. It also uses cookies to determine the TTL of the image and possibly change the image once the TTL expires.

    However, a more dangerous path, of which the user has no way of determining (let alone stopping), ends in the download of JS_DLOADER.AEHM and TROJ_REALPLAY.BR. Both download TROJ_AGENT.AKVP on the infected system. This Trojan drops a copy of itself and downloads a file containing a list of malicious sites.

    As one of our researchers closely followed on the heels of the 2.asp path, we have found yet more executables, including an autorun malware detected by our patterns as WORM_AUTORUN.CBZ.

    While some of the involved files look harmless by themselves, closer investigation into their relationships with one another reveal a possible attempt at information theft.

    For instance, a file named stat.htm includes the browser version, system language, and platform of the infected PC and then attempts to upload these statistics to a remote location. We have also stumbled upon a possible signature or marker in one of the files, a certain (graffiti) “Power by Cnzz.”


    This is another malicious URL than can be seen in various compromised sites (~1,510 pages). The redirection path in this case is found below:

    JS_AGENT.ALIP is the offending script in this attack. Compromised sites found hosting this script have been modified to contain an iFrame detected as HTML_IFRAME.AAK.

    The following malicious files are downloaded on the user’s system upon visiting (and being redirected from) compromised sites:


    The number of Web sites affected have reached as of 19:50 PDT is at ~9,000, among them several legitimate medical, educational, government, and entertainment sites all over the world.

    A survey of the site locations already includes India, UK, Canada, France, and China. This observation suggests that instead of a Webserver compromise or a heavily targeted attack, this attack could have been the work of an automated tool programmed to search through Web sites for vulnerabilities.

    Here are screenshots of a couple of the compromised sites:

    Our researchers believe this is similar to the attacks earlier this year involving,,, etc., which appear to be related output of a certain Chinese language hacking tool (see image below):

    Also, we have been informed that a new version of this tool has very recently appeared, and unfortunately, it is now free for public download (as well while the latest one) and is posted up for availability to anyone who wants to download it.

    The resulting package — once all the hacker selected options have been selected — creates the same .html file that has been used to launch various exploits.

    In particular (matching the snapshot of the kit), options in this kit reveal interesting translations such as “PPS Overflow” — which translates roughly to PowerPlayer Control exploit; “Thunder 0day” — which translates to XunLei Thunder Player exploit; “Real 0day” — which is most probably pertinent to the RealPlayer exploit, and so on.

    Correlating the code snippets and the exploits which are used, this points to being the same gang that perpetuated on April 29th and which came live sometime Monday.

    There have been similar attacks using older tools but it appears to be that using less files and less redirection has helped lend a hand in the growing number of affected sites. The fact that an updated version was just released last week doesn’t make next week’s forecast clear of this current style of attack either.

  • Consolidated findings of the Advanced Threats Research Team and Web Threat Protection team at TrendLabs

  • Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice