Trend Micro TrendLabs Malware Blog

The hype after recent mass compromises has not even died down yet, and already another massive attack has been launched. Trend Micro was alerted to the emergence of another mass compromise, dubbed Nine Ball after the domain involved, just as Gumblar was named after its domain. This time, however, the Nine Ball domain was only one of hundreds of landing pages users could be redirected to.

As reported by Ivan Macalintal, Trend Micro Threat Research Manager, the infection starts when a user accesses a compromised site that automatically redirects him or her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by the attackers in their scheme of redirecting users to a malicious IP address registered in Ukraine.

The chain ends when the user's browser lands on a page that contains exploits for vulnerabilities in various software, including Adobe Acrobat and Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported PoC for the Office OCX Word Viewer is among the exploits used in this attack.

Compromised websites were injected with blocks of obfuscated script, detected as JS_DLOADR.ALP (see Figure 1):

• hdOruVsHnKBXZuvtsRmw
• eMCeGjolMPJFNuucZWLk
• vIkytowORShQVZqTBFox

[Figure 1: obfuscated script blocks injected into a compromised site]

The number of blocks can be as many as seven to eight, which can be seen in the snapshot below of a compromised site of a Web hosting provider in Hong Kong. Hosting provider? Yikes!

[Figure 2: compromised site of a Hong Kong Web hosting provider carrying multiple injected blocks]
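As an added illustration (not code from the original post), the following Python script flags injected script blocks of the kind described above by looking for the random mixed-case identifier pattern shared by the three names listed; the sample page is constructed, and the length and case-flip thresholds are assumptions chosen for this example.

```python
import re
from typing import Dict, List

# Constructed sample page: one legitimate script plus three injected blocks whose
# identifiers mimic the random 20-letter names seen in the Nine Ball injections.
SAMPLE_HTML = """<html><head><title>Welcome</title>
<script>function showMenu(){document.getElementById('nav').style.display='block';}</script>
</head><body><p>Hello</p>
<script>var hdOruVsHnKBXZuvtsRmw="encoded-placeholder";run(hdOruVsHnKBXZuvtsRmw);</script>
<script>function eMCeGjolMPJFNuucZWLk(){return "encoded-placeholder";}run(eMCeGjolMPJFNuucZWLk());</script>
<script>var vIkytowORShQVZqTBFox="encoded-placeholder";run(vIkytowORShQVZqTBFox);</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def looks_random(ident: str) -> bool:
    """Heuristic for machine-generated names: long, letters only, roughly half
    upper-case and with many case flips between neighbouring letters. Hand-written
    camelCase such as getElementById is shorter and flips case far less often.
    Thresholds (16 letters, 30-70% upper-case, 8 flips) are assumptions."""
    if len(ident) < 16 or not ident.isalpha():
        return False
    upper = sum(c.isupper() for c in ident) / len(ident)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(ident, ident[1:]))
    return 0.3 <= upper <= 0.7 and flips >= 8


def scan_page(html: str) -> Dict[str, object]:
    """Return the script-block count, the blocks carrying random-looking
    identifiers and a verdict; several such blocks on one page matches the
    injection pattern described for JS_DLOADR.ALP."""
    blocks: List[str] = SCRIPT_RE.findall(html)
    flagged = []
    for index, body in enumerate(blocks):
        names = sorted({n for n in IDENT_RE.findall(body) if looks_random(n)})
        if names:
            flagged.append({"block": index, "identifiers": names})
    return {
        "script_blocks": len(blocks),
        "flagged": flagged,
        "verdict": "suspicious" if flagged else "clean",
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML))
```

Run against a saved copy of a page (for example one fetched by a crawler for a site under your care); a hit should be followed by a look at the actual block contents, since the heuristic only scores naming, not behaviour.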

The user is then redirected through a series of websites that check referrers to avoid detection and subsequent removal. The infection chain ends when the user is finally redirected to an exploit-laden landing page.

The final pages in the infection chain, Costoya also reported, are part of a Web exploit toolkit called Yes Exploit System, which includes .PDF and .SWF exploits, detected as TROJ_PDFEX.J and TROJ_SWFLDR.AB, respectively.

Both the .PDF and .SWF files lead to a binary payload that looks like a new kind of information stealer, detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. The gathered information is then sent to a remote user via HTTP POST.

Note that, as of this writing, the binary payload retrieved from the attack is this spyware. Other payloads are likely to be used in future attacks.

Fortunately, Trend Micro Smart Protection Network blocks all malicious sites and detects all related malware. Thus, users need not worry about being infected.

Information on the vulnerabilities exploited in this attack can be found on the following pages:

Users are also strongly advised to update their software in order to avoid being affected by this attack.
