Barely recovering from the flurry of analysis surrounding the weekend compromise, Trend Micro researchers from Taiwan have yet again discovered a new attack.
The nature of the affected sites is quite diverse, although a large share belongs to the Asia Pacific region. Hackers have apparently conducted another massive SQL injection attack, causing well over 160,000 Web sites to contain a particular malicious script.
Figure 1. Trend Micro product in action, blocking access to sites containing this script.
Trend Micro detects the script as HTML_IFRAME.NG. When unsuspecting users visit one of these infected pages, they are redirected to any of three URLs containing various exploits. The scripts found in these URLs are detected by Trend Micro as the following:
- JS_REALPLR.CB, which exploits the import method vulnerability in a RealPlayer ActiveX control, causing a stack buffer overflow
- JS_REALPLR.CD, which exploits an improper memory management issue in an ActiveX control, also in RealPlayer
- HTML_AGENT.APAY, which downloads another script, JS_DLOADER.JYT
JS_DLOADER.JYT, in turn, exploits the MS Data Access Components (MDAC) vulnerability (as described in Microsoft Security Bulletin MS06-014).
JS_REALPLR.CB, JS_REALPLR.CD, and JS_DLOADER.JYT all access a URL in the same domain, which downloads 1.exe onto the infected PC. Trend Micro detects 1.exe as TSPY_LINEAGE.PJ (update: the file is now detected as TROJ_AGENT.WPA as of this writing).
The attack algorithm is illustrated below:
Figure 2. Attack algorithm
Users are bound to be infected by the aforementioned malware if their browsers allow automatic execution of ActiveX controls. Because users are viewing legitimate sites, it is highly likely that even when browsers are configured to prompt before running ActiveX controls or downloading scripts, users will still agree to download the offered file.
Only a strong Web Threat Protection suite breaks the infection chain at various points of the attack. This becomes incredibly important considering that the final payload, 1.exe, appears to change with every download. If users are prevented from accessing the URLs to which the initial script redirects in the first place, they are effectively protected from whatever threat the final payload may bring.
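The earliest point at which a site owner can break this chain is the injected tag itself. As an added example (not code from the TrendLabs post), the Python scanner below walks a served page and flags every `<script>` or `<iframe>` whose source host is outside the site's own allowlist, noting hidden framing; the allowlist, sample page and redirector domain are constructed placeholders, not the domains from the real attack.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately embeds scripts/frames from (hypothetical allowlist).
FIRST_PARTY_HOSTS = {"www.example-site.test", "static.example-site.test"}

# Constructed sample of a served page carrying an injected hidden iframe; the
# redirector host is a placeholder, not the domain used in the real attack.
SAMPLE_PAGE = """<html><head>
<script src="http://static.example-site.test/menu.js"></script>
</head><body>
<h1>Company news</h1>
<iframe src="http://malicious-redirector.invalid/r.htm" width=0 height=0></iframe>
<script src="/local/analytics.js"></script>
</body></html>"""

def _is_hidden(attrs):
    """Zero-size or display:none framing is a common trait of injected iframes."""
    style = attrs.get("style", "").replace(" ", "").lower()
    sizes = {attrs.get("width", "").strip(), attrs.get("height", "").strip()}
    return "display:none" in style or bool(sizes & {"0", "1"})

class InjectedTagFinder(HTMLParser):
    """Collects <script src> / <iframe src> tags pointing at non-allowlisted hosts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if host is None:            # no src, or a relative same-origin URL
            return
        if host.lower() not in self.allowed:
            self.findings.append({"tag": tag, "host": host, "src": a["src"],
                                  "hidden": tag == "iframe" and _is_hidden(a)})

def find_injected_tags(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return every external script/iframe reference not on the allowlist."""
    p = InjectedTagFinder(allowed_hosts)
    p.feed(html)
    p.close()
    return p.findings
```

Run over a crawl of your own site's stored pages (or the database fields the pages are rendered from), each non-empty result is a page to quarantine and a row to trace back to the injection.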
Note: Our regional partners are now trying to reach the appropriate CERTs of the affected sites. We have also blocked all related malicious domains and detected all malicious files.
Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.