More Than 300,000 Additional Websites Compromised, Targeting Chinese Users
The series of mass compromises continues. According to Trend Micro, just a week after half a million websites were compromised, another mass web SQL injection has hit further websites in the Chinese language. This malicious activity deliberately targets users in China, Taiwan, Singapore, and Hong Kong. Google search results currently show around 300,000 pages that contain the injected malicious JavaScript code, among them, as usual, many government and educational sites.
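The campaign described above leaves a recognisable trace: a script or iframe reference to an external host appended to page content or to the database text fields the pages are rendered from. The following scanner is an added example written for this article, not code from Trend Micro or from the original post; it flags external script/iframe references whose host is not on a site's own allowlist and notes whether an iframe is hidden (zero-size or display:none). All hostnames, the allowlist, the sample page and the sample database rows are constructed for the example, and the `.example` domains stand in for the masked URLs in the article.

```python
"""Detect injected external <script>/<iframe> references in page content or DB rows."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts a site legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"www.example.gov.tw", "cdn.example.gov.tw"}


class _RefCollector(HTMLParser):
    """Collect the src attribute (and other attributes) of every script and iframe tag."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.refs.append((tag, a["src"], a))


def _is_hidden(attrs):
    """True if the element is styled invisible or sized 0/1 pixels, a common iframe-injection trait."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs.get(k) for k in ("width", "height") if attrs.get(k) is not None]
    return bool(dims) and all(d.strip() in ("0", "1") for d in dims)


def find_injected_refs(html, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for script/iframe tags that load from hosts outside the allowlist.

    Relative URLs (no host) are treated as first-party and skipped; protocol-relative
    URLs such as //host/x.js are resolved to their host and checked like absolute ones.
    """
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.refs:
        host = urlparse(src.strip()).hostname  # None for relative URLs
        if host is None or host.lower() in allowed_hosts:
            continue
        findings.append({"tag": tag, "src": src, "host": host, "hidden": _is_hidden(attrs)})
    return findings


def scan_rows(rows, allowed_hosts=ALLOWED_HOSTS):
    """Scan (table, column, primary_key, text) rows, e.g. exported from the site's database,
    since a mass SQL injection appends the payload to stored text rather than to files."""
    out = []
    for table, column, pk, value in rows:
        for f in find_injected_refs(value or "", allowed_hosts):
            out.append({"table": table, "column": column, "id": pk, **f})
    return out


# Constructed sample page: one legitimate CDN script, one injected script, one hidden iframe.
SAMPLE_PAGE = """<html><head><title>Notice</title>
<script src="http://cdn.example.gov.tw/site.js"></script>
</head><body><p>Announcements</p>
<script src="http://s.attacker.example/s.js"></script>
<iframe src="http://attacker.example/real.htm" width="0" height="0"></iframe>
</body></html>"""

# Constructed sample database export: the second row carries an appended payload.
SAMPLE_ROWS = [
    ("news", "body", 1, "<p>Welcome</p>"),
    ("news", "body", 2, '<p>Opening hours</p><script src="http://s.attacker.example/s.js"></script>'),
]

if __name__ == "__main__":
    for f in find_injected_refs(SAMPLE_PAGE):
        print("page:", f)
    for f in scan_rows(SAMPLE_ROWS):
        print("db:", f)
```

Run against a crawl of rendered pages or against a dump of the text columns the site renders; the row-level scan is what points you at the exact record to clean, and the allowlist keeps legitimate third-party scripts from being reported.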
Screenshot from Google (do not visit those sites):
Users visiting any of the compromised sites would have a malicious script installed on their system. The script, detected as JS_IFRAME.AC, may be downloaded from the remote site http://s.****.us/s.js.
JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to insert further scripts into web pages. JS_IFRAME.AD performs the following exploit routines:
1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shellcode to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow (Chinese-language software)
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer (Chinese-language software)
These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:
http://********.cn/real11.htm – detected as JS_REALPLAY.AT
http://********.cn/real.htm – detected as JS_REALPLAY.CE
http://********.cn/lz.htm – detected as JS_DLOADER.AP
http://********.cn/bfyy.htm – detected as JS_DLOADER.GXS
http://********.cn/14.htm – detected as JS_DLOADER.UOW
Additional detected scripts downloaded by JS_IFRAME.AD are VBS_PSYME.CSZ, JS_VEEMYFULL.AA, JS_LIANZONG.E, JS_SENGLOT.D.
These four scripts, in turn, download and execute http://******.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
The research was conducted by Senior Threat Analyst Aries Hsieh, a team of researchers from Trend Micro and consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.
Trend Micro is trying to reach Taiwan CERT to inform them of this mass compromise.