New malware spreading through compromised sites
Early this morning, Sanjoy wrote in that the airindia.com website contained a script tag linking to a malicious JavaScript file hosted on a Chinese web server. We were able to confirm this and contacted Air India to inform them their site had likely been compromised. At this point in time, the site is clean again.
Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection in forms as well as ways that look very much like web server compromise to us.
If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We removed the actual domain so as not to link directly to the actual malware.
[xxx] .cn/images/163.js
[xxx] .cn/images/sina.htm
The file downloaded upon successful execution is called 'install.exe' and has an md5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software seems to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning.
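As an added example (not part of the original diary, and not ISC's own tooling), the following script turns the indicators above into three checks: a proxy log scan for fetches of the two files from a .cn host, a scan of saved HTML for an injected script tag pointing at them, and an md5 comparison against the reported hash of install.exe. It assumes Squid's native access.log layout; the sample log lines and the hostname placeholder-host.example.cn are constructed, since the diary withholds the real domain.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the diary: the two paths on the .cn server and the
# md5 of the dropped 'install.exe'. The hostname was withheld, so only the
# .cn TLD and the path are matched.
INDICATOR_PATHS = ("/images/163.js", "/images/sina.htm")
INSTALL_EXE_MD5 = "f9fc3189d619462f6c939bfbf36c90ab"

# Assumed Squid native access.log layout:
# timestamp elapsed client action/status bytes method url user hierarchy type
_SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

_SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def is_indicator_url(url):
    """True if the URL points at one of the two files on a .cn host."""
    if url.startswith("//"):          # protocol-relative src in a script tag
        url = "http:" + url
    elif "://" not in url:            # bare host/path
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.endswith(".cn") and parts.path.lower() in INDICATOR_PATHS


def scan_proxy_log(lines):
    """Return (client_ip, url) for every log line that fetched an indicator."""
    hits = []
    for line in lines:
        m = _SQUID_LINE.match(line)
        if m and is_indicator_url(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits


def find_injected_scripts(html):
    """Return the src of every script tag in a page that loads an indicator."""
    return [src for src in _SCRIPT_SRC.findall(html) if is_indicator_url(src)]


def matches_install_exe(data):
    """True if the bytes carry the md5 the diary reports for install.exe."""
    return hashlib.md5(data).hexdigest() == INSTALL_EXE_MD5


# Constructed sample data (not real traffic); the .cn hostname is a placeholder.
SAMPLE_LOG = [
    "1173500001.123    210 10.0.0.15 TCP_MISS/200 4120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html",
    "1173500002.456     98 10.0.0.15 TCP_MISS/200 2310 GET http://placeholder-host.example.cn/images/163.js - DIRECT/203.0.113.20 application/x-javascript",
    "1173500003.789    120 10.0.0.22 TCP_MISS/200 1190 GET http://placeholder-host.example.cn/images/sina.htm - DIRECT/203.0.113.20 text/html",
    # same path on a non-.cn host: not flagged, which keeps noise down
    "1173500004.000     50 10.0.0.31 TCP_HIT/200 800 GET http://cdn.example.net/images/163.js - NONE/- application/x-javascript",
]

SAMPLE_HTML = (
    '<html><body><p>page content</p>'
    '<script src="http://placeholder-host.example.cn/images/163.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"indicator fetch from {client}: {url}")
    for src in find_injected_scripts(SAMPLE_HTML):
        print(f"injected script tag loading {src}")
```

Feed `scan_proxy_log` the lines of a real access.log and any hit gives the client IP to pull for the three dropped files; `find_injected_scripts` over your own site's pages tells you whether you are one of the hosts serving the tag.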
Currently, VirusTotal shows successful detection by:
Vendor | Engine version | Signature date | Detection name
AntiVir | 7.3.1.41 | 03.09.2007 | TR/Crypt.FKM.Gen
CAT-QuickHeal | 9.00 | 03.10.2007 | (Suspicious) - DNAScan
eSafe | 7.0.14.0 | 03.08.2007 | Suspicious Trojan/Worm
Kaspersky | 4.0.2.24 | 03.10.2007 | Trojan-PSW.Win32.WOW.pu
Sunbelt | 2.2.907.0 | 03.10.2007 | VIPRE.Suspicious
Symantec | 10 | 03.10.2007 | Infostealer.Wowcraft
VBA32 | 3.11.2 | 03.10.2007 | suspected of Downloader.Dadobra.10 (paranoid heuristics)
F-Secure, Fortinet and Sophos confirmed to us by e-mail they would be adding detection shortly.
We're very interested in hearing more about this from you. If you notice the existence of this link on one of your sites and can provide us with more information on how the compromise occurred in your instance, please let us know. This type of information could prove very helpful to other victims.
Using Google's cache we came to the conclusion this script was inserted in at least some pages on web sites in the following domains for a while:
- airindia.com
- acmt.net
- fireworks.com
- fci.org
- pbonline.com
- postbulletin.com
- post-bulletin.com
- k-1usa.net
- scsusports.com
- stariq.com
- erskinecollegesports.com
- installshield.com
- roundballclassic.com
- onebrick.org
- whozontop.com
- dove.org
- cvac.net
- honestreporting.com
- totallydrivers.com
- irinnews.org
- ...
We contacted all those still sporting the bad link to the exploit earlier today. We're also asking those sites to verify how they got compromised and to share the results of that as far as possible so we can help others find and close the entry vector.
--
Maarten Van Horenbeeck