SANS ISC: InfoSec Handlers Diary Blog

New malware spreading through compromised sites

Published: 2007-03-10
Last Updated: 2007-03-10 18:31:05 UTC
by Maarten Van Horenbeeck (Version: 4)

Early this morning, Sanjoy wrote in that the airindia.com website contained a script tag linking to a malicious JavaScript file hosted on a Chinese web server. We were able to confirm this and contacted Air India to inform them that their site had likely been compromised. At this point in time, the site is clean again.

Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection via web forms and through what looks very much to us like outright web server compromise.

If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We have removed the actual domain so as not to link directly to the malware.

[xxx] .cn/images/163.js
[xxx] .cn/images/sina.htm

The file downloaded upon successful execution is called 'install.exe' and has an MD5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software appears to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning.

Currently, VirusTotal shows successful detection by the following engines (engine, version, signature date, detection name):

AntiVir 7.3.1.41 03.09.2007 TR/Crypt.FKM.Gen
CAT-QuickHeal 9.00 03.10.2007 (Suspicious) - DNAScan
eSafe 7.0.14.0 03.08.2007 Suspicious Trojan/Worm
Kaspersky 4.0.2.24 03.10.2007 Trojan-PSW.Win32.WOW.pu
Sunbelt 2.2.907.0 03.10.2007 VIPRE.Suspicious
Symantec 10 03.10.2007 Infostealer.Wowcraft
VBA32 3.11.2 03.10.2007 suspected of Downloader.Dadobra.10 (paranoid heuristics)

F-Secure, Fortinet and Sophos confirmed to us by e-mail they would be adding detection shortly.

We're very interested in hearing more about this from you. If you notice the existence of this link on one of your sites and can provide us with more information on how the compromise occurred in your instance, please let us know. This type of information could prove very helpful to other victims.

Using Google's cache, we came to the conclusion that this script was, for a while, inserted in at least some pages on web sites in the following domains:
  • airindia.com
  • acmt.net
  • fireworks.com
  • fci.org
  • pbonline.com
  • postbulletin.com
  • post-bulletin.com
  • k-1usa.net
  • scsusports.com
  • stariq.com
  • erskinecollegesports.com
  • installshield.com
  • roundballclassic.com
  • onebrick.org
  • whozontop.com
  • dove.org
  • cvac.net
  • honestreporting.com
  • totallydrivers.com
  • irinnews.org
  • ...
Note that in all likelihood all of those sites are victims. The main purpose of listing them is to allow administrators to check whether their users visited them, and to make it clear that users cannot protect themselves from this by changing their surfing habits. Certainly not all, if any, of those sites qualify as dark alleys of the Internet; some would easily fit in a "proper for business use" category.
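The diary asks administrators to check proxy logs both for requests to the two malicious files and for visits to the listed victim domains. The script below is an added example (not from the diary or from SANS ISC) that does both over Squid-format access log lines; the log format, the sample lines and the host name "xxx.cn" standing in for the redacted malware domain are all assumptions, and matching of the malicious files is done on the path alone because the diary does not give the host. It also checks a file's MD5 against the published install.exe hash.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Paths of the two malicious files named in the diary. The hosting domain was
# redacted there, so matching is done on the path only.
MALICIOUS_PATHS = ("/images/163.js", "/images/sina.htm")

# MD5 of the dropped 'install.exe', as published in the diary.
INSTALL_EXE_MD5 = "f9fc3189d619462f6c939bfbf36c90ab"

# Domains the diary lists as having carried the injected script tag.
COMPROMISED_DOMAINS = {
    "airindia.com", "acmt.net", "fireworks.com", "fci.org", "pbonline.com",
    "postbulletin.com", "post-bulletin.com", "k-1usa.net", "scsusports.com",
    "stariq.com", "erskinecollegesports.com", "installshield.com",
    "roundballclassic.com", "onebrick.org", "whozontop.com", "dove.org",
    "cvac.net", "honestreporting.com", "totallydrivers.com", "irinnews.org",
}

# Assumed Squid native access.log layout:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_request(url):
    """Return 'malware' for a request to one of the two malicious files,
    'compromised-site' for a request to a listed victim domain (or any of its
    subdomains, e.g. www.airindia.com), and None otherwise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path.endswith(MALICIOUS_PATHS):
        return "malware"
    for dom in COMPROMISED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "compromised-site"
    return None


def scan_proxy_log(lines):
    """Return a list of (client, url, category) for every matching request.
    Lines that do not parse as Squid entries are skipped."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        category = classify_request(m.group("url"))
        if category:
            hits.append((m.group("client"), m.group("url"), category))
    return hits


def md5_matches_install_exe(data):
    """True if the given bytes hash to the MD5 published for install.exe."""
    return hashlib.md5(data).hexdigest() == INSTALL_EXE_MD5


# Constructed sample log lines (not real traffic); "xxx.cn" is a placeholder
# for the redacted malware host.
SAMPLE_LOG = [
    "1173520000.123   340 10.0.0.15 TCP_MISS/200 1450 GET http://www.airindia.com/ - DIRECT/1.2.3.4 text/html",
    "1173520001.456   120 10.0.0.15 TCP_MISS/200 2300 GET http://xxx.cn/images/163.js - DIRECT/5.6.7.8 application/x-javascript",
    "1173520002.789    90 10.0.0.15 TCP_MISS/200 1800 GET http://xxx.cn/images/sina.htm - DIRECT/5.6.7.8 text/html",
    "1173520003.000    60 10.0.0.22 TCP_HIT/200 5000 GET http://www.example.com/index.html - NONE/- text/html",
    "this is not a squid line",
]

if __name__ == "__main__":
    # A client that fetched 163.js or sina.htm right after visiting a listed
    # domain is the pattern worth triaging first.
    for client, url, category in scan_proxy_log(SAMPLE_LOG):
        print(f"{category:16s} {client:12s} {url}")
```

A visit to one of the listed domains is not by itself evidence of infection; the request for 163.js or sina.htm from the same client shortly afterwards is the indicator to act on, and an MD5 match on a recovered install.exe confirms it.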

Earlier today we contacted all of those sites still carrying the bad link to the exploit. We're also asking those sites to verify how they got compromised and to share the results as far as possible, so we can help others find and close the entry vector.

--
Maarten Van Horenbeeck
