Last Updated: 2007-04-07 17:48:47 UTC
by Swa Frantzen (Version: 2)
Over the past few days a handful of readers sent us notes that asus.com was compromised. Unfortunately we could not find anything wrong in the HTML at all.
Today the Kaspersky blog had an entry about an ANI exploit loaded via an iframe at asus.com.
So we fetched a new copy, and still nothing was to be seen, until Johannes suggested asus.com might be load balanced. Indeed it is, using DNS load balancing:
$ dig asus.com a
; <<>> DiG 9.2.3 <<>> asus.com a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;asus.com. IN A
;; ANSWER SECTION:
asus.com. 14400 IN A 18.104.22.168
asus.com. 14400 IN A 22.214.171.124
;; AUTHORITY SECTION:
asus.com. 14400 IN NS dns3.asus.com.
asus.com. 14400 IN NS dns7.asus.com.
;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 6 23:33:01 2007
;; MSG SIZE rcvd: 96
Fetching a copy of the home page from each of the two servers and comparing the resulting pages yields:
(line breaks added to make the page easier to read)
$ diff index.html index.html.1
That file gives the following over at VirusTotal:
Authentium     4.93.8   20070406   Possibly a new variant of W32/PWStealer.gen1
CAT-QuickHeal  9.00     20070406   (Suspicious) - DNAScan
Date scanned: 04/07/2007 00:09:16 (CET)
A password stealer, it seems; same old goal.
I've not seen an ANI exploit in there right now, but we could easily be looking at something that is dynamic in some other way as well.
It seems ASUS did take down the hacked server in the meantime.
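The check described above, resolving every address behind the name, fetching the home page from each backend separately and diffing the copies, is worth automating, since a single fetch only ever sees whichever server the load balancer hands you. The script below is an added example written for this diary, not code from the original post or from ASUS; the site name example.com, the IP addresses in 192.0.2.0/24 and the two sample pages are constructed, and the choice of baseline (the copy with the fewest off-site iframes) is an assumption of the example, not a rule from the diary.

```python
import difflib
import hashlib
import socket
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


def resolve_all(hostname: str) -> List[str]:
    """Return every IPv4 address the name currently resolves to; with DNS
    load balancing each address may be a different physical server."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_by_ip(ip: str, hostname: str, timeout: float = 10.0) -> str:
    """Fetch the home page from one specific backend. Setting the Host header
    makes the server serve the named virtual host instead of a default page."""
    req = urllib.request.Request("http://%s/" % ip, headers={"Host": hostname})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def foreign_iframes(html: str, site_host: str) -> List[str]:
    """Return iframe sources pointing to a host other than the site itself or
    its subdomains. Relative sources have no host and are not flagged."""
    collector = _IframeCollector()
    collector.feed(html)
    suspect = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            suspect.append(src)
    return suspect


def compare_backends(copies: Dict[str, str], site_host: str) -> dict:
    """Given {ip: html}, group backends by content hash, pick a baseline copy
    and report every backend whose copy differs, with a unified diff and the
    off-site iframes found in it."""
    by_hash: Dict[str, List[str]] = {}
    for ip, body in copies.items():
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        by_hash.setdefault(digest, []).append(ip)

    # Baseline heuristic (an assumption of this example): the copy with the
    # fewest off-site iframes is the legitimate one; ties go to the copy
    # served by the most backends.
    def rank(digest: str):
        sample = copies[by_hash[digest][0]]
        return (len(foreign_iframes(sample, site_host)), -len(by_hash[digest]))

    baseline = min(by_hash, key=rank)
    base_ip = by_hash[baseline][0]
    report = {"baseline": sorted(by_hash[baseline]), "divergent": {}}
    for digest, ips in by_hash.items():
        if digest == baseline:
            continue
        for ip in ips:
            diff = list(difflib.unified_diff(
                copies[base_ip].splitlines(), copies[ip].splitlines(),
                fromfile=base_ip, tofile=ip, lineterm=""))
            report["divergent"][ip] = {
                "diff": diff,
                "foreign_iframes": foreign_iframes(copies[ip], site_host),
            }
    return report


# Constructed sample: two backends of a fictional site, one serving a copy
# with an injected hidden iframe. Not real asus.com content.
CLEAN_PAGE = "<html>\n<body>\n<h1>Welcome</h1>\n</body>\n</html>\n"
HACKED_PAGE = ("<html>\n<body>\n<h1>Welcome</h1>\n"
               '<iframe src="http://injected.invalid/x.html" width="0" height="0">'
               "</iframe>\n</body>\n</html>\n")
SAMPLE_COPIES = {"192.0.2.10": CLEAN_PAGE, "192.0.2.20": HACKED_PAGE}


def check_site(hostname: str) -> dict:
    """Live version: resolve all backends, fetch each by IP, compare.
    Fetch failures are recorded per backend rather than aborting the run."""
    copies: Dict[str, str] = {}
    errors: Dict[str, str] = {}
    for ip in resolve_all(hostname):
        try:
            copies[ip] = fetch_by_ip(ip, hostname)
        except Exception as exc:  # record and move on to the next backend
            errors[ip] = str(exc)
    report = compare_backends(copies, hostname) if copies else {"baseline": [], "divergent": {}}
    report["errors"] = errors
    return report


if __name__ == "__main__":
    offline = compare_backends(SAMPLE_COPIES, "example.com")
    for ip, info in offline["divergent"].items():
        print("backend %s differs; off-site iframes: %s" % (ip, info["foreign_iframes"]))
        print("\n".join(info["diff"]))
```

Run it as-is to see the offline comparison of the two constructed pages; call check_site("yourhost") for a live check. Because the diary notes the injected content may be dynamic, run the live check several times and keep the fetched copies: a backend that only sometimes serves the iframe will show up as divergent in some runs and not others.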
Off to warn them once again...
Swa Frantzen -- NET2S