Gone are the days when you actually had to convince someone to open your malicious e-mail attachment to get malicious software installed. Now all it takes is browsing a compromised web site and you can become a victim in a matter of seconds. This post will dissect the home page of such a web site and explain the different ways that bad guys are trying to install their malicious software onto your computer.
I was alerted to this compromised web site when our anti-virus console sent me an e-mail because it blocked a trojan on a user’s machine. This e-mail also included the URL of the compromised web site. The trojan is known as JS/Obfuscated by McAfee or JS.Obfuscated.Gen by BitDefender. What the anti-virus actually detects is the way the author has obfuscated the code on the web page. According to VirusTotal, this web page was only flagged by 12.83% of 39 different AV engines. I can only hope that the engines that did not catch the compromised web page will catch whatever it downloads onto the user’s computer before it causes real damage.
Here is a quick summary of how the infection works:
- The web site is somehow compromised and its web page(s) modified to inject an iFrame into each page on the site.
- The iFrame loads code from a remote site. That code is executed and tries multiple attack vectors in order to write to your hard drive. If one of those vulnerabilities works, a payload is downloaded and executed on your computer.
And voila! You have been p0wned.
Dissecting the attack
The malicious code is tacked on at the bottom of the web page, in two <script></script> blocks. It is obfuscated by having a bunch of gibberish assigned to variables. There is actually a bit of code visible in that gibberish, just enough to remove the obfuscation, which is rather simple. The Malzilla tool makes it easy to see the decoded code. The first block reveals how the rest will be de-obfuscated: there are four blocks of code that are de-obfuscated by doing string substitution. Here are some of the strings that are replaced.
- Replace aHM with a % character
- Replace Zm with the D character
- Replace ouG with a % character
- Replace tr4 with a 3 character
- Replace %P5 with a 2 character
- and there are more such substitutions
All of those strings are then unescaped, and passed to the eval() function to be executed. That’s where the real action is.
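The de-obfuscation step above, re-implemented as an added analysis helper (this is not the script from the compromised page, and not the author's code). It applies the substitution table the post lists, runs unescape(), and then returns the decoded source instead of passing it to eval(), so an analyst can read what the script would have run. The order in which the real script applies the substitutions and the obfuscated sample string are both assumptions constructed for this example.

```javascript
// Substitution table as listed in the post. The order is an assumption: the
// real script's ordering was not preserved here.
const SUBSTITUTIONS = [
  ["aHM", "%"],
  ["Zm", "D"],
  ["ouG", "%"],
  ["tr4", "3"],
  ["%P5", "2"],
];

// Apply every substitution globally, in table order. split/join is used so the
// table entries are treated as literal text, not as regular expressions.
function applySubstitutions(text, table = SUBSTITUTIONS) {
  return table.reduce((s, [from, to]) => s.split(from).join(to), text);
}

// The real script does unescape(...) followed by eval(...). For analysis we
// stop after unescape and return the decoded source rather than executing it.
function deobfuscate(text) {
  return unescape(applySubstitutions(text));
}

// Quick triage of the decoded source: which DOM/iframe operations that the
// post describes as markers of this injection appear in it?
function suspiciousCalls(decoded) {
  const markers = ["createElement", "iframe", "appendChild", "eval(", "unescape("];
  const lower = decoded.toLowerCase();
  return markers.filter((m) => lower.includes(m.toLowerCase()));
}

// Constructed sample (not from the compromised page): it encodes
//   var f=document.createElement('iframe');f.width=1;f.height=1;
// using the table above.
const SAMPLE =
  "var faHMtr4Zmdocument.createElement(aHM%P57iframeaHM%P57)" +
  "ouGtr4Bf.widthouGtr4Zm1ouGtr4Bf.heightaHMtr4Zm1ouGtr4B";

const decoded = deobfuscate(SAMPLE);
console.log(decoded);
console.log("markers found:", suspiciousCalls(decoded).join(", "));
```

Stopping before eval() is the whole point: the same substitutions that make the code readable to the browser make it readable to you, and nothing in the decoded text is executed.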
- The first block inserts a <BODY> </BODY> and a <DIV> tag into the web page if it finds that the body is empty.
- The second block gets a pointer to that DIV and saves it to a variable. It also creates an iFrame element, sets it to a size of 1×1 and sets the source to point to a malicious web site (store16 dot looneytoons dot cc). Doing a whois on that site reveals that it is a legitimate site registered by Warner Brothers. Although there is a web server there, it does not return anything as of right now.
- Finally, the third block sets the iFrame to hidden, gives it an id and appends it to the DIV created in the first block of code.
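The three blocks above produce a concealed 1×1 iFrame that loads another host. As an added example (not the page's code, and not the author's), here is a small sweep over saved page markup that flags iFrames matching that pattern: tiny or hidden, and pointing off-site. The sample HTML, host names and the page host are all constructed for this example; the detection rules are the ones the post describes.

```javascript
// Constructed sample markup (not the compromised page): one ordinary embedded
// frame and one injected 1x1 hidden frame of the kind the post describes.
const SAMPLE_HTML = `
<html><body><div id="content">
<p>Welcome to our site</p>
<iframe src="https://cdn.example.com/video" width="400" height="300"></iframe>
</div>
<script>var a="gibberish";</script>
<div><iframe id="x1" src="http://ads.example.net/loader" width="1" height="1" style="visibility:hidden"></iframe></div>
</body></html>`;

// Minimal tag/attribute extraction, enough for a detection sweep over static
// markup. A rendered DOM would be checked with the same rules.
function iframeTags(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    return attrs;
  });
}

// Score one frame against the injection pattern: concealed (1x1 or styled
// hidden) AND loading content from a host other than the page's own.
function iframeVerdict(attrs, pageHost) {
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  const reasons = [];
  if (w <= 1 || h <= 1) reasons.push("tiny");
  if (/visibility:hidden|display:none/.test(style)) reasons.push("hidden");
  let offsite = false;
  try {
    // Relative sources resolve against the page host and are not off-site.
    offsite = new URL(attrs.src || "", `https://${pageHost}/`).hostname !== pageHost;
  } catch {
    offsite = true; // unparseable src: treat as untrusted
  }
  if (offsite) reasons.push("off-site");
  const concealed = reasons.includes("tiny") || reasons.includes("hidden");
  return { src: attrs.src || "", reasons, suspicious: offsite && concealed };
}

// Return only the frames that match the pattern, with the reasons why.
function scanForInjectedIframes(html, pageHost) {
  return iframeTags(html)
    .map((attrs) => iframeVerdict(attrs, pageHost))
    .filter((v) => v.suspicious);
}

for (const hit of scanForInjectedIframes(SAMPLE_HTML, "www.example.org")) {
  console.log(`suspicious iframe -> ${hit.src} (${hit.reasons.join(", ")})`);
}
```

The ordinary 400×300 frame is off-site but not concealed, so it is not reported; a frame only gets flagged when it is both hidden (or 1×1) and loads another host, which is exactly what the three script blocks build.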
The code loaded into the iFrame tries the following vulnerabilities, one after the other:
- Flash ActiveX, if the version is less than 9.0.124
- Adobe Reader
- Microsoft Office Snapshot Viewer ActiveX exploit (MS08-041 will protect you)
- AOL SB.SuperBuddy ActiveX control, found in AOL Client Software 9.0 Security
- Microsoft DirectAnimation ActiveX (MS06-067 will protect you)
- An oldie but goodie, Microsoft DDS Library Shape Control, which was part of Visual Studio 2002 (MS05-052 will protect you)
- Windows Shell Remote Code Execution Vulnerability (MS06-057 will protect you)
Bottom line, if you are up to date on patches, you will not have problems. The trick is to update not only Windows, but all the software you have on your computer. That is not so easy, as most people do not really know what they have actually installed over time. The best thing you can do is to visit Secunia Software Scanning and use their scanner. It will tell you all the software you have installed that requires updates. If you actually download and install their software, it will keep track of what you have and let you know when there are new updates.