At the time this article was written, over a hundred hijacked sites had been found injected with malicious links and were still actively hosting the trojan. The infected sites included school websites and local community club websites.
Information from McAfee on the attack:
When browsing upon these sites (hijacked site #1), the victim is hyperlinked to another hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.
During research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the origin of the hyperlinked references does not come from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites. If the references are not coming from any of these domains, it starts sending a cocktail of exploits including:
* Exploit-MSDirectShow.b (0-day)
* Exploit-XMLhttp.d
* Exploit-RealPlay.a
* JS/Exploit-BBar
* Exploit-MS06-014
Each of these exploits targets a different application that could be vulnerable - Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar, that can be accessed via the Internet Explorer browser.
From past investigation, this toolkit had been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.
When successful, the attackers install a downloader trojan which could download other malware.
This 0-day vulnerability has been verified to affect at least the Windows XP system with Internet Explorer (IE) 6.x and 7.x. However, on IE7 which is default on Windows Vista systems, risky ActiveX objects are blocked by default which may mitigate this 0-day attack. Users should ensure that their systems are always kept up-to-date against the older exploits.
The 0-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (Mar 28th, 2009).
This article reminds us of two important security features we need to make sure our proxies are running. The first and obvious one is anti-malware and anti-virus scanning of browsed web pages. The second is the blocking of embedded and linked URLs. The second feature alone should have been enough to prevent this attack from affecting an organization that uses a proxy for web security.
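The second proxy feature described above, blocking embedded and linked URLs, is easy to reason about with a small worked example. The following Python script is an added illustration written for this post; it is not code from the original article or from McAfee, and it does not describe any real proxy product. It parses an HTML page the proxy has fetched, collects every resource reference that would pull content from another host (iframe, frame, script, object, embed), flags references that are cross-origin or visually hidden (zero-size or `display:none`, the usual shape of an injected redirect), and returns a block/allow verdict. The page URL, the hostnames (`school.example`, `relay.example`, `cdn.example`) and the sample HTML are all constructed for the example; a real deployment would replace the allow list and verdict policy with the organization's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attribute on each that loads content from another URL.
EMBED_ATTRS = {
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class EmbedCollector(HTMLParser):
    """Collects every embedded / linked resource reference found on a page."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url, attrs-dict)

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_ATTRS:
            return
        attrs = dict(attrs)
        for name in EMBED_ATTRS[tag]:
            url = attrs.get(name)
            if url:
                self.refs.append((tag, url, attrs))


def _is_hidden(attrs):
    """True if the element is sized to zero or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (
        attrs.get("width") in ("0", "1")
        or attrs.get("height") in ("0", "1")
        or "display:none" in style
        or "visibility:hidden" in style
    )


def audit_page(page_url, html, allowed_hosts=()):
    """Return findings for cross-origin or hidden embeds on a fetched page.

    allowed_hosts: hostnames the organization trusts (e.g. its own CDN),
    which are never reported. Same-origin, visible references are ignored.
    """
    page_host = urlparse(page_url).hostname
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.refs:
        host = urlparse(url).hostname  # None for relative URLs
        if host in allowed_hosts:
            continue
        cross_origin = host is not None and host != page_host
        hidden = _is_hidden(attrs)
        if cross_origin or hidden:
            findings.append(
                {"tag": tag, "url": url, "cross_origin": cross_origin, "hidden": hidden}
            )
    return findings


def proxy_verdict(findings):
    """Block the page if any embed is hidden, or loads a cross-origin
    frame/object; a visible cross-origin script alone is only reported."""
    for f in findings:
        if f["hidden"] or (f["cross_origin"] and f["tag"] != "script"):
            return "block"
    return "allow"


# Constructed sample: a school page with an injected, hidden iframe that
# points at a second host (the "proxy" hop described in the article).
SAMPLE_PAGE_URL = "http://school.example/news.html"
SAMPLE_HTML = """<html><head><title>School news</title>
<script src="/js/menu.js"></script>
<script src="http://cdn.example/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://relay.example/go.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    findings = audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML, allowed_hosts=("cdn.example",))
    for f in findings:
        print(f)
    print("verdict:", proxy_verdict(findings))
```

Run as a script, the sample page is blocked because of the hidden cross-origin iframe; the same-origin menu script and the allow-listed CDN script are not reported. The check only covers what a proxy can see in the HTML it has already fetched; it is a complement to, not a replacement for, the anti-malware scanning named as the first feature.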