08 January 2008, 19:06

Massive embedded exploit web site attack underway [update]

Literally thousands of web pages have been infected with references to malicious code that is hosted on two Chinese-registered domains, one of which was only registered on 28 December 2007. Many of these pages now use security holes in Internet Explorer and RealPlayer to infect their visitors with malware.

Google searches for the two involved malicious domains uc8010.com and ucmal.com this morning returned between 87,000 and 103,000 hits, of which we estimate around 80 per cent were pages containing references to the malcious scripts. However, as this malware uses automated injection techniques, many contaminated pages may be generated for each infected domain, it is difficult to determine accurately the number of infected domains, which may be much smaller than these figures might initially suggest.

As government, commercial, educational and public service sites have all fallen victim to this attack it is obviously not targeted. And although some sources have asserted this beast can steal gaming credentials and perform click fraud, its primary purpose is still not entirely clear. An analysis by Dancho Danchev shows that in addition an exploit for a RealPlayer vulnerability it also invokes a two year old exploit against a security problem in Internet Explorer (CVE-2006-0003, MDAC). It cannot be ruled out that it even uses the yet unpatched zeroday hole in RealPlayer. Some of the exploit code draws attention to itself by outputting comments such as "Hello" and "ok! ^_^ Don't hank me !".

The trigger point is a script called uc8010.com/0.js or ucmal.com/0.js that is loaded by the victim web site. This displays the message "ok ^_^" and downloads the second round: w.js, which contains obfuscated JavaScript and continues the sequence of downloads, eventually including the RealPlayer and MDAC exploits. It is still not clear how this beast has spread so quickly, although heise Security considers that it bears signs of being an automatic infection mechanism that spiders the web and tries to inject the html into all parameters of the web applications it can find. For this reason it might be classed as a worm.

For some unaccountable reason, the malicious sites are still up and running and serving exploits although the Internet Storm Center drew attention to them 4 days ago. However, on the positive side, some of the malware's components are already detectable by current antivirus. For example, in a test by heise Security, F-Secure antivirus identified the second-level script w.js as JS/Agent.cge, and an .exe-file downloaded by the IE exploit was already identified as "Trojan-Downloader" by a couple of antivirus products.

[Update] The web site contamination vector has been confirmed as an SQL injection, cleverly obfuscated by a cast statement at the start of the malicious SQL statement. An analysis on the modsecurity.org blog shows that the call to the malicious JavaScript is systematically injected into all varchar objects in user tables. This would account for the very large observed number of links to infected objects. However, although elegant, this not a completely new technique. The SANS ISC diary discuses a similar if less sophisticated attack from November 2007.