Massive embedded exploit web site attack underway [update]
Literally thousands of web pages have been infected with references to malicious code that is hosted on two Chinese-registered domains, one of which was only registered on 28 December 2007. Many of these pages now use security holes in Internet Explorer and RealPlayer to infect their visitors with malware.
Google searches for the two malicious domains involved, uc8010.com and ucmal.com, this morning returned between 87,000 and 103,000 hits, of which we estimate around 80 per cent were pages containing references to the malicious scripts. However, because the attack uses automated injection techniques, many contaminated pages can be generated from a single infected domain. It is therefore difficult to determine accurately the number of infected domains, which may be much smaller than these figures initially suggest.
As government, commercial, educational and public service sites have all fallen victim to this attack, it is obviously not targeted. And although some sources have asserted that this beast can steal gaming credentials and perform click fraud, its primary purpose is still not entirely clear. An analysis by Dancho Danchev shows that, in addition to an exploit for a RealPlayer vulnerability, it also invokes a two-year-old exploit against a security problem in Internet Explorer (CVE-2006-0003, MDAC). It cannot be ruled out that it even uses the as yet unpatched zero-day hole in RealPlayer. Some of the exploit code draws attention to itself by outputting comments such as "Hello" and "ok! ^_^ Don't hank me !".
For some unaccountable reason, the malicious sites are still up and running and serving exploits, although the Internet Storm Center drew attention to them four days ago. On the positive side, some of the malware's components are already detectable by current antivirus software. For example, in a test by heise Security, F-Secure antivirus identified the second-level script w.js as JS/Agent.cge, and an .exe file downloaded by the IE exploit was already identified as a "Trojan-Downloader" by a couple of antivirus products.
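A site operator who wants to check whether their own pages carry references to the two domains named above can scan crawled copies of the pages for script tags whose host is uc8010.com, ucmal.com or a subdomain of either. The following script is an added example for this article, not code from heise Security, Dancho Danchev or the ModSecurity analysis; the pages in SAMPLE_PAGES are constructed for illustration and the domain list is taken from the text above. It also reports how many distinct sites the hits belong to, since, as noted above, one injected site can yield many contaminated pages.

```python
"""Find <script src=...> references that point at the domains named in the
article (uc8010.com, ucmal.com), the check a site operator would run over
crawled copies of their own pages.

Added example for this article; the pages in SAMPLE_PAGES are constructed
for illustration, not captured from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the article as hosting the malicious scripts.
MALICIOUS_DOMAINS = frozenset({"uc8010.com", "ucmal.com"})


def host_matches(host, domains=MALICIOUS_DOMAINS):
    """True if host is one of the listed domains or a subdomain of one."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag.

    Using the HTML parser rather than a regex means unquoted attribute
    values (src=http://...) and mixed-case tags are handled the same way a
    browser would treat them.
    """

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def find_injected_scripts(html, domains=MALICIOUS_DOMAINS):
    """Return the script src values in html whose host is in domains."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for src in collector.srcs:
        # urlsplit handles absolute (http://host/...) and protocol-relative
        # (//host/...) URLs; relative paths have no hostname and are skipped.
        if host_matches(urlsplit(src).hostname, domains):
            hits.append(src)
    return hits


def scan_pages(pages, domains=MALICIOUS_DOMAINS):
    """Map page URL -> list of malicious script srcs, for pages with hits."""
    result = {}
    for url, html in pages.items():
        hits = find_injected_scripts(html, domains)
        if hits:
            result[url] = hits
    return result


def infected_site_count(pages, domains=MALICIOUS_DOMAINS):
    """Number of distinct sites (by host) with at least one infected page.

    Illustrates the article's point: one injected database can produce many
    contaminated pages, so page counts overstate the number of sites hit.
    """
    return len({urlsplit(url).hostname for url in scan_pages(pages, domains)})


# Constructed sample pages (not real captures). The first two are mutated the
# way the article describes: a script reference appended to page content.
SAMPLE_PAGES = {
    "http://www.example-agency.gov/news/1.html":
        "<html><body><p>Press release</p>"
        "<script src=http://uc8010.com/0.js></script></body></html>",
    "http://www.example-agency.gov/news/2.html":
        "<html><body><p>Second item</p>"
        '<SCRIPT SRC="http://www.ucmal.com/0.js"></SCRIPT></body></html>',
    "http://shop.example.com/item?id=7":
        '<html><head><script src="/static/app.js"></script></head>'
        "<body>Clean page</body></html>",
}

if __name__ == "__main__":
    for url, hits in scan_pages(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(hits))
    print("infected sites:", infected_site_count(SAMPLE_PAGES))
```

The same host test can be applied to the text columns of the site's database, since in this attack the references were injected into stored content rather than into the page templates; matching on the host rather than the full URL catches variants that use a different path or a subdomain.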
- Massive RealPlayer Exploit Embedded Attack, blog entry by Dancho Danchev
- SQL Injection Attack Infects Thousands of Websites, analysis on the ModSecurity blog