Last week, we had reports of a number of web sites being hacked and used to distribute malicious software.  The web sites are spread through various countries including Brazil, Pakistan, the United Kingdom, France, and of course the United States.

 At the moment, it is hard to tell how the servers were compromised.  All of them seem to be running a variant of Linux with the well known Apache web server.  It is possible, although unlikely, that an unknown security vulnerability has been exploited to gain control to these servers.  It is more likely that a configuration error such as a weak password allowed the attackers to access the servers.

 The hacked web sites serve a version of their main page that has been modified to include a malicious javascript.  A new javascript file is generated for each web request made on  the server.  The javascript's file name also changes every time a visitor browses an infected site.  The file name is composed of five random letters as shown in the following example:

 <script language='JavaScript' type='text/javascript' src='tfaxb.js'></script>

 The javascript is encoded in an attempt to evade detection by intrusion detection systems and antivirus software.  The javascript code is very similar to the MPack exploitation tool that is being sold on the underground market.  The script attempts to exploit the following vulnerabilities in web browsers:

  • - MS06-001 (WMF)
  • - MS06-055 (Vector Markup Language vulnerability)
  • - MS06-057 (Internet Explorer's WebViewFolderIcon ActiveX Overflow)
  • - MS06-071 (Microsoft XML Core Services)
  • - CVE-2007-0015 (Apple QuickTime 7.1.3 rstp:// buffer overflow)
  • - CVE-2007-0018 (NCTAudioFile2 ActiveX Buffer Overflow)
  • - CVE-2007-3147 (Yahoo! Webcam ActiveX)
  • - CVE-2007-5779 (GOM Player "GomWeb3" ActiveX Control Buffer Overflow Vulnerability)

Each exploit has a similar payload that downloads and executes a file from the server.  As with the javascript, the name of the binary file that is downloaded is generated randomly and deleted from the web server after only a couple of seconds.  In an attempt to fool researchers and automated tools, the malicious javascript and malware are only served once, a visitor making more than one request to an infected server will only be attacked once and any trace of the attack will be removed from further communications with the server.

The software that is downloaded and executed on the victim's machine is detected as Win32/TrojanDropper.Agen by NOD32, some other vendors label it as Trojan.Win32.Agent.cyt.  Once it gets executed, this Trojan copies itself to %system32%regscan.exe.  To prevent analysis, the file has virtual machine detection, preventing it from executing inside a virtual environment.  The Trojan communicates with a command and control server located in Florida.  The command and control server uses the HTTP protocol and seems to be hosted on a legitimate server that has also been hacked.

As of today, the attacks are still ongoing.  We strongly recommend applying security patches and using an up to date antivirus to be protected against this type of attack.

Pierre-Marc Bureau
Malware Researcher