Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New malware spreading through compromised sites - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New malware spreading through compromised sites

Early this morning, Sanjoy wrote in that the website contained a script-tag linking to a malicious Javascript hosted on a Chinese web server. We were able to confirm this and contacted Airindia to inform them their site had likely been compromised. At this point in time, the site is clean again.

Initial verification shows that this malicious link has been introduced into a large number of sites, both through script injection in forms as well as ways that look very much like web server compromise to us.

If you have a large installed base of Windows machines with browsing access, you may wish to review your proxy logs for requests for the following files. We removed the actual domain as to not to link directly to the actual malware.

[xxx] .cn/images/163.js
[xxx] .cn/images/sina.htm

The file downloaded upon succesful execution is called 'install.exe' and has an md5 checksum of f9fc3189d619462f6c939bfbf36c90ab. Once executed, it installs three files on the system, 'winboot.exe', 'winroot.bat' and '1.exe', of which the latter remains resident in memory. The software seems to be a keylogger at this point in time. Anti-virus detection for this malware was non-existent this morning, but AV vendors have been informed and are actively adding detection.

We're very interested in hearing more about this from you. If you notice the existence of this link on one of your sites and can provide us with more information on how the compromise occured in your instance, please let us know. This type of information could prove very helpful to other victims.

Maarten Van Horenbeeck


158 Posts
Mar 10th 2007

Sign Up for Free or Log In to start participating in the conversation!