The Cell Phone Forums of IT168.com Injection
Threat Type: Malicious Web Site / Malicious Code
IT168.com is one of the largest mainstream IT information platforms in China, providing IT product price and market orientation information. It has a high Alexa rank of 170. The forums on the site, especially the cell phone bulletin boards, are very popular, and unsuspecting visitors to these sites can easily get infected.
Screenshot of bbs.it168.com:
The attackers capitalize on the results from popular search engines like Google, Baidu, and Sogou to spread malicious code.
The payload of the iframe above:
The targeted vulnerabilities are:
Once one of the vulnerabilities is triggered, an executable is downloaded onto the user's machine. This malware installs a rootkit driver and also downloads the main "threat dispatcher". At least 29 malicious applications are downloaded. Some of them install global hooks on the machine, copy themselves inside the Windows folder, and perform other malicious activities. The majority of these executables are packed with UPX, but a few of them use custom executable packers.
Websense Messaging and Websense Web Security customers are protected against this attack.