Below we sum up the characteristics of the campaign.
The first feature is the large sphere of influence. This campaign affects a great many Web sites of colleges and related educational institutions all over the country. The Websense ThreatSeeker Network has detected that approximately 40 percent of all college and related educational sites within China have been injected. Many top-tier universities in China, such as Peking University, People's University of China, and Fudan University, have suffered this attack.
The chart below shows the number of compromised Chinese college sites in this attack.
The second feature is that the attackers exploit a large number of vulnerabilities, especially ones disclosed most recently (since July). Take one infected university Web site as an example.
The screenshot of the injected site:
The injected script redirects to four malicious pages, each of which exploits a different vulnerability. The vulnerabilities targeted are:
- Firefox "Corrupt JIT state after deep return from native function" (MFSA 2009-41);
- Microsoft DirectShow (msvidctl.dll) vulnerability (MS09-032);
- Microsoft Office Web Components Spreadsheet ActiveX vulnerability (MS09-043).
The fourth feature is that the malicious code is injected into the pages in multiple ways. We investigated the infected college sites and found three common methods used by the attackers.
- Iframe injection.
Examples of each method are below:
This chart shows the percentage of each kind of injection:
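Iframe injection, the first of the methods listed above, leaves a footprint that a site owner can screen for in their own pages: an iframe or script element that is hidden (zero-sized or display:none) or that loads from a host outside the site. The following scanner is an added example, not code from the original post or from Websense; the host names and the sample page are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for width/height values such as "0", "1" or "0px" (hidden-iframe trick)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class InjectionScanner(HTMLParser):
    """Collect <iframe> and <script src> tags that are hidden or point off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()  # the site's own domain (constructed here)
        self.findings = []                  # (tag, src, reasons) tuples in document order

    def _offsite(self, src):
        host = urlparse(src).hostname
        if not host:                        # relative URL or missing src: same site
            return False
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                    or "display:none" in style or "visibility:hidden" in style):
                reasons.append("hidden")
        if tag in ("iframe", "script") and self._offsite(src):
            reasons.append("off-site")
        if reasons:
            self.findings.append((tag, src, "+".join(reasons)))


def scan_page(html, site_host):
    """Return the suspicious iframe/script tags found in one page of the given site."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one legitimate script and iframe, one injected pair.
SAMPLE_HTML = """<html><head>
<script src="http://static.example-university.edu/site.js"></script>
<script src="http://counter.example-attacker.invalid/c.js"></script>
</head><body>
<iframe src="/campus/map.html" width="600" height="400"></iframe>
<iframe src="http://exploit.example-attacker.invalid/a.htm" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "example-university.edu"):
        print(finding)
```

Run over a crawl of a site's own pages, the output lists the elements worth a manual look; same-domain subdomains are treated as legitimate, so adjust `site_host` to the narrowest domain the site actually serves from.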
This campaign not only targets college Web sites en masse, but is also spreading widely to other sites in China. At the moment, the number of compromised college sites remains very high, holding at a level of around 800 sites. We will continue to monitor this attack and publish anything interesting.
Security Researcher: Xue Yang