Following the Injection - a0v.org
08.26.2009 - 3:34 PM
The injected site - a0v.org
The site injected into compromised pages in this campaign is a 35-day-old domain called a0v.org. The injection consists of plain-text, non-obfuscated script tags. Here is a screenshot example of the source of a legitimate Web site that has been injected. Do you see the pattern? There is no mercy shown in the frequency of the injections, which confirms that this injection is an automated process, as most injections are.

Once a user browses to an infected Web site, the browser is redirected to execute the injected script at hxxp://a0v.org/x.js. The script source below shows two further redirections: the first takes the user to the exploit sites just down the chain, and the second reports to a log server established by the baddies:
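The repeated, non-obfuscated script tags described above are exactly the kind of pattern a site owner can scan for offline. The following is an added example (not code from the original post) that parses saved HTML, counts external script hosts, and flags any host referenced an implausible number of times. The sample page is constructed; the only real indicator reused from the post is the a0v.org script host, written defanged (hxxp) as the post does, which urlparse still resolves to the host name.

```python
"""Flag repeated external <script src> tags in saved HTML (defender triage).

Added example, not code from the original post. SAMPLE_HTML is a constructed
fixture standing in for a compromised page; the script URL is defanged
(hxxp) as in the post, and urlparse still extracts its hostname.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def external_script_hosts(html, page_host):
    """Count external hosts referenced by <script src>, excluding page_host.

    Relative sources (no hostname) belong to the page itself and are skipped.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    counts = Counter()
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            counts[host.lower()] += 1
    return counts


def find_suspect_injections(html, page_host, repeat_threshold=3):
    """Return [(host, count), ...] for external script hosts that repeat
    at least repeat_threshold times, most frequent first. A legitimate CDN
    is normally referenced once; an automated injection repeats itself."""
    counts = external_script_hosts(html, page_host)
    suspects = [(h, c) for h, c in counts.items() if c >= repeat_threshold]
    return sorted(suspects, key=lambda item: -item[1])


# Constructed fixture: one first-party script, one CDN script, and the same
# injected tag repeated in four places across the document.
SAMPLE_HTML = """<html><head><title>Legit page</title>
<script src="/js/site.js"></script>
<script src="hxxp://a0v.org/x.js"></script>
</head><body>
<p>Welcome</p><script src="hxxp://a0v.org/x.js"></script>
<div>Content</div><script src="hxxp://a0v.org/x.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<p>Footer</p><script src="hxxp://a0v.org/x.js"></script>
</body></html>"""


if __name__ == "__main__":
    for host, count in find_suspect_injections(SAMPLE_HTML, "victim.example.com"):
        print(f"suspect injected script host {host}: {count} occurrences")
```

The threshold is deliberately low; on a real site, combine the count with a domain-age lookup for the flagged host, since both a0v.org and the exploit sites in this campaign were only weeks old.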

The next stop in the exploit chain is hxxp://game163.info/oday/index.html. This one was already caught by ThreatSeeker Live Analytics (L for Live Analytics):

game163.info is also a fresh domain, registered just 23 days ago. Its source performs further redirects within the same site. But before it decides where to send the user, it checks whether the browser is Microsoft Internet Explorer 7, using a hex-encoded representation of the string "msie 7". If the User-Agent indeed identifies Microsoft Internet Explorer 7, the user is redirected to a page exploiting the Microsoft Internet Explorer XML Parsing vulnerability (CVE-2008-4844) -- an exploit that works only against Microsoft IE7 browsers:
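Hex-escaping the string "msie 7" hides the browser check from simple keyword matching but not from an analyst who decodes the literals. The following is an added example (not code from the original post or the exploit site) that extracts JavaScript string literals, decodes \xHH and \uHHHH escapes, and reports any decoded string that looks like a browser fingerprint token. The JavaScript sample is constructed to mimic the check the post describes; the real landing page's code and the target file name are not reproduced.

```python
"""Decode escaped JavaScript string literals and flag browser-fingerprint
tokens used for User-Agent branching.

Added example, not code from the original post. SAMPLE_JS is a constructed
stand-in for the check described in the post; "next.html" is a made-up
redirect target.
"""
import re

# A double- or single-quoted JS string literal, allowing backslash escapes.
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# \xHH and \uHHHH escape sequences inside a literal.
_HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})')

# Substrings that indicate the script branches on the visitor's browser.
FINGERPRINT_TOKENS = ("msie", "firefox", "opera", "windows nt", "chrome", "safari")


def decode_js_escapes(literal):
    """Replace every \\xHH and \\uHHHH escape in a literal body with its character."""
    def repl(match):
        code = match.group(1) or match.group(2)
        return chr(int(code, 16))
    return _HEX_ESCAPE.sub(repl, literal)


def decoded_literals(js_source):
    """Return [(raw, decoded), ...] for each string literal that contains escapes."""
    found = []
    for match in _STRING_LITERAL.finditer(js_source):
        raw = match.group(1) if match.group(1) is not None else match.group(2)
        if '\\x' in raw or '\\u' in raw:
            found.append((raw, decode_js_escapes(raw)))
    return found


def fingerprint_hits(js_source):
    """Return the sorted set of decoded literals that contain a fingerprint token."""
    hits = set()
    for _raw, decoded in decoded_literals(js_source):
        lowered = decoded.lower()
        if any(token in lowered for token in FINGERPRINT_TOKENS):
            hits.add(decoded)
    return sorted(hits)


# Constructed sample: the comparison string and the redirect target are
# hex-escaped so neither "msie 7" nor the file name appears in clear text.
SAMPLE_JS = r'''
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("\x6d\x73\x69\x65\x20\x37") > -1) {
    window.location = "\x6e\x65\x78\x74\x2e\x68\x74\x6d\x6c";
} else {
    window.location = 'other.html';
}
'''


if __name__ == "__main__":
    for raw, decoded in decoded_literals(SAMPLE_JS):
        print(f"{raw!r} -> {decoded!r}")
    print("fingerprint tokens:", fingerprint_hits(SAMPLE_JS))
```

Running the decoder over every inline script of a suspect page surfaces both the browser check and the per-browser redirect targets, which is what lets an analyst map the rest of the chain without executing the page.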

More redirects to exploits, combined with browser checks, are done further in the same site. Here is a recap of what's going on there:

Following is a summary of all the exploits used, from the most recently discovered to the oldest:
Adobe Flash, Acrobat Reader CVE-2009-1862
Microsoft Office Web Components CVE-2009-1136
Microsoft Internet Explorer XML Parsing CVE-2008-4844
Microsoft DirectShow (msvidctl.dll) CVE-2008-0015 - Suspected\Disabled
Microsoft Data Access Components (MDAC) CVE-2006-0003
The exploits are served from multiple replicated Web sites, bearing exactly the same code and structure as game163.info. The Microsoft DirectShow (msvidctl.dll) vulnerability is only suspected to have been used, because the branch that might have led to that exploit has been disabled by the attackers in all of the replicated exploit sites. This is probably due to the weak structure of the exploit chain, which splits right from the beginning; such a split could create race conditions that result in no exploitation at all.
On the branch that tries to exploit MDAC CVE-2006-0003, the attackers used heavily obfuscated JavaScript combined with script fragmentation to evade detection. This is a really old but still quite effective exploit that security vendors know very well. The newest exploit used in the chain is Adobe Flash and Acrobat Reader CVE-2009-1862, alerted on at the end of July, and it is the most troublesome one, due to two facts:
1) Today, most users don't bother to update their versions of Flash/Acrobat.
2) We've recently received reports (in the middle of August) showing almost the same exploit code (with only minor variations in syntax) and an embedded malicious Flash file exploiting CVE-2009-1862, with detection rates by vendors of only 2/42 and 0/42, respectively. The detection results for the malicious Flash file used in this attack are still very low, at only 5/41, and the related exploit page scores only 4/41.
Combine those two facts, and you have a major breach that allows the attackers to do a great deal of damage. Similar mass injections happen around the clock, capitalizing on the latest exploits, relying on the two facts listed above, and carrying different obfuscated source code and payloads. Those facts suggest that a large number of users are infected through such mass compromises.
Security Researcher: Elad Sharf