
SOHU Digital Channel Web Site Compromised with Xunlei Thunder DapPlayer Exploit

01.28.2010 - 7:00 PM

Today Websense® Security Labs™ ThreatSeeker™ Network discovered that the SOHU Digital Channel Web site had been compromised: code injected into the site exploits a vulnerability in the Xunlei Thunder DapPlayer ActiveX control, which can lead to downloading and executing an Autorun worm that steals users' online game account information.

SOHU is one of the biggest portals in China, with an Alexa rank of 43. It offers mainly advertising, search engines, and online multi-player gaming. Xunlei is one of the most popular download managers and BitTorrent clients in China, and it also offers free media for download. Its main site also has a relatively high Alexa rank of 126.

According to Secunia, the vulnerability is caused by a boundary error in the DPClient.Vod.1 ActiveX control (DapPlayer_Now.dll) when it handles arguments passed to the "DownURL2()" method. This can be exploited to cause a buffer overflow by passing an overly long argument to the affected method. Successful exploitation allows execution of arbitrary code in the context of the browser, so a user only has to visit the injected page with the control installed.

Here is a screenshot of the injected page:

Here is a screenshot of the payload:

When you request the fake GIF file again, the server now returns 404 Not Found:

Luckily, I have a copy in hand, so let's see what it looks like:

It is not readable at first glance, which is exactly the attacker's intent: to evade analysis and detection. However, once you notice the string "US-ASCII" in the last line of the payload, the exploit is no mystery at all. The page declares a US-ASCII character set, and Internet Explorer then keeps only the low seven bits of every byte, so script bytes with the high bit set look like binary garbage to a scanner but render as ordinary script in the browser. Here is the decoded payload:

A quick look at the shellcode shows the URL of the final payload in the clear; that file is reportedly an online game password stealer.
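As an added example (not code from this post or from Websense), the following Python helper automates the two analysis steps just described: undoing the US-ASCII trick, where Internet Explorer keeps only the low seven bits of each byte when the page declares charset=us-ascii, and then pulling the second-stage download URL out of a %u-escaped shellcode buffer of the kind a heap spray stages with unescape(). The injected page it runs on is constructed inside the block as a stand-in for the real one; the URL "http://example.invalid/cn.exe", the function names and the 50% high-bit-byte threshold are placeholders and assumptions, not details from the incident.

```python
import re
from typing import List


def decode_us_ascii_trick(data: bytes) -> str:
    """Undo the charset=US-ASCII obfuscation.

    With charset=us-ascii declared, Internet Explorer renders each byte by its
    low seven bits, so a script whose bytes all have the high bit set looks
    like binary noise to a scanner yet executes normally. Masking with 0x7F
    reproduces what the browser saw; bytes that were already ASCII are
    unchanged, so the whole page can be decoded in one pass.
    """
    return bytes(b & 0x7F for b in data).decode("ascii")


def looks_like_us_ascii_trick(data: bytes, min_high_bit_ratio: float = 0.5) -> bool:
    """Heuristic: the page declares a us-ascii charset but is mostly high-bit bytes.

    The 50% ratio is an assumed tuning value, not something from the post.
    """
    if not data or b"us-ascii" not in data.lower():
        return False
    high = sum(1 for b in data if b >= 0x80)
    return high / len(data) >= min_high_bit_ratio


def unescape_u(js_literal: str) -> bytes:
    """Turn the argument of a JavaScript unescape() call into the bytes it
    leaves in memory: every %uXXXX or %XX becomes one UTF-16 code unit stored
    little-endian, which is the layout a heap spray relies on."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", js_literal):
        code_unit = int(m.group(1) or m.group(2), 16)
        out += code_unit.to_bytes(2, "little")
    return bytes(out)


# Download-and-execute stubs of this era embed the second-stage URL as plain
# text followed by a NUL, so a printable-run scan starting at http:// finds it.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_urls(blob: bytes) -> List[str]:
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


UNESCAPE_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')


def analyze(page: bytes) -> List[str]:
    """Decode the page, recover each unescape()'d buffer and list the URLs in it."""
    html = decode_us_ascii_trick(page)
    urls: List[str] = []
    for m in UNESCAPE_RE.finditer(html):
        urls.extend(find_urls(unescape_u(m.group(1))))
    return urls


# --- constructed sample standing in for the injected page (not the real one) ---
STAGE2_URL = "http://example.invalid/cn.exe"  # placeholder, not the real payload URL


def _build_sample() -> bytes:
    # A few filler bytes around the URL play the role of the shellcode.
    shellcode = b"\x90\x90\xe8\x00\x00\x00\x00" + STAGE2_URL.encode("ascii") + b"\x00"
    if len(shellcode) % 2:
        shellcode += b"\x00"
    escaped = "".join("%%u%04x" % int.from_bytes(shellcode[i:i + 2], "little")
                      for i in range(0, len(shellcode), 2))
    script = '<script>var sc=unescape("%s");</script>' % escaped
    hidden = bytes(b | 0x80 for b in script.encode("ascii"))  # the high-bit trick
    # The charset declaration itself stays readable: that is the giveaway the
    # post points at in the last line of the payload.
    return hidden + b'\n<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">'


SAMPLE = _build_sample()

if __name__ == "__main__":
    print("looks obfuscated:", looks_like_us_ascii_trick(SAMPLE))
    print("decoded head:", decode_us_ascii_trick(SAMPLE)[:60], "...")
    print("payload URL(s):", analyze(SAMPLE))
```

Run it as a script to see the decoded page head and the recovered URL. The unescape() matcher only handles double-quoted literals; real kits also concatenate strings and use single quotes, so on a captured page you would typically feed the joined literal to `unescape_u` by hand after decoding.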

Websense Messaging and Websense Web Security customers are protected against this attack.

Security Researcher: Tim Xia
