Big Chinese Hack 2?

Yesterday we detected the onset of the latest mass hack attack – websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days along, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this.

We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine.

These attacks aren’t yet on the scale of the first attacks which took place in spring this year and which affected more than 1.5 million web resources. But things are still developing, and the similar nature of the malicious programs used in both attacks lead us to think that this new wave of attacks is potentially pretty serious.How do the attacks work?

The attackers add a tag, <script src=http://******/h.js>, to the html of hacked sites.

The link leads to Java Script located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the denylist in our antivirus:

• armsart.com
• acglgoa.com
• idea21.org
• yrwap.cn
• s4d.in
• dbios.org

If you’re an admin, you should block access to these sites.

Visiting one of the sites results in a secret redirect to a malicious server called vvexe.com which is located in China. Exploits are then used to launch an attack on the user’s machine.

We’re currently seeing a range of exploits being used, which target vulnerabilities in Internet Explorer, Macromedia Flash Player, and the ActiveX vulnerability (MS08-053) which Microsoft released a patch for less than two months ago. And here are exploits designed to target Firefox users.

Here’s a list of the malicious programs on the site that our antivirus detects:

• Trojan-Downloader.HTML.Agent.ls
• Trojan-Downloader.SWF.Agent.ae
• Trojan-Downloader.SWF.Agent.ad
• Trojan-Downloader.SWF.Agent.af
• Trojan-Downloader.SWF.Small.em
• Trojan-Downloader.SWF.Small.en
• Trojan-Downloader.JS.Agent.cwt
• Trojan-Downloader.JS.Agent.cwu
• Trojan-Downloader.JS.Agent.cww
• Trojan-Downloader.JS.Agent.cwv
• Trojan-Downloader.JS.Agent.cwx
• Trojan-Downloader.JS.Agent.cwy
• Exploit.JS.Agent.xu
• Trojan-Dropper.JS.Agent.z

If your machine is vulnerable to even one of these exploits, then it’ll be infected by another malicious program, Trojan-Downloader.Win32.Hah.a.

This Trojan is able to download yet more malicious programs – and details of these programs are in a dedicated configuration file on the vvexe.com site.

Today, we’ve seen three malicious programs being downloaded:

Trojan-GameThief.Win32.WOW.cer – a Trojan designed to steal account data from World of Warcraft accounts

Trojan-Spy.Win32.Pophot.gen – another spy program which steals data and also tries to delete a whole range of antivirus solutions

Trojan.Win32.Agent.alzv – this Trojan downloads yet more Trojan spy programs: Trojan-PSW.Win32.Delf.ctw, Trojan-PSW.Win32.Delf.ctx, Trojan-PSW.Win32.Delf.cty.

If you own or manage a site that uses an ASP engine, check all your pages for a link like this: <script src=http://******/h.js>. And if you find it, delete it. It’s not just your security that’s at stake, but the security of everyone using your site!