MCRC Blog - 2009

Feb 26, 2009

Cyber Sino-Japanese War?

Recently we reported on a high-ranking Japanese website that was compromised by cyber criminals. This time we discovered an even higher-ranked site that was compromised: Livedoor.jp. This popular web portal is owned by a Japanese ISP and has an Alexa ranking of 6 in Japan and 70 worldwide.

Just as described in our previous report, the attack works by injecting an IFRAME into some pages on the Japanese portal. The IFRAME points to a Chinese server that attempts to exploit multiple browser vulnerabilities.

The included page is quite simple, yet effective: it checks which ActiveX objects the browser is ‘familiar with’ and then includes the IFRAMEs relevant to exploiting those objects, so each victim is served only the exploits that can work against it.
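The injection described above (an IFRAME added to a legitimate page that pulls content from an unrelated host, typically sized to 0x0 pixels or hidden with CSS) is something a site owner can look for mechanically. The following scanner is an added example written for this post and is not Finjan's code or tooling; it assumes the site's own hostname is known (here `livedoor.jp`, with subdomains treated as same-site), and the sample HTML and the `attacker.example` hostname are constructed for illustration.

```python
"""Flag IFRAMEs in a page that load content from an off-site host.

Added example, not Finjan's tooling. The sample HTML and the hostnames
in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _same_site(host, site_host):
    """True if host is the site itself or one of its subdomains."""
    host = host.lower()
    return host == site_host or host.endswith("." + site_host)


def _tiny(value):
    """True for width/height values of 0 or 1 (the classic hidden-frame size)."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return off-site IFRAMEs, each with the reasons it looks injected.

    Every IFRAME whose src host is neither empty (relative URL) nor part of
    site_host is reported; hidden sizing or CSS adds further reasons.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or _same_site(host, site_host):
            continue  # relative or same-site frames are normal portal content
        reasons = ["off-site src host %s" % host]
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("frame is 0/1 pixel")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("frame hidden via CSS")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one same-site widget, one relative banner, and
# one injected, invisible frame pointing at a constructed attacker host.
SAMPLE_HTML = """
<html><body>
<h1>Portal page (constructed sample)</h1>
<iframe src="http://news.livedoor.jp/widget.html" width="300" height="200"></iframe>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://attacker.example/in.html" width="0" height="0" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "livedoor.jp"):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

Run over a crawl of the site's own pages, this reports only frames that reach out to other hosts; in a user-generated-content setting like the one described later in this post, the off-site check alone produces the candidate list, and the size and CSS reasons are what separate an injected exploit frame from an embedded video or widget.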

First, the widely exploited IE7 data binding vulnerability is used. In order to avoid detection by signature-based protection solutions such as Anti-Virus, the exploit page was obfuscated:

Needless to say there are still many Internet Explorer users who haven’t patched their browser yet, and are still vulnerable to this attack.

Let’s look at the executable pushed to the client after a successful exploitation of the browser vulnerability. The downloaded executable is a Trojan that steals the user’s credentials. This Trojan has been known for quite some time now, yet many Anti-Virus products still don’t detect it: as you can see below, only 18/39 AV products on VirusTotal detected this file as malicious.

The next vulnerability exploited is the infamous RDS vulnerability, which is still widely used by cyber criminals even though it is quite old and users should therefore have been patched against it a long time ago.
Finally, the relatively new Snapshot Viewer ActiveX control vulnerability is exploited.

This Chinese attack is very popular and is known to infect hundreds of websites all over the world. However, we can’t ignore the fact that two very popular Japanese websites were infected in such a short period of time.

The malicious code was removed from Livedoor.jp and it’s now safe to visit.

Update:

On March 5th we received the following comment from “livedoor.jp”:

“As each page on the domain of [livedoor.jp] is being managed by the user himself/herself, we are not involved in the management of the contents or the codes of each page”

Although we can understand this comment, it only reconfirms Finjan’s position regarding the risks of Web 2.0: giving users the power to add code also gives them the power to add malicious code. This is why we believe in real-time content inspection for web security.

Posted by Moshe Basanchig
