Windows 7 Thousands of Chinese Gov and Edu Websites Infected

whoosh


Security researchers from Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) have identified a new mass injection attack that has so far infected almost 180,000 websites with rogue <script> tags. The majority of affected sites are Chinese and many of them are in the gov.cn or edu.cn domain namespace.
The technique used in this attack is called SQL injection and involves exploiting vulnerable script parameters that don't properly sanitize user input. Such flaws allow attackers to execute unauthorized SQL queries against the underlying database by manipulating the URL. Link Removed - Invalid URL, the attackers have changed the src of the malicious script tags at least once so far.

Originally, rogue content was being loaded from http:// wgwggg .cn:1/1.js [spaces added on purpose], but now, the infection points to http:// 1.ll8cc .cn [deliberately malformed]. Searching for the latter on Google reveals some 178,000 results, while the former version of the attack infected at its peak over 187,000 websites.

The malicious JavaScript loaded by the injected script tags has the purpose of infecting the visitors of a compromised website. A visiting user's session is silently passed through a series of redirects and scripts, which have the purpose of determining what software is installed on their computers. Based on the result of this check, the user is served with particular exploits for several vulnerabilities in those applications.

The exploit cocktail used is identical to the one seen a few days ago in a similar attack Link Removed - Invalid URL by ScanSafe. It contains exploits for: Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071; MDAC ADODB.Connection ActiveX vulnerability described in MS07-009; Microsoft Office Web Components vulnerabilities described in MS09-043; Microsoft video ActiveX vulnerability described in MS09-032; and Internet Explorer Uninitialized Memory Corruption Vulnerability described in MS09-002.

“Successful exploit will silently download the file upload.css (W32.CSSExploit.Trojan detected by Bkav) and install it on users’ computers,” warn the Bkis analysts. The .css extension is misleading and the file is actually a Win32 executable, which installs a virus. The malware has backdoor capabilities and Bkis suspects that it is of Chinese origin.

As always, users are advised to make sure that all software on their computers is up to date, especially the operating system, browsers and popular applications such as Adobe Flash Player, Adobe Reader or Java. Also, no one should be surfing the web without a reliable and up-to-date antivirus solution running on their computer.
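The post describes two things a site operator needs to understand: how an unsanitised URL parameter ends up inside a SQL statement, and how to find pages into which a rogue `<script>` tag has been written. The following is an added example, not code from the post or from Bkis, that shows both against a constructed in-memory SQLite table standing in for a CMS "pages" table. The table contents, the `pages` schema, the slug values and the allow-list host are assumptions made for the example; the two script hosts are the ones named in the post.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows for a hypothetical CMS "pages" table. Two rows carry
# the injected script tags the post describes; one carries a legitimate local
# script so the sweep has something it must NOT flag.
SAMPLE_PAGES = [
    ("home", "<html><body><h1>Welcome</h1></body></html>"),
    ("news", "<p>Notice</p><script src=\"http://wgwggg.cn:1/1.js\"></script>"),
    ("about", "<p>About us</p><script src='http://1.ll8cc.cn/x.js'></script>"),
    ("contact", "<script src=\"/static/app.js\"></script><p>Mail us</p>"),
]


def build_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """The defect the post describes: the URL parameter is pasted into the SQL
    text, so a quote character in it changes the statement's meaning."""
    sql = "SELECT slug FROM pages WHERE slug = '%s'" % slug
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """Parameterised form: the driver binds slug as data, never as SQL, so the
    same input is compared literally and simply matches nothing."""
    rows = conn.execute("SELECT slug FROM pages WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


# Matches the src attribute of a <script> tag, quoted or unquoted.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_external_scripts(html, allowed_hosts):
    """Return the hosts of script tags whose src points outside the allow-list.
    Relative srcs (no host) are the site's own files and are skipped."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            hits.append(host)
    return hits


def sweep(conn, allowed_hosts):
    """Scan every stored page body; returns {slug: [offending hosts]} so an
    operator can see which rows were written to and which host they load."""
    findings = {}
    for slug, body in conn.execute("SELECT slug, body FROM pages"):
        hosts = find_external_scripts(body, allowed_hosts)
        if hosts:
            findings[slug] = hosts
    return findings


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every slug
    print("safe:      ", lookup_safe(db, tautology))        # []
    print("sweep:     ", sweep(db, {"www.example.gov.cn"}))
```

The sweep deliberately keys on the host rather than on a fixed filename, because the post notes the attackers already changed the script src once; an allow-list of the hosts a site legitimately loads scripts from keeps working when the next domain appears. On a real deployment the same query would be run against the production database, and any slug reported is a row that was written by the injection and should be cleaned and its source parameter fixed.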