In this section

• Home
• Security
• SophosLabs blog
• 2007
• 08

• Analyses
• SophosLabs
• SophosLabs blog
• Spyware and adware
• Top 10 malware
• Hoaxes
• Technical papers
• Email notification
• Best practice
• White papers
• Web seminars
• Podcasts
• Hot topics

1 August 2007 10:51 GMT

Germany calling

Early this morning I noticed a report suggesting that a fairly popular UK site had been compromised. Nothing particularly unusual there given recent trends. I set about confirming the report - the site was indeed compromised, with a malicious JavaScript (detected as JS/Dload-E) that silently loads more malicious content from a remote server when a victim views the page. I set about contacting the owner of the compromised site to inform them of the problem, and offer assistance with cleanup.

Anticipating the ‘What was the purpose of the compromise?‘ question, I quickly analysed the attack. The various stages are listed below:

• Drive-by: web pages compromised with malicious JavaScript (detected as JS/Dload-E) to load further malicious content from a remote server
• Exploits: remote server (located in Frankfurt, Germany) loaded with a malicious script (detected as Troj/JSXor-Gen) intended to exploit several browser vulnerabilities in order to download and execute a malicious Win32 PE file (from the same server)
• Win32 Trojan 1: malicious PE file (detected as Mal/Binder-C) that drops/injects malicious code to download another Win32 PE file
• Win32 Trojan 2: malicious PE file (again, detected as Mal/Binder-C) that drops/injects the malicious Cimuz Trojan
• Cimuz: this well known family installs as a BHO, and once running monitors browser activity in order to steal credentials. The variant investigated here harvested data from the system (eg. email server credentials and saved browser data) in addition to sniffing for credentials when the victim authenticates with several online services (including MSN Explorer, Bank of America, Postbank, e-gold and eBay)
• Send stolen data: via a HTTP request to a remote server. The server IP suggests it is also based in Frankfurt, Germany

So, all in all, a classic drive-by scenario really, similar to ones we have seen before. Pleasingly, all the components of the attack were pro-actively detected so the only actions required were to add rules to the WS1000 appliance in order to block access to the remote servers.

The attack is just another example of the complex and coordinated nature of modern malware.

At the time of writing, I have not heard back from the owner of the compromised site (and it is still serving up the malicious script)… Over the past few months I have contacted many site owners to inform them that their site has been compromised. Given the general lack of response (even from quite large businesses) and persistence of malicious code on the sites, my impression is that most folk don’t really care, probably due to ignorance about the underlying problem.

With the rapid growth of site compromising come several important repercussions, including:

• Responsibility. Who should take ownership of the problem, and its resolution - the site owner or the ISP?
• Site cleanup. The site should be taken offline, and necessary pages, databases etc cleaned up.
• Site security. Just performing cleanup is not sufficient - the site will very likely be compromised again in the exact same manner. The source of the attack needs to be identified and the hole closed.

These considerations are a topic for another blog posting.

Fraser Howard, SophosLabs UK

• Bookmark with del.icio.us
• Submit this story to digg
• Submit this story to slashdot