Exploit.SinaDLoader.B
We are starting our weekly review with a big and ugly exploit. It’s actually not a real exploit, but more like an exploit-serving application. It tries to take advantage of 9 known vulnerabilities in order to download and execute an e-threat detected by BitDefender as Generic.Malware.dld!!.8EC79AB8. Here is a brief description of those exploits:
1. Snapshot Viewer Control.1: This is an exploit of the Microsoft Access Snapshot Viewer ActiveX control. It doesn’t have any obvious symptoms; however, the exploit allows an attacker to download any file to an arbitrary location on the victim’s computer. The downloaded file cannot be launched remotely, but the malware can be placed in the user’s startup folder, so it gets executed automatically when the system reboots.
More information available on the BitDefender site and Microsoft Support.
3. Adodb.Stream is an exploit for the ADODB.Stream object, which offers access to binary files on the victim’s computer. It allows an attacker to create an invisible iframe to http://222.213asd??.com/ms06014.js, which in turn will download the malware mentioned above.
4. ShockwaveFlash.ShockwaveFlash.9 is an exploit for the Flash Player prior to version 9.0.124.0. The exploit serves different malformed swf files to the user depending on which Player version is installed. The files take advantage of a vulnerability in the Player that allows an attacker to download and run arbitrary files on the user’s computer.
5. UUUpgrade ActiveX Control module–update is an exploit for the UUSee player provided by UUSee.com in order to view the media available on their website. The vulnerability allows attackers to download and save files to arbitrary locations on the user’s computer.
6. Lianzhong chat room (GLIEDown.IEDown.1), which includes http://222.213asdas.com/GLWORLD.html in the website, which in turn exploits another vulnerability via JavaScript and downloads the same malware mentioned above.
7. A RealPlayer exploit (IERPCtl.IERPCtl.1 component) which, for versions lower than 6.0.14.552, pushes the script 222.213asd??.com/real.js, which takes a different approach for distinct versions. If the user has a newer version, it creates an invisible iframe with http://222.213asd??.com/Real11.html, which again downloads the same threat.
8. Baidu Search Bar (BaiduBar.Tool) exploit which makes use of the vulnerable “DloadDS” function; it refers to a *.CAB file on http://222.213asd??.com/Baidu.cab which contains a “Baidu.exe” that is obviously our malware.
9. Xunlei Thunder exploit (ActiveXObject DPClient.Vod) with another invisible iframe that leads to 222.213asd??.com/Thunder.html, which was not available at the time of analysis; however, it’s probably downloading the same file.
All these exploits download a file named mas1.css or mas1.exe, which is a downloader, packed with FSG, for Generic.Malware.dld!!.8EC79AB8.
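Every stage described above shares the same two building blocks: a JavaScript `new ActiveXObject("…")` call naming one of the vulnerable controls, and a zero-sized or hidden iframe pointing at the next script or payload. The following scanner, an added example that is not BitDefender’s code and not part of the original post, flags an HTML document when it shows more than one of those traits. The ProgIDs and file names are the ones listed in the write-up; the host `example.invalid` and the two sample pages are constructed here for illustration, since the real host is redacted on the page.

```python
import re

# ActiveX ProgIDs named in the write-up above (the kit instantiates these
# controls from JavaScript).  List is limited to what the post names.
SUSPICIOUS_PROGIDS = [
    "Snapshot Viewer Control.1",
    "ADODB.Stream",
    "ShockwaveFlash.ShockwaveFlash.9",
    "UUUpgrade",
    "GLIEDown.IEDown.1",
    "IERPCtl.IERPCtl.1",
    "BaiduBar.Tool",
    "DPClient.Vod",
]

# Second-stage scripts, pages and payload names mentioned in the write-up.
SUSPICIOUS_PATHS = [
    "ms06014.js", "GLWORLD.html", "real.js", "Real11.html",
    "Baidu.cab", "Thunder.html", "mas1.css", "mas1.exe",
]

ACTIVEX_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ZERO_DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0+(?!\d)(px)?["']?""")
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden")


def is_hidden_iframe(tag):
    """True if the iframe tag is sized to nothing or hidden via CSS."""
    t = tag.lower()
    return bool(ZERO_DIM_RE.search(t) or HIDDEN_CSS_RE.search(t))


def scan_html(html):
    """Return a list of (category, detail) findings for one HTML document."""
    findings = []
    for m in ACTIVEX_RE.finditer(html):
        progid = m.group(1)
        if any(progid.lower().startswith(p.lower()) for p in SUSPICIOUS_PROGIDS):
            findings.append(("activex", progid))
    for tag in IFRAME_RE.findall(html):
        if is_hidden_iframe(tag):
            src = SRC_RE.search(tag)
            findings.append(("hidden_iframe", src.group(1) if src else ""))
    lowered = html.lower()
    for path in SUSPICIOUS_PATHS:
        if path.lower() in lowered:
            findings.append(("payload_ref", path))
    return findings


def verdict(findings):
    """Flag the page only when two distinct categories co-occur, so a lone
    hidden iframe (common on legitimate sites) does not fire by itself."""
    return len({category for category, _ in findings}) >= 2


# Constructed sample resembling the RealPlayer stage: hidden iframe to the
# ADODB.Stream script plus an IERPCtl instantiation.  Host is a placeholder.
SAMPLE_PAGE = """<html><body>
<iframe src="http://example.invalid/ms06014.js" width="0" height="0"></iframe>
<script>
var rp = new ActiveXObject("IERPCtl.IERPCtl.1");
</script>
</body></html>"""

# Constructed benign page: a normally sized embed and no ActiveX calls.
CLEAN_PAGE = """<html><body>
<iframe src="https://example.invalid/embed" width="600" height="400"></iframe>
<script>var x = 1;</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        found = scan_html(page)
        print(name, "flagged" if verdict(found) else "ok", found)
```

The two-category rule is deliberate: hidden iframes alone are common in ad and analytics markup, while a matching ProgID or a reference to one of the listed stage files beside one is what characterises this kit. Running the scanner over cached proxy responses or a web crawler’s output gives a cheap first pass before a full sandbox detonation.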