Feb 09 2009
The most loyal TDV readers may remember a post from a while back showing some Google searches that turned up more than one hundred Chinese .gov sites with malicious links or defacements. It appears that there are a few more to add to the list as of late. One of the Chinese malware blogs that I follow published a series of posts indicating that .gov sites were getting compromised and having malware embedded in them.
www.sxfc.gov.cn, www.lfzs.gov.cn and a few non-.gov sites had very similar malware links embedded in them. At the time of this writing, many of the links embedded in the sites are broken but some of the malware is still there for the wget’ing.
After a few redirects, we get to a1.css, which is an FSG-packed PE file. It is well detected by antivirus (38/39 on virustotal.com). Nothing too interesting.
The Chinese malware that I have come across is either not packed at all or uses well-known packers like UPX and FSG. What have you TDV readers come across? Any custom packers?
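Since the packer question is really about triage, here is a small script, added as an example and not part of the original post, that does the first thing an analyst does with a sample like a1.css: parse the PE section table and look for the usual packing indicators. It flags the documented UPX section names (UPX0/UPX1/UPX2), sections with no data on disk but space reserved in memory (the unpacking target), and sections whose byte entropy is high enough to suggest compressed or encrypted content. FSG leaves no distinctive section name that I would rely on, so it is left to the entropy and layout heuristics. The 7.0 bits/byte threshold is an assumption, not a published figure, and the sample PE is constructed in memory (header-only, no optional header) purely to exercise the parser.

```python
import math
import struct
import sys

# Section names that a well-known packer leaves behind. Only UPX is listed
# because its section names are documented; FSG is caught by the
# entropy/layout heuristics below instead.
KNOWN_PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def assess_packing(sections: list, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means no indicators."""
    findings = []
    for s in sections:
        label = s["name"] or "<unnamed>"
        if s["name"] in KNOWN_PACKER_SECTIONS:
            findings.append(f"{label}: {KNOWN_PACKER_SECTIONS[s['name']]} section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{label}: no data on disk but {s['virtual_size']:#x} bytes "
                            "reserved in memory (typical unpacking target)")
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            findings.append(f"{label}: entropy {s['entropy']:.2f} bits/byte "
                            "(compressed or encrypted payload)")
    return findings


def build_sample_pe(sections: list) -> bytes:
    """Constructed test input: a header-only PE with the given sections.

    SizeOfOptionalHeader is 0, so this satisfies the parser above but is
    not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, data, virtual_size in sections:
        raw_ptr = data_start + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), virtual_size,
                             vaddr, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += max(virtual_size, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Constructed sample mimicking a UPX layout: an empty UPX0 filled at run time,
# a UPX1 holding uniformly distributed bytes standing in for the compressed
# image, and a low-entropy resource section.
SAMPLE_PE = build_sample_pe([
    (b"UPX0", b"", 0x8000),
    (b"UPX1", bytes(range(256)) * 16, 0x1000),
    (b".rsrc", b"Hello, world! " * 50, 0x1000),
])


def scan_bytes(pe: bytes) -> list:
    return assess_packing(parse_sections(pe))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for line in scan_bytes(data) or ["no packing indicators"]:
        print(line)
```

Run it with a file path to scan a real sample, or with no arguments to see the constructed UPX-style layout reported. Entropy alone is a weak signal (resource sections full of PNGs score high too), which is why the layout check and the section-name check are kept separate and all three are reported rather than collapsed into a single verdict.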