Non-malicious compromise pointing to a benign VBScript!
Last Updated: 2007-08-28 12:55:22 UTC
by Maarten Van Horenbeeck (Version: 3)
Note: please tread carefully here. While we've obfuscated all malicious links, some of them are still live on the internet. Over the weekend we have been working with anti-virus vendors as well as the regional CERT team to have the issue resolved, but we haven't been quite as succesful as we've hoped. This attack doesn't merely apply to the site mentioned, but spreads out over hundreds of compromised sites - so you may feel like filtering the malicious URL mentioned.
At least if you believe everything your neighborhood webmaster tells you... Early last week, the forum of the website of Leuven, a major student town in Belgium, got compromised. National press reported the compromise occurred through so-called SQL infection (sic), after which links to a .cn web server were added. In an interview, an IT representative of the local government stated that the "hack was not malicious. No data on the website was removed, altered or stolen".
Naturally, we want to have a look at what this code does. It's easy to execute VBScripts on the desktop using the Windows Script Host, or WSH, and its tool wscript. The content can just be copied into a vbs file and executed. However, that's not what we want to do here, since the script says EXECUTE. Not a good idea.
So, let's change these commands around a bit. Wscript contains a function that allows you to echo content to the screen in a message box:
So this leaves me wondering why exactly this was a non-malicious compromise ?
UPDATE: By popular request, here is the current AV recognition according to Virustotal. At least one of the two droppers is detected by:
Webwasher-Gateway 6.0.1/20070828 found [VBScript.Vulnerable.gen!High (suspicious)]
Authentium 4.93.8/20070828 found [HTML/IFrame]
F-Prot 184.108.40.206/20070828 found [HTML/IFrame]
Norman 5.80.02/20070828 found [JS/OnlineGames.A]
The actual executable is identified as malicious by:
AntiVir 220.127.116.11/20070828 found [TR/Crypt.FKM.Gen]
Avast 4.7.1029.0/20070827 found [Win32:WOW-FD]
CAT-QuickHeal 9.00/20070825 found [(Suspicious) - DNAScan]
DrWeb 4.33/20070828 found [Trojan.PWS.Wow]
eSafe 18.104.22.168/20070826 found [Suspicious Trojan/Worm]
F-Secure 6.70.13030.0/20070828 found [Trojan-PSW.Win32.WOW.sp]
Fortinet 22.214.171.124/20070828 found [W32/WoW!tr.pws]
Ikarus T126.96.36.199/20070828 found [Trojan-PWS.Win32.WOW.pu]
Kaspersky 188.8.131.52/20070828 found [Trojan-PSW.Win32.WOW.sp]
NOD32v2 2488/20070828 found [Win32/PSW.WOW.SP]
Norman 5.80.02/20070828 found [W32/Wow.BJL]
Sunbelt 2.2.907.0/20070825 found [VIPRE.Suspicious]
Symantec 10/20070828 found [Infostealer.Wowcraft]
TheHacker 184.108.40.206/20070828 found [Trojan/PSW.WOW.sp]
VBA32 220.127.116.11/20070828 found [suspected of Trojan-PSW.Game.9 (paranoid heuristics)]
Webwasher-Gateway 6.0.1/20070828 found [Trojan.Crypt.FKM.Gen]
in order to prevent clients from being infected, you could consider blocking traffic to the xvgaoke.cn domain.
Maarten Van Horenbeeck