Security Response

Chinese Earthquake Triggers Web Aftershocks

Created: 03 Jun 2008 16:41:48 GMT • Updated: 23 Jan 2014 18:40:59 GMT
Symantec Security Response

From the moment the recent earthquake struck in China on May 12th, mass grief poured out from within the Chinese population at the loss of their loved ones. Many thousands of people have donated their time and money, while some have prayed and expressed their grief using the Web. Unfortunately, as is so often the case in such tragic circumstances, miscreants are all too ready to try and create mayhem and profit from the misfortune of others.

In the weeks following the earthquake, the Symantec Security Response team based in Chengdu discovered that a legitimate Web site ([http://]www.85163.cn/q[REMOVED]), which is used for the expression of grief and condolences, had been compromised. The attackers had embedded a malicious IFRAME into the page.

The malicious code pointed to another URL, which in turn caused yet another page to be opened. The latter page contains JavaScript that will attempt to exploit a number of vulnerabilities, including the following:

(BID 25751) Xunlei Web Thunder ActiveX Control DownURL2 Method Remote Buffer Overflow Vulnerability
(BID 25121) Baidu Soba Search Bar BaiduBar.DLL ActiveX Control Remote Code Execution Vulnerability
(BID 26130) RealPlayer ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability
(BID 28157) RealNetworks RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability
(BID 17462) Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
(BID 29118) Ourgame 'GLIEDown2.dll' ActiveX Control Remote Code Execution Vulnerability

Once a computer is compromised in this attack, it is directed to download an additional small text file from a particular Web domain. This file contains a list of 35 URLs that point to other executable files, which are hosted on another, separate Web domain. The threat will attempt to download and execute every file listed at those URLs. All of the downloaded files are intended to steal passwords for online games and are detected as Infostealer.Gampass.
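The first two links in the chain described above, a hidden IFRAME injected into an otherwise legitimate page and a landing page whose script instantiates ActiveX controls, are what a site owner can check for in their own HTML. The following is an added example, not Symantec's code or anything from the compromised site; the hostname, the SAMPLE_HTML and the control name in it are constructed placeholders.

```python
# Added example: audit a page's HTML for a hidden or off-site IFRAME and for inline
# script that creates ActiveX objects. SITE_HOST and SAMPLE_HTML are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "condolences.example"  # assumed hostname of the page being audited

class PageAuditor(HTMLParser):
    """Collects <iframe> attribute sets and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _hidden(attrs):
    """True for a zero-sized or CSS-hidden frame, the usual shape of an injected IFRAME."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero = any(re.fullmatch(r"0+(px)?", (attrs.get(k) or "").strip())
               for k in ("width", "height"))
    return zero or "display:none" in style or "visibility:hidden" in style

def audit_page(html, site_host=SITE_HOST):
    """Return (kind, detail) findings; an empty list means nothing suspicious was seen."""
    p = PageAuditor()
    p.feed(html)
    findings = []
    for f in p.iframes:
        src = f.get("src") or ""
        host = urlparse(src).hostname
        if _hidden(f) or (host and host != site_host):
            findings.append(("iframe", src))
    findings += [("activex", s.strip()[:40]) for s in p.scripts
                 if re.search(r"ActiveXObject\s*\(", s)]
    return findings

# Constructed sample: one legitimate frame, one injected 0x0 frame, one ActiveX script.
SAMPLE_HTML = """<html><body><h1>Condolences</h1>
<iframe src="/guestbook" width="600" height="400"></iframe>
<iframe src="http://injected-host.invalid/x.htm" width="0" height="0"></iframe>
<script>var o = new ActiveXObject("Placeholder.Control");</script>
</body></html>"""
```

Run audit_page over a page fetched from your own site; a finding of kind "iframe" pointing off-site with zero dimensions is the signature of the injection discussed here and warrants comparing the page against a known-good copy.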

What these opportunistic attacks show is that the people involved in these attacks have no sense of human decency whatsoever, and users must remain vigilant at all times, especially when they are at their most vulnerable. The vulnerabilities listed in this article are very real, but the effects of the malicious code that exploits them can be mitigated with some defensive measures. In this sort of situation, please only use well-known Web sites of organizations that you trust. Above all, please ensure that your computer is up to date with the latest patches, along with updated antivirus software and a personal firewall, if possible.

For further reference on some of the malicious code mentioned:

Downloader: http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99

Backdoor.Trojan: http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99

Infostealer.Gampass: http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99