30 May 2010 11:19 PM
Websense Security Labs™ ThreatSeeker™ Network has discovered that the game channel of MOP BBS has been compromised.
Mop.com is one of the largest and most influential forums in China. It was the birthplace of Chinese network culture and has grown into a website that integrates a forum, news, games, entertainment and more into one large multimedia information platform. Mop.com has over 50 million registered users and over 200 million daily views, making it the world's 275th most popular website according to Alexa. The website is especially popular amongst World of Warcraft fans.
The snapshot of the compromised site:
Below is the redirection chain of the site:
The injection code in ajax.js:
The compromise uses a technique common among BlackHat SEO attackers: only visitors who open the page from the search results of baidu.com, the very popular search engine in China, are served the malicious code. The code then checks whether the popular Chinese antivirus software 360 Safeguard is installed. If it is not, the code continues to exploit the PC (step 2 in the chain) and then redirects to the two URLs shown in step 3. Both sites serve the same payload and exploit the Microsoft Internet Explorer vulnerability MS10-018 to infect the user.
After a quick analysis we found that the shellcode in the exploit downloads a remote executable called 55.exe. The file is encrypted and has very low anti-virus detection. Code from the file can be seen below:
The shellcode in the exploit then decodes the file. Below is the encryption algorithm, which is just a single-byte XOR with 0x95:
After being decrypted the file is detected as an online game information stealer.
Websense Messaging and Websense Web Security customers are protected against this attack.