If you read Geok Meng and Xiaobo’s blogÂ published in December last year, this must almost seem like a movie sequel.Â Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.
At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.”Â For example, some of them are school websites or the local community club’s website that had been hijacked or infected.
When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.
During research, one of the things we found interesting was the web exploit toolkit explicitly checks that the origin of the hyperlinked references do not come from the “.gov.cn”Â andÂ ”.edu.cn” domains, which are used byÂ Chinese government and education sites, respectively.Â If the references are not coming from any of these domains, it starts sending a cocktail of exploits including:
- Exploit-MSDirectShow.b (zero-day)
Each of these exploits targets a different application that could be vulnerable–Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar–that can be accessed via the Internet Explorer browser.
From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year.Â The attackers may be trying to avoid or delay attention from the Chinese government.
When successful, the attacker installs a downloader Trojan that could download other malware.
This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, on IE 7, the browser on Windows Vista systems, risky ActiveXÂ objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.
The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScanÂ in today’sÂ 5668 DATs.Â The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).
We will post more information as we receive it.
(Thanks to our colleague Wei Wang for assistance in this analysis.)