Monday, January 07, 2008

Massive RealPlayer Exploit Embedded Attack

This malware embedded attack is massive and ugly, what's most disturbing about it is the number of sites affected, which speaks for coordination at least in respect to having established the infrastructure for serving the exploit before the vulnerability became public :

"One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week."

According to SANS, there are only two domains involved in the attack and however, there's also a third one, namely This attack is nothing else but "embedded malware as usual", javascript obfuscations, multiple IFRAME redirectors to and from internal pages, and scripts within the domains. Let's assess those that are still active :

- returns "ok ^_^" message and loads ( which says "Hello", furthermore, loads; and

The internal structure is as follows : - attempts MDAC ActiveX code execution (CVE-2006-0003) in between the following - javascript obfuscation - real player exploit - javascript obfuscation - unobfuscated real player exploit

- ( - another obfuscation

- says "ok! ^_^ Don't hank me !" but compared to the first two that are still active, this one is down as of yesterday, despite that it still remains embedded on many sites

Detection rate for the unobfuscated exploit :
Result: 17/32 (53.13%) - Exploit-RealPlay; JS/RealPlay.B
File size: 3003 bytes
MD5: a85a28b686fc2deedb8d833feaacef16
SHA1: 0282e945ded85007b5f99ddee896ed5e31775715

Detection rate for the obfuscated exploit :
Result: 11/32 (34.38%) - JS/Agent.AMJ!exploit; Trojan-Downloader.JS.Agent.amj
File size: 2880 bytes
MD5: d363ffca061ebf564340c4ac899e3573
SHA1: 1226d3d9fcc5052a623b481b48443aeb246ab5db

A lot of university, and international government sites continue to be embedded with the script, and so is Computer Associates site according to this article :

"Part of security software vendor CA's Web site was hacked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of show that earlier this week the site had been redirecting visitors to the domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."

Compared to each and every malware embedded attack that I assessed in 2007, including all of Storm Worm's campaigns, they were all relying on outdated vulnerabilities to achieve their success, but this one is taking advantage of the now old-fashioned window of opportunity courtesy of a malicious party enjoying the given the lack of a patch for the vulnerability. Why old-fashioned? Because malware exploitation kits like MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker, changed the threatscape by achieving a 100% success rate through first identifying the victim's browser, than serving the exact exploit. Another such one-vulnerability-serving malware embedded attack was the MDAC exploits farm spread across different networks I covered in a previous post. It's also interesting to note that a MDAC live exploit page was also found within what was originally thought to be a RealPlayer exploit serving campaign only. Shall we play the devil's advocate? The campaign would have been far more successful if a malware exploitation kit was used, as by using a single exploit only, the campaign's success entirely relies on the eventual presence of RealPlayer on the infected machine.