
Exploit.SinaDLoader.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Exploit.SinaDLoader.B is also known as Exploit:JS/Axdow.A, JS.ActiveXploit.Gen, Trojan-Downloader.JS.Agent.di.

Explanation:

The exploit follows the recent trend among sites that host malware in order to infect computers: it tries a number of exploits one after another, and if one of them does not succeed, it simply tries the next.

Here is an enumeration of the exploits used:

1. Snapshot Viewer Control.1. The mechanism is described here (used by another script that exploits a vulnerability in the ActiveX control for the Snapshot Viewer). With this exploit it tries to download a file onto the affected computer to the following path ([c or d or e drive]:Program Files/Outlook Express/wab.exe) from the following address: xxx.xiazail?.com/mas1.css. Although it has the extension "css" (Cascading Style Sheets, used for formatting HTML), it is an executable file.
2. DownloadAndInstall exploit, used to download http://zxc.11se??.com/mas1.exe, which is the same file mentioned earlier, only this time with the extension "exe".
3. Adodb.Stream exploit, which creates an invisible iframe to http://222.213asd??.com/ms06014.js, which in turn downloads and executes the same file discussed under the first point, from the same address. The file is saved on the computer in "..\ntuser.com" (the parent folder of your browser).
4. ShockwaveFlash.ShockwaveFlash.9 exploit that serves a certain SWF file according to the version installed on the user's machine, in the form of an embedded object. The code looks like this: "<embed src="http://222.213asd??.com/'+[variable_that_stores_part_of_version]+'.swf"></embed>".
5. UUUpgrade ActiveX Control module--update exploit (UUUPGRADE.UUUpgradeCtrl.1 component), which downloads http://222.213asd??.com/UU.ini.
6. Lianzhong chat room (GLIEDown.IEDown.1) exploit, which downloads "http://222.213asdas.com/GLWORLD.html", which in turn downloads, through another exploit (a buffer overflow), the file http://xxx.xiazail??.com/mas1.css (the same "old" malware file).
7. A RealPlayer exploit (IERPCtl.IERPCtl.1 component) which, for versions lower than 6.0.14.552, pushes the script 222.213asd??.com/real.js, which takes a different approach for distinct versions. If the user has a newer version, it creates an invisible iframe with "http://222.213asd??.com/Real11.html", which downloads http://xxx.xiazail??.com/mas1.css.
8. Baidu Search Bar (BaiduBar.Tool) exploit using the vulnerable "DloadDS" function, which refers to "http://222.213asd??.com/Baidu.cab" and a "Baidu.exe" inside the "CAB" archive.
9. Xunlei Thunder exploit (ActiveXObject DPClient.Vod) with another invisible iframe that leads to 222.213asd??.com/Thunder.html, unavailable at the time of analysis.

The files I mentioned numerous times, mas1.css and mas1.exe, are actually the same file. It is a small downloader (1900 bytes) packed with FSG, which downloads 5640ghi?.com/max1.exe (unfortunately unavailable at the time of analysis) and is detected as Generic.Malware.dld!!.8EC79AB8.

As you can see, there is a long chain of scripts and executables that try to download the "final" malware. It is a hierarchy of exploits that take advantage of different flaws in different applications. Thus you should always keep the applications you use updated and your antivirus product up to date.
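A defender-side check for the two traits this description highlights, added here as an example and not part of BitDefender's analysis: it flags page scripts that reference the ActiveX ProgIDs enumerated above or contain an invisible iframe, and it flags downloads whose URL claims a "css"-style extension while the body starts with the MZ header of a Windows executable. The sample page and download below are constructed, with example.invalid standing in for the kit's hosts.

```python
import re

# ProgIDs / ActiveX objects named in the description above. Assumption:
# a legitimate page almost never instantiates these controls, so any hit
# is worth alerting on.
SUSPICIOUS_PROGIDS = [
    "Snapshot Viewer Control.1",
    "Adodb.Stream",
    "ShockwaveFlash.ShockwaveFlash.9",
    "UUUPGRADE.UUUpgradeCtrl.1",
    "GLIEDown.IEDown.1",
    "IERPCtl.IERPCtl.1",
    "BaiduBar.Tool",
    "DPClient.Vod",
]

# Zero-sized or display:none iframes, the delivery trick used by several
# stages of the chain.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0|<iframe[^>]*display\s*:\s*none",
    re.IGNORECASE,
)

def scan_script(text):
    """Return a list of findings for one HTML/JS document (empty if clean)."""
    findings = []
    lowered = text.lower()
    for progid in SUSPICIOUS_PROGIDS:
        if progid.lower() in lowered:
            findings.append("activex:" + progid)
    if HIDDEN_IFRAME.search(text):
        findings.append("hidden-iframe")
    return findings

def is_masqueraded_pe(url, body):
    """True when the URL claims a text-like extension (css, js, ini, html)
    but the body carries the 'MZ' DOS header of a Windows executable."""
    ext = url.rsplit(".", 1)[-1].lower()
    return ext in {"css", "js", "ini", "html", "htm"} and body[:2] == b"MZ"

# Constructed sample input, modelled on the snippets quoted above.
SAMPLE_PAGE = """
<script>
var o = new ActiveXObject("Snapshot Viewer Control.1");
var s = new ActiveXObject("Adodb.Stream");
</script>
<iframe src="http://example.invalid/ms06014.js" width="0" height="0"></iframe>
"""
SAMPLE_DOWNLOAD = ("http://example.invalid/mas1.css", b"MZ\x90\x00" + b"\x00" * 60)
```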

Last update 21 November 2011
