Tuesday, April 22, 2008

Malaysia Tourism, visit the malwares!!!!!

If you are a security.org.my reader, you may have seen the latest post about the Malaysia Tourism website serving malware to everyone. This is not a big surprise, as Malaysia's Internet space is a large contributor to global malware distribution according to Google.

So the "Malaysia Can" spirit continues: we are distributing malware to people around the world efficiently. I wonder how much our lovely government has spent to set up and maintain the website; let us know if you have a clue.

Enough crap, let's look at the terms of use on the Tourism Malaysia website -

All the information contained herein is correct at the time of publication. Whilst every effort has been made to ensure the accuracy of the contents, Tourism Malaysia shall not be held liable for any errors, omissions or inaccuracies which may occur.

That's great, don't blame them, as they have made their best effort!

Now it's time to do some analysis by looking at these two scripts -

http://www.852599.cn/mp3/list.htm
http://www.852599.cn/mp3/MZ.htm

MZ.htm is the JavaScript; here's the content -

This looks like the black hat SEO technique commonly used by Chinese and Russian hackers, which we have seen used to inflate counter stats, and of course the charset tells the story here. On the other hand, the file list.htm doesn't look so straightforward to understand -

I truncated the line t="68,105,109....." so that it can be read properly here. list.htm is VBScript, which is why it won't work on any browser except Internet Explorer. If you look at the last line, it loads MZ.htm using the iframe technique. To understand what this VBScript does, we have to de-obfuscate it, and the easiest way is to replace the execute function with msgbox so it looks like this -

msgbox(rechange(t))

Then load the file in Internet Explorer and voila, check out the screenshot below -


Now we can find the location of the malware -

http://www.852599.cn/mp3/setup.exe
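An offline alternative to the msgbox trick above, added here as an example and not part of the original post: decode the comma-separated character codes in t without ever rendering the page in Internet Explorer, then list the URLs and iframe targets the hidden script references. It assumes rechange() simply splits t on commas and maps each number to Chr(); the sample page is constructed for this example and uses a placeholder host.

```python
"""Offline decoder for the list.htm-style VBScript obfuscation described in
the post: the payload is stored as a comma-separated list of character
codes in t, rebuilt by rechange(t) and run with execute(). Instead of
loading the page in Internet Explorer with execute swapped for msgbox,
this decodes the string outside any browser and pulls out the URLs it
references. Example code written for this post, not the original script.
Assumption: rechange() splits t on commas and maps each number to Chr()."""
import re

# Constructed sample in the shape of list.htm. The codes spell out a
# two-line VBScript snippet; the host is a placeholder, not the real one.
SAMPLE_LIST_HTM = (
    '<script language="vbscript">\n'
    't="68,105,109,32,117,10,117,61,34,104,116,116,112,58,47,47,101,120,'
    '97,109,112,108,101,46,105,110,118,97,108,105,100,47,109,112,51,47,'
    '115,101,116,117,112,46,101,120,101,34"\n'
    'execute(rechange(t))\n'
    '</script>\n'
    '<iframe src="MZ.htm" width=0 height=0></iframe>\n'
)

T_ASSIGN = re.compile(r'\bt\s*=\s*"([0-9,\s]+)"')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def extract_code_list(html: str) -> str:
    """Return the raw comma-separated code string assigned to t."""
    m = T_ASSIGN.search(html)
    if not m:
        raise ValueError('no t="..." character-code assignment found')
    return m.group(1)

def rechange(code_list: str) -> str:
    """Python port of the assumed rechange(): codes -> characters."""
    return "".join(chr(int(c)) for c in code_list.split(",") if c.strip())

def decode_list_htm(html: str) -> dict:
    """Decode the hidden script and list every URL it references, plus
    any iframe targets in the surrounding page (MZ.htm on the page)."""
    script = rechange(extract_code_list(html))
    iframes = re.findall(r'<iframe[^>]+src="([^"]+)"', html, re.I)
    return {"script": script, "urls": URL_RE.findall(script), "iframes": iframes}

if __name__ == "__main__":
    result = decode_list_htm(SAMPLE_LIST_HTM)
    print(result["script"])
    print("URLs:", result["urls"], "iframes:", result["iframes"])
```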

I downloaded the executable and scanned it with ClamAV with no result, so I uploaded it to VirusTotal to scan it with different antivirus products. The result is decent: out of 31 antivirus engines, only 12 recognize it as malware. If you are using one of the antivirus products that still doesn't detect it, congratulations! The scan result is here.

I would like to thank my friend tehtb, who is a decent Windows programmer. I was silly enough to tell him maybe we can use the print function, and he pointed out to me that the msgbox function works well here.

Enjoy (;])

6 comments:

SysAdmin said...

I just submitted that file to ClamAV, hope they can update the virus definitions.

Anonymous said...

Actually, two years ago I sent an email to warn them that their website contains an SQL injection vulnerability, but it seems like they didn't take my advice.

C.S.Lee(geek00L) said...

hi anonymous,

They are famous for playing ignorant .....

Anonymous said...

@geek00l: haha, is it? :)

vietnamsecurity said...

Hello, I am Vietnamese. I saw some sites have an iframe link to a China website. I want to know why Chinese hackers can add an iframe to my website. Can you help me? Many sites have the iframe but I don't know why?
my email: vietnamsecurity@gmail.com

Anonymous said...

@vietnamsecurity, already dropped you an email, hope it will help.