AegisLab has found that "www.ezsaving.com.tw" hosts a drive-by-download page (Figure 1). Visitors to this page are forced to download a malicious file. The analysis follows:

Figure 1.


# index.html: contains two .js files, top.js and a Baidu statistics script.

# top.js: checks the cookie first. If the cookie exists, execute the attack script; if it does not exist, set the cookie and load "topp.html" in an iframe.

# topp.html

    1. Check whether the cookie exists. If not, launch the attack and go to step 2.
    2. Check whether the browser is IE on Windows XP. If yes, go to step 3.
    3. If the IE version is < 7, execute the AAAA function and load "ie6.html" in an iframe.
    4. If the IE version is 7, execute the BBBB function and load "ie.html" in an iframe.
    5. If the IE version is >= 8, execute the CCCC function and load "fun.htm" in an iframe.
    6. Set the cookie so the attack is not repeated on a second visit, keeping it hidden.

# ie6.html and ie.html

    Execute exp() through DOM access:

    <BUTTON ID='EXP' STYLE='DISPLAY:NONE'></BUTTON>

    document.getElementById('EXP').onclick();

    Once executed, it downloads the malicious file "test1.exe".

# fun.htm

    Downloads "test.exe".

The attack path is listed below.

[root]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/index.html
    [script]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/top.js
        [iframe]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/topp.html
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/ie6.html
            [virus]hxxp://www.update-onlines.org/ma/test1.exe
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/ie.html
            [virus]hxxp://www.update-onlines.org/ma/test1.exe
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/fun.htm
            [virus]hxxp://www.update-onlines.org/ma/test.exe
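A chain like the one above can be rebuilt from a web proxy log by following Referer links from each executable download back to the root page, and flagged when the executable is served from a host other than the root page's. The script below is an added example, not part of the original post or of AegisLab's tooling; the log lines are constructed to mirror the attack path (the `example.test` entries are a benign control), and the "client url referer" field layout is an assumption about the proxy's format.

```python
"""Reconstruct drive-by download chains from a proxy log by walking Referer links."""
from urllib.parse import urlparse

BASE = "http://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/"
# Constructed sample log (not captured from the site): "client url referer", '-' = no Referer.
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 {BASE}index.html -",
    f"10.0.0.5 {BASE}top.js {BASE}index.html",
    f"10.0.0.5 {BASE}topp.html {BASE}index.html",
    f"10.0.0.5 {BASE}ie6.html {BASE}topp.html",
    f"10.0.0.5 http://www.update-onlines.org/ma/test1.exe {BASE}ie6.html",
    "10.0.0.7 http://example.test/download.html -",
    "10.0.0.7 http://example.test/setup.exe http://example.test/download.html",
])

def parse_log(text):
    """Yield (client, url, referer) tuples; referer is None when the field is '-'."""
    for line in text.splitlines():
        client, url, ref = line.split()
        yield client, url, (None if ref == "-" else ref)

def referer_chain(url, ref_of):
    """Walk Referer links from url back to the root document (cycle-safe)."""
    chain, seen = [url], {url}
    while (ref := ref_of.get(chain[-1])) and ref not in seen:
        chain.append(ref)
        seen.add(ref)
    return chain[::-1]  # root first, like the attack path listing above

def find_download_chains(text):
    """For each executable fetched, rebuild its chain; flag multi-hop, cross-domain drops."""
    per_client = {}
    for client, url, ref in parse_log(text):
        per_client.setdefault(client, {})[url] = ref
    results = []
    for client, ref_of in per_client.items():
        for url in ref_of:
            if not urlparse(url).path.lower().endswith(".exe"):
                continue
            chain = referer_chain(url, ref_of)
            cross_domain = urlparse(chain[0]).netloc != urlparse(url).netloc
            results.append({"client": client, "chain": chain,
                            "suspicious": len(chain) >= 3 and cross_domain})
    return results

if __name__ == "__main__":
    for r in find_download_chains(SAMPLE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['client']} [{flag}]")
        for depth, u in enumerate(r["chain"]):
            print("    " * depth + u)
```

Referer links only survive when the browser sends them, so a missing or stripped Referer header will cut a chain short; treat the indentation as a lower bound on the real depth.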


The detection rate of "test1.exe" is 2.4% (1/42) in VirusTotal.  

The detection rate of "test.exe" is 76.7% (33/43) in VirusTotal.

The detection rate of this malicious link is 0% (0/23) in URLVoid.com. 

Since 20/05/2011, AegisLab WebGuard has blocked this malicious site.

By AegisLab