AegisLab has found that "" contains a drive-by-download page (Figure 1). Once unsuspecting visitors open this page, they are forced to download the malicious file. The analysis is as follows:

Figure 1.


# index.html: loads two .js files, top.js and a Baidu statistics script.

# top.js: checks the cookie first. If the cookie exists, it executes the attack script; if it does not exist, it sets the cookie and uses an iframe to load "topp.html".

# topp.html

    1. Check whether the cookie exists. If not, launch the attack and go to step 2.

    2. Check whether the browser is IE on Windows XP. If yes, go to step 3.

    3. If the IE version is < 7, execute function AAAA and use an iframe to load "ie6.html".

    4. If the IE version is = 7, execute function BBBB and use an iframe to load "ie.html".

    5. If the IE version is >= 8, execute function CCCC and use an iframe to load "fun.html".

    6. Set the cookie so that a second visit does not trigger the attack again and the page stays hidden.

# ie6.html and ie.html

    Execute exp() via DOM access.

    Once executed, download the malicious file "test1.exe".

# fun.html

    Download "test.exe".
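The cookie gate, the IE-on-Windows-XP check and the version-branched iframe loading described for topp.html are exactly the traits a defender can look for in page source before any exploit code runs. The scanner below is an added example written for this post, not AegisLab's code or the WebGuard logic; it runs a handful of regex indicators over two constructed page bodies (a benign analytics-style snippet and a gated snippet modelled on the six steps above; the file names ie6.html, ie.html and fun.html are taken from the analysis, everything else in the samples is made up) and scores each one.

```python
"""Static indicator scan for cookie-gated, IE-version-branching drive-by pages.

Added example, not AegisLab's code. It looks for the traits the analysis
attributes to topp.html: a document.cookie test plus set (the "show once,
then hide" gate), a navigator.userAgent check for MSIE / Windows XP,
branching on the IE version, and an iframe (often 0x0 or hidden) that pulls
in the next stage. Thresholds and weights are heuristic assumptions.
"""
import re
from dataclasses import dataclass, field

COOKIE_TEST = re.compile(r"document\.cookie\s*(?:\.\s*(?:indexOf|match|search|split)|[!=]==?)", re.I)
COOKIE_SET = re.compile(r"document\.cookie\s*=(?!=)", re.I)
UA_READ = re.compile(r"navigator\.(?:userAgent|appVersion)", re.I)
MSIE_LITERAL = re.compile(r"MSIE\s*(\d+)?", re.I)
WINXP_LITERAL = re.compile(r"Windows\s*NT\s*5\.1", re.I)          # Windows XP reports NT 5.1
VERSION_CMP = re.compile(r"\b\w*ver\w*\s*(?:<=?|>=?|===?)\s*(\d+)", re.I)
IFRAME = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)|<iframe\b", re.I)
HIDDEN = re.compile(r"(?:width|height)\s*[=:]\s*['\"]?0(?![\d.])|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

SUSPICIOUS_THRESHOLD = 4  # assumed cut-off: gate + branching alone is enough


@dataclass
class ScanResult:
    findings: dict = field(default_factory=dict)  # indicator name -> points
    score: int = 0

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= SUSPICIOUS_THRESHOLD else "clean"


def scan_page(source: str) -> ScanResult:
    """Score one HTML/JS page body against the drive-by gating indicators."""
    result = ScanResult()

    def hit(name: str, points: int) -> None:
        result.findings[name] = points
        result.score += points

    # 1. Cookie gate: the cookie is both tested and set (step 1 and step 6 above).
    if COOKIE_TEST.search(source) and COOKIE_SET.search(source):
        hit("cookie_gate", 2)
    # 2. Browser fingerprinting for MSIE via navigator.* (step 2).
    if UA_READ.search(source) and MSIE_LITERAL.search(source):
        hit("msie_fingerprint", 1)
    # 3. Explicit Windows XP targeting (step 2).
    if WINXP_LITERAL.search(source):
        hit("winxp_target", 1)
    # 4. Branching on at least two distinct IE versions (steps 3-5: <7, =7, >=8).
    versions = {m.group(1) for m in MSIE_LITERAL.finditer(source) if m.group(1)}
    versions |= {m.group(1) for m in VERSION_CMP.finditer(source)}
    if len(versions) >= 2:
        hit("version_branch", 2)
    # 5. Iframe loading of the next stage, weighted higher when sized/styled invisible.
    if IFRAME.search(source):
        hit("iframe_load", 1)
        if HIDDEN.search(source):
            hit("hidden_iframe", 1)
    return result


# Constructed sample 1: an ordinary analytics loader that also sets a cookie.
BENIGN_SAMPLE = """<script>
var _hmt = _hmt || [];
document.cookie = "visited=1; path=/";
(function () {
  var s = document.createElement("script");
  s.src = "https://example.invalid/hm.js";
  document.body.appendChild(s);
})();
</script>"""

# Constructed sample 2: gating logic modelled on the topp.html steps (no exploit code).
GATED_SAMPLE = """<script>
if (document.cookie.indexOf("seen=1") == -1) {
  var ua = navigator.userAgent;
  if (ua.indexOf("MSIE") != -1 && ua.indexOf("Windows NT 5.1") != -1) {
    var ver = parseInt(ua.split("MSIE ")[1]);
    var f = document.createElement("iframe");
    f.width = 0; f.height = 0;
    if (ver < 7) f.src = "ie6.html";
    else if (ver == 7) f.src = "ie.html";
    else if (ver >= 8) f.src = "fun.html";
    document.body.appendChild(f);
  }
  document.cookie = "seen=1; expires=Fri, 01 Jan 2038 00:00:00 GMT; path=/";
}
</script>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_SAMPLE), ("gated", GATED_SAMPLE)):
        r = scan_page(body)
        print(f"{label}: score={r.score} verdict={r.verdict} findings={sorted(r.findings)}")
```

The benign loader scores 0 because setting a cookie on its own is normal; the gated page scores 8 because the cookie is also tested, the user agent is inspected for MSIE on NT 5.1, three version branches are present and the iframe is sized 0x0. A cookie gate is the indicator worth watching most closely: it is what makes the page look harmless on a second visit from a crawler or an analyst's browser.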

The attack path is shown below.




The detection rate of "test1.exe" is 2.4% (1/42) in VirusTotal.

The detection rate of "test.exe" is 76.7% (33/43) in VirusTotal.

The detection rate of this malicious link is 0% (0/23) in 

Since 20/05/2011, AegisLab WebGuard has blocked this malicious site.

By AegisLab