X-Labs
May 25, 2010

Chinaz.com compromised

Forcepoint Security Labs

Websense Security Labs™ ThreatSeeker™ Network has discovered that the speed testing site of chinaz.com has been compromised.

Chinaz.com is a very famous Web master site that provides technical and resource downloading services in China. The daily traffic to this site is over 50,000 hits, and it has a very high Alexa rank of 179. The injected subdomain speed.chinaz.com is the page that supplies tools for testing the speed of Web sites.

A snapshot of the compromised site is shown below:

This site first redirects to a JavaScript file in its own path, as shown below:

Also shown below is the malicious code injected by the cyber-criminals as opposed to the JavaScript file:

The payload of the injected site:

This payload contains two parts: ap.js, and the obfuscation code in the script tag. When combined, we get the entire exploit code. After analyzing this, we noticed that it is used to target the IE vulnerability (MS10-018), which downloads an executable file named dn.exe. This has a good detection rate by most  AV vendors; however dn.exe will download and execute remote files and send local information to a remote server.  The process disguises itself as an AV component while at the same time suspending the AV software. At present, a bug in the malicious code fails to get the MAC address correctly and as of this alert the site is still infected.

Websense Messaging and Websense Web Security customers are protected against this attack.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.

Forcepoint Security Labs

These posts are based on research done by Forcepoint's X-Labs.

Read more articles by Forcepoint Security Labs