Websense Security Labs™ ThreatSeeker™ Network has discovered that the speed testing site of chinaz.com has been compromised.
Chinaz.com is a very famous Web master site that provides technical and resource downloading services in China. The daily traffic to this site is over 50,000 hits, and it has a very high Alexa rank of 179. The injected subdomain speed.chinaz.com is the page that supplies tools for testing the speed of Web sites.
A snapshot of the compromised site is shown below:
The payload of the injected site:
This payload contains two parts: ap.js, and the obfuscation code in the script tag. When combined, we get the entire exploit code. After analyzing this, we noticed that it is used to target the IE vulnerability (MS10-018), which downloads an executable file named dn.exe. This has a good detection rate by most AV vendors; however dn.exe will download and execute remote files and send local information to a remote server. The process disguises itself as an AV component while at the same time suspending the AV software. At present, a bug in the malicious code fails to get the MAC address correctly and as of this alert the site is still infected.
Websense Messaging and Websense Web Security customers are protected against this attack.