Posted by Haowei Ren, Geok Meng Ong
If you have read Geok Meng and Xiaobo’s blog published in December last year, this would almost seem like a movie sequel. Over the July 4th weekend, an exploit targeting a 0-day vulnerability in the Microsoft Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.
At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this trojan. Many of these sites are what you and I would not consider to be “malicious” or “dodgy”. For example, some of them are school websites or the local community club’s website that had been hijacked or infected.
During research, one of the things we found interesting was the web exploit toolkit explicitly checks that the origin of the hyperlinked references do not come from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites. If the references are not coming from any of these domains, it starts sending a cocktail of exploits:
- Exploit-MSDirectShow.b (0-day)
Continued @ McAfee Avert Labs Blog