Trojan:JS/Redirector.H


Encyclopedia entry
Updated: May 31, 2008  |  Published: May 27, 2008

Aliases
  • JS/TrojanDownloader.Iframe.NAI (ESET)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


Summary

Trojan:JS/Redirector.H is a detection for specific JavaScript contained within Web pages. This JavaScript trojan may be injected into an HTML page via a SQL injection attack, or may be hosted on a malicious Web site, and may redirect users to Web sites other than the ones they expected to visit. It is also possible for an attacker to craft HTML-based e-mail messages containing the script.


Symptoms

There are no common symptoms associated with this threat - the IFrame links are activated silently while the user views Web content on a maliciously modified page. Alert notifications from installed antivirus software may be the only symptom.


Technical Information (Analysis)

Trojan:JS/Redirector.H is a detection for specific JavaScript contained within Web pages. This JavaScript trojan may be injected into an HTML page via a SQL injection attack, or may be hosted on a malicious Web site, and may redirect users to Web sites other than the ones they expected to visit. It is also possible for an attacker to craft HTML-based e-mail messages containing the script.

The destination Web page of the redirect may contain specially formed IFrame tags that point to remote Web sites hosting other malicious content, for example, malicious JavaScript containing an exploit for a specific vulnerability.
Installation
This trojan has been found inserted into numerous Web pages via a blanket SQL injection attack, using an automated tool.
Payload
IFrame Code Execution
Trojan:JS/Redirector.H may execute another script within an IFrame named "am6.htm" or "am7.htm". The referenced script (detected as "Exploit:JS/Repl.B") may contain five or more exploits executed within IFrames:
 
 
The IFrames itemized above use the following execution methods:
  1. This IFrame executes a Microsoft Data Access Component (MDAC) ADO ActiveX control known as "RDS.DataSpace". This control contains a vulnerability that could allow the execution of arbitrary code on systems that have not applied the update described in Microsoft Security Bulletin MS06-014. The IFrame references an HTML script named "ax14.htm" (ActiveX MS06-014), which is identified as "TrojanDownloader:JS/Psyme.BA" or "TrojanDownloader:VBS/Psyme.gen!E".
  2. This IFrame executes an ActiveX control for "RealPlayer" known as "IERPCtl". This control contains a buffer overflow vulnerability that could allow the execution of arbitrary code on systems that have not applied the security update from RealNetworks. Two IFrames are referenced, executing "re10.htm" (RealPlayer 10 exploit) and "re11.htm" (RealPlayer 11 exploit) - both are identified as "Exploit:JS/Repl.C" or "Exploit:HTML/Repl.D".
  3. This IFrame executes an ActiveX control for "Ourgame GLWorld" known as "GLAvatar". This control contains an undisclosed (0-day) vulnerability that could allow the execution of arbitrary code. This IFrame references an HTML script named "axlz.htm" (ActiveX Lianzong game platform), identified as "Exploit:JS/Gdow.A". See "GLAvatar Control" in "Additional Information" for more about this vulnerability.

    A variant of this IFrame executes an ActiveX control for "Ourgame GLWorld" known as "GLIEDown". This control contains a vulnerability that could allow the execution of arbitrary code. This variant also references an HTML script named "axlz.htm".
  4. This IFrame executes an ActiveX control for "Baofeng Storm StormPlayer" known as "MPS.StormPlayer". This ActiveX control contains multiple remote buffer overflow vulnerabilities that could allow the execution of arbitrary code on systems running Storm versions prior to 2.7.9.10, as mentioned on various security forums and Web sites. This IFrame references an HTML script named "bb.htm", which is identified as "Exploit:Win32/Senglot.J".
  5. This IFrame executes an ActiveX control for "Xunlei Thunder DapPlayer" known as "DPClient.vod". This ActiveX control contains a buffer overflow vulnerability (CVE-2007-5064) that could allow the execution of arbitrary code. According to FrSIRT, there is no known update to mitigate this vulnerability. This IFrame references a file "xl.gif" (Xunlei); however, the file was unavailable at the time of this writing.
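As an added illustration (not part of the original entry), the following Python scans a saved HTML page for the IFrame chain described above: frames pointing at the "am6.htm"/"am7.htm" landing pages or at the named exploit pages, plus hidden cross-site frames of the kind a blanket SQL injection plants. The watch-list, host names and sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Page names quoted in the analysis above. Constructed watch-list for the
# example, not a complete signature for the family.
REDIRECTOR_PAGES = {"am6.htm", "am7.htm"}
EXPLOIT_PAGES = {"ax14.htm", "re10.htm", "re11.htm", "axlz.htm", "bb.htm", "xl.gif"}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """Injected frames are usually sized to 0/1 px or hidden through CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    def tiny(v):
        return v.strip().lower().rstrip("px") in ("0", "1")
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)

def scan_html(html, page_host):
    """Return (src, reason) for each iframe matching the redirector chain."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if name in REDIRECTOR_PAGES:
            findings.append((src, "redirector landing page"))
        elif name in EXPLOIT_PAGES:
            findings.append((src, "known exploit page"))
        elif parsed.hostname and parsed.hostname != page_host and _is_hidden(attrs):
            findings.append((src, "hidden cross-site iframe"))
    return findings

# Constructed sample: a legitimate page with injected frames (hosts are fictitious).
SAMPLE_PAGE = """<html><body><p>Store front</p>
<iframe src="http://evil.example/am6.htm" width=0 height=0></iframe>
<iframe src="http://evil.example/re10.htm" style="display:none"></iframe>
<iframe src="https://partner.example/widget" width="300" height="200"></iframe>
<iframe src="http://other.example/x.htm" style="visibility: hidden"></iframe>
</body></html>"""
```

Run `scan_html(SAMPLE_PAGE, "shop.example")` to list the three injected frames; the visible partner widget is not reported.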
 
Additional Information
GLAvatar Control
This vulnerability is considered a 0 day exploit and it joins three other known vulnerabilities in the GLWorld online game application:
  • CVE-2008-0647: Multiple Buffer Overflow Vulnerabilities within "HanGamePluginCn18.dll"
  • CVE-2007-5722: Stack-based Buffer Overflow Vulnerability within "GLChat.ocx"
  • Bugtraq ID 29118: Ourgame ActiveX Control Remote Code Execution Vulnerability within "GLIEDown2.dll"
 
Analysis by Cristian Craioveanu & Patrick Nolan


Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.
  • Additional SQL Server Resources
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Additional SQL Server Resources
Additional SQL Server resources and recommendations are available from the following sources:


Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 
It may be possible to prevent vulnerable ActiveX controls from running in Internet Explorer by modifying the data value of the Compatibility Flags DWORD value for the class identifier (CLSID) of the ActiveX control.
 
Please note that serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow any provided steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, view Microsoft Knowledge Base Article KB322756.
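As an added example (not from the original entry), the following Python supports the mitigation just described: it generates a .reg fragment that sets the documented kill-bit value (0x400) in Compatibility Flags for a list of CLSIDs, and audits the text of a `reg export` of the ActiveX Compatibility key to report which CLSIDs already have the bit set. The CLSIDs used are placeholders; this entry does not give the identifiers of the affected controls.

```python
import re

# Per-CLSID key under which Internet Explorer reads Compatibility Flags.
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # documented kill-bit flag value

def kill_bit_reg(clsids):
    """Build a .reg file (merge with regedit) that sets the kill bit per CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += [f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\n".join(lines)

def audit_reg_export(reg_text, clsids):
    """Map each requested CLSID (upper-cased) to True if its kill bit is set."""
    status = {c.upper(): False for c in clsids}
    current = None
    for line in reg_text.splitlines():
        key = re.match(r"\[.*\\(\{[0-9A-Fa-f-]{36}\})\]$", line.strip())
        if key:
            current = key.group(1).upper()
            continue
        val = re.match(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})', line.strip())
        if val and current in status:
            status[current] = bool(int(val.group(1), 16) & KILL_BIT)
    return status

# Constructed export with placeholder CLSIDs: one kill-bitted, one not.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000000
"""
```

A CLSID absent from the export is reported as not kill-bitted, which is the state that matters for this mitigation.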