Residual Ramnit threatens the background of popular Chinese Websites

Source: Internet
Author: User

Newspapers not only bring us real-time news but also bring various threats. As we move from reading the paper delivered by the postman to reading news online, we step into a dangerous virtual world.

The site in question is one of the top five news websites in China. Users who browsed it with IE may have been exposed to a VBScript worm that replicates itself continuously on infected machines. Although the initial outbreak was contained, the injected malware still lurks quietly on one of the most popular Chinese websites.

FireEye's dynamic threat intelligence (ASD) first detected the compromised website delivering VBS/Ramnit on January 28 of this year, and the problem persists. A user who browses the specific page and clicks "yes" to run the ActiveX control may be infected.

As shown in the figure below, a malicious VBScript is appended to the HTML body. When the page is opened, the browser loads the news content as usual while the ActiveX control begins executing in the background.

[Figure: malicious VBScript appended to the HTML body of the news page]

In the following two figures, the VBScript drops a binary named "svchost.exe" into the temp folder and the ActiveX control runs successfully. Once the system is infected, it tries to connect to the previously associated CnC server, fget-career.com.

[Figures: the VBScript drops svchost.exe into the temp folder and the ActiveX control executes; the infected system attempts to contact fget-career.com]

Whether the VBScript runs and W32.Ramnit is delivered depends on the user's browser and its settings. Because Chrome and Firefox do not support client-side VBScript, only IE users are vulnerable to this attack.

Fortunately, the code does not run automatically in recent IE versions. When the browser encounters potentially dangerous content such as an ActiveX component, it displays two warnings.

[Figures: the two IE warnings displayed before the ActiveX control is allowed to run]

Only after the victim clicks "yes" on both warnings does IE execute the VBScript in the background, while the user sees nothing but the usual page.

Clicking "no" to block the ActiveX component prevents the W32.Ramnit infection. So why is this attack successful? When a well-known, legitimate website is compromised or targeted by malware, users tend to trust the site, click "yes", and infect themselves. That is why sites ranked among the top 100 most visited websites and the top 25 most popular websites in China face this kind of threat.

We detected this infection at several points. FireEye's multi-stream detection tracks the complete attack chain and the CnC communication. Although the CnC host has been down for a long time, the worm still harms users: not only does it append itself to every HTML file it can reach, it also adds itself to the Registry, which degrades machine performance.
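As an added example, not part of the original post or of FireEye's tooling, the following Python scanner applies the indicators described above (a VBScript block appended after the page body that uses the file system object to write svchost.exe into the temp folder) to HTML files, so a defender can find pages the worm has appended itself to. The sample pages, indicator names and the inert VBScript stub are constructed for this example.

```python
import re
from dataclasses import dataclass

# Heuristic scanner for a Ramnit-style HTML infection: a VBScript block
# appended to the page that drops "svchost.exe" into the temp folder.
# Indicator names and the matching rules are this example's own choices.
VBS_BLOCK = re.compile(
    r"<script[^>]*\bvbscript\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
INDICATORS = {
    "fso": re.compile(r"Scripting\.FileSystemObject", re.I),
    "shell": re.compile(r"WScript\.Shell", re.I),
    # GetSpecialFolder(2) is the VBScript way of resolving the temp folder
    "temp": re.compile(r"GetSpecialFolder\s*\(\s*2\s*\)|%TEMP%", re.I),
    "svchost": re.compile(r"svchost\.exe", re.I),
}

@dataclass
class Finding:
    start: int        # offset of the VBScript block in the file
    hits: list        # indicator names that matched inside the block
    after_body: bool  # block sits after </body>, i.e. was appended to the page

def scan_html(html):
    """Return a Finding for every VBScript block that triggers an indicator."""
    body_end = html.lower().rfind("</body>")
    findings = []
    for m in VBS_BLOCK.finditer(html):
        hits = [name for name, rx in INDICATORS.items() if rx.search(m.group(1))]
        if hits:
            appended = body_end != -1 and m.start() > body_end
            findings.append(Finding(m.start(), hits, appended))
    return findings

def is_infected(html):
    """Flag a page whose VBScript obtains a file system object and names the
    temp folder or svchost.exe; the after_body flag is reported for triage."""
    return any("fso" in f.hits and ("temp" in f.hits or "svchost" in f.hits)
               for f in scan_html(html))

# Constructed sample pages, not real captures from the affected site.
CLEAN_PAGE = """<html><body><h1>News</h1>
<script type="text/javascript">var page = 1;</script>
</body></html>"""

INFECTED_PAGE = CLEAN_PAGE + """
<script language="VBScript">
' constructed inert stub standing in for the appended worm script
Set fso = CreateObject("Scripting.FileSystemObject")
dropPath = fso.GetSpecialFolder(2) & "\\svchost.exe"
</script>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, is_infected(page), scan_html(page))
```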

So take care to avoid infection when browsing these web pages.
