The U.N. site is another victim of the SQL injection attacks: when a user browses the site's events page, he is redirected to (www.nihaorr1.com/[removed]). The "1.js" script redirects the user to another page, "1.htm", which once loaded tries to exploit the following vulnerabilities:
Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (Critical)
Cumulative Security Update for Internet Explorer (Critical)
Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
The Baofeng Storm MPS.StormPlayer.1 ActiveX control heap-based buffer overflow
GLChat Stack-based buffer overflow
Baidu Bar ActiveX Control Remote Command Execution
Real Player RAM Download Handler ActiveX Control
Finally, it redirects the user to two more pages that serve malware: (gg.haoliuliang.net/one/hao8.htm?036) and (gg.haoliuliang.net/wmwm/new.htm).
Mitigation checklist for system administrators:
- Make sure all Windows machines are up to date; use WSUS to distribute patches and critical updates. Use Microsoft Baseline Security Analyzer (MBSA) to scan for missing patches and vulnerable security settings.
- Make sure all installed applications and software are up to date; you can use Secunia Network Software Inspector to check for vulnerable software.
- Secure the ActiveX settings of Internet Explorer; see "IE ActiveX security 101". Also check the "ActiveX Killbit App" from Tom Liston of Intelguardians.
- Block all HTTP requests to http://www.nihaorr1.com/blah.js [replace blah.js with 1.js]
- Make sure your antivirus vendor has signatures for W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr; Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN
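Two checks that complement the list above, written as an added example (not code from the original diary): the first scans HTML your own site serves, or text columns dumped from its database, for `<script>`/`<iframe>` tags whose `src` points at the redirect hosts named above, which is where an injected tag surfaces; the second scans proxy access-log lines for client requests to those hosts, which is how you confirm the block in the checklist is working and find machines that already fetched the script. The host list is taken from the advisory; the HTML fragment and the Squid-style log lines are constructed samples, not captured data.

```python
"""Detection helpers for the nihaorr1.com redirect chain described above.

Added example, not code from the original advisory. BLOCKED_HOSTS comes
from the hosts named in the advisory; SAMPLE_HTML and SAMPLE_LOG are
constructed inputs, not real captures.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the advisory names as stages of the redirect / malware chain.
BLOCKED_HOSTS = {"www.nihaorr1.com", "gg.haoliuliang.net"}


def _host_of(url):
    """Return the lower-cased host of a URL; tolerates '//host/x' and 'host/x' forms."""
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_injected_scripts(html):
    """Return script/iframe src values in `html` that point at a blocked host.

    Run this over pages your server renders or over text columns exported
    from the database: the injection stores the tag inside content fields,
    so it appears wherever that content is echoed into a page.
    """
    parser = _SrcCollector()
    parser.feed(html)
    return [s for s in parser.sources if _host_of(s) in BLOCKED_HOSTS]


def flag_proxy_requests(lines):
    """Return (client_ip, url) for Squid native-format log lines hitting a blocked host.

    Squid native fields: timestamp elapsed client action/code size method url ...
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or foreign line, skip it
        client, url = fields[2], fields[6]
        if _host_of(url) in BLOCKED_HOSTS:
            hits.append((client, url))
    return hits


# Constructed sample: an events page with an injected script tag.
SAMPLE_HTML = (
    "<html><body><h1>Events</h1><p>Upcoming events</p>"
    '<script src="/static/site.js"></script>'
    '<script src="http://www.nihaorr1.com/1.js"></script>'
    "</body></html>"
)

# Constructed sample log lines (Squid native format); IPs are placeholders.
SAMPLE_LOG = [
    "1208790000.123    45 10.0.0.7 TCP_MISS/200 2048 GET http://www.nihaorr1.com/1.js - DIRECT/- application/x-javascript",
    "1208790001.456    12 10.0.0.9 TCP_HIT/200 512 GET http://intranet.example/index.html - NONE/- text/html",
]

if __name__ == "__main__":
    for src in find_injected_scripts(SAMPLE_HTML):
        print("injected reference in content:", src)
    for client, url in flag_proxy_requests(SAMPLE_LOG):
        print("client fetched blocked host:", client, url)
```

A hit from `find_injected_scripts` means the tag is already stored in your content and the block at the proxy only protects visitors who pass through it; the stored tag still has to be removed from the database and the injectable query fixed. A hit from `flag_proxy_requests` is a workstation to treat as possibly compromised, which is where the antivirus signatures in the last bullet come in.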