Comments on: NewGeoCheck.js and Malicious AddThiss .net Iframe http://blog.unmaskparasites.com/2010/05/19/newgeocheck-js-and-malicious-addthiss-net-iframe/ Website insecurity by example Sun, 05 Feb 2012 10:06:25 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Denis http://blog.unmaskparasites.com/2010/05/19/newgeocheck-js-and-malicious-addthiss-net-iframe/comment-page-1/#comment-9949 Denis Mon, 25 Oct 2010 18:31:55 +0000 http://blog.unmaskparasites.com/?p=626#comment-9949 One more domain used by this attack <strong>freecheck .info</strong> One more domain used by this attack
freecheck .info

]]> By: MK http://blog.unmaskparasites.com/2010/05/19/newgeocheck-js-and-malicious-addthiss-net-iframe/comment-page-1/#comment-7516 MK Fri, 21 May 2010 13:28:58 +0000 http://blog.unmaskparasites.com/?p=626#comment-7516 I can confirm that this malware is placed on the accounts via stolen FTP credentials as well. I have come across a few of these over the past few days. A decode if one of the recent ones can be found here: http://jsunpack.jeek.org/dec/go?report=105b584bde1eb180d2aaa92d44d7e5cb9baae8cb I can confirm that this malware is placed on the accounts via stolen FTP credentials as well. I have come across a few of these over the past few days. A decode if one of the recent ones can be found here: http://jsunpack.jeek.org/dec/go?report=105b584bde1eb180d2aaa92d44d7e5cb9baae8cb

]]> By: Denis http://blog.unmaskparasites.com/2010/05/19/newgeocheck-js-and-malicious-addthiss-net-iframe/comment-page-1/#comment-7515 Denis Thu, 20 May 2010 17:37:44 +0000 http://blog.unmaskparasites.com/?p=626#comment-7515 Thanks Thomas, This confirmation is really important as it lets webmasters of compromised sites focus on the security issues of their own computers and protecting their site credentials. Thanks Thomas,

This confirmation is really important as it lets webmasters of compromised sites focus on the security issues of their own computers and protecting their site credentials.

]]> By: Thomas J. Raef http://blog.unmaskparasites.com/2010/05/19/newgeocheck-js-and-malicious-addthiss-net-iframe/comment-page-1/#comment-7512 Thomas J. Raef Thu, 20 May 2010 14:39:41 +0000 http://blog.unmaskparasites.com/?p=626#comment-7512 Denis, As always, your research is invaluable to the Internet - nice job. We have seen this attack as well and in every case, we see the corresponding entries in the FTP logs showing that a stolen FTP account was used. We didn't see a long list of login attempts with incorrect passwords just a straight login with a valid FTP account which leads us to believe that the password was stolen. We've also seen a second type of malscript in the newgeocheck.js file. It starts with: <code>this.hB="";var geoCheck;this.secureF="secureF";var qPY;if(qPY!='rCheckO' && qPY!='checkSecureC'){qPY='rCheckO'};geoCheck="afabaea...</code> It had the exact same comment section as the one you identified above, but the code was entirely different. However, it does still decode to the same iframe: <code></code> Again, great research! Denis,

As always, your research is invaluable to the Internet – nice job.

We have seen this attack as well and in every case, we see the corresponding entries in the FTP logs showing that a stolen FTP account was used. We didn’t see a long list of login attempts with incorrect passwords just a straight login with a valid FTP account which leads us to believe that the password was stolen.

We’ve also seen a second type of malscript in the newgeocheck.js file.

It starts with:
this.hB="";var geoCheck;this.secureF="secureF";var qPY;if(qPY!='rCheckO' && qPY!='checkSecureC'){qPY='rCheckO'};geoCheck="afabaea...

It had the exact same comment section as the one you identified above, but the code was entirely different. However, it does still decode to the same iframe:

Again, great research!

]]>