

June 25th, 2009

Chameleon redirectors

Infections injected into legitimate websites are often just an iframe or script tag; sometimes simple encryption functions are used, and sometimes very complex algorithms are used to hide the redirection process. All these methods have the same objective: to redirect users to malware distribution websites hosting various exploit packs. There are also infections that try to imitate well-known and widely used services, mostly Google-related services, with Google Analytics being number one. It started with small changes in the URLs used by these services, for example “analytics” -> “analitics” and so on. In this article I will describe two new infections that imitate a well-known Google service in a more complex manner and at first look seem to be legitimate.

First, I will show the original code used for Google Analytics – the code is shown in the next picture.

[Image: google_analytics_orig]

JS:Redirector-T [Trj]

This detection was released last week on Tuesday – June 16, 2009. This is a very successful imitation of the original code for Google Analytics. The following image shows the code of the infection.

[Image: google_analytics_fake_t]

The fundamental difference is shown in the green rectangle. The attribute ‘sr?’ does not exist, and even though it ends up in the resulting tag, the browser ignores it. The real source attribute is hidden; it is marked with red arrows, and you can see that it is encrypted using a simple replace function.

Although our detection is more than a week old, avast! is still the only antivirus that detects it (GData uses avast! as one of its engines). The following picture is taken from VirusTotal.

[Image: google_analytics_fake_t_score]

Online VT report: http://www.virustotal.com/analisis/8b19b3c9f93cdbba4d74c931ade6072e214d9bae6de2602655dae7eaa1a9861b-1245927996

HTML:IFrame-HM [Trj]

This is a current threat: the detection was released today in the latest VPS update, June 25, 2009. The imitation is not as good as in the previous case, but there are elements and keywords taken from Google Analytics here too. The following image shows the infection; the labels indicate the sections of the code.

[Image: google_analytics_fake_hm]

And again, avast! is the only antivirus that protects you from this threat. The next image is taken from VirusTotal.

[Image: google_analytics_fake_hm_score]

And finally, the online VT report: http://www.virustotal.com/analisis/4db5b2f6303f88ecb8bf851308214a60493c50a4d465e36c810a6135a8b86d7c-1245954776

  • MadDogMatt

    I’ve gotten like 2 of these iFrames in the last few weeks, thank god I have Avast.
    Just wanted to say thanks to all of the fine men and women that work at ALWIL.