From color pink to infectious binary

From color pink to infectious binary

My daughter should be credited (or blamed) with the Cute, Pink, and Infected release.

She was playing games on my computer and suddenly screamed: “The internet has stopped!”

Yes indeed, the browser had shut down on her. All I knew at the time was that this involved some online games and a google search using the word “games” or “hry” (games in Czech).

Back at the office, I started sifting through the list of infected sites for those with “game” or "arcade" in the URL and found quite a few. Even better, there were even two sites, cutearcade.com and hiddenninjagames.com, that looked something like the game sites she had been visiting.

After sending these URLs to Jan Sirmer in the AVAST Virus Lab for analysis, the code behind the color was uncovered. The cutearcade.com site was infected with JS:Redirector and JS:ScriptXE-inf. The malicious code is shown here in the picture to the right. After deobfuscation, it is visible that the redirector is sending visitors to linuxstabs.com, a known malware distribution site from where the final payload of malware is sent out to infected computers. This initial dose of malware was caught by the Script Engine in avast!.

Hiddenjinjagames has been blocked by avast! antivirus since the beginning of September 2011. The Virus Lab detected an “I” frame infection, iframe astrofiber.co.be/showthread.php?t=20070066, placed just before the <HTML> tag.

The site probably is part of an exploit kit which is used to carry out automated ‘drive-by’ attacks. These typically look for a number of vulnerabilities such as unpatched software and attack the weak points they discover. But, we can only say probably, because the URL was not active in early January.

Which leads us to the final paradox: during the first four months of the infection, the number of hits – visits by avast! CommunityIQ members – was consistent. But, as the exploit kit became inactive, the number of visitors dropped sharply. Which makes me think that the malware writers really do know something about children: If it's dangerous, it is attractive.

Related articles

--> -->