Jiri Sejtko

21 May 2009

Rogue malware ranking


Nowadays the internet is full of hacked websites that redirect visiting users to various malware distribution networks. Hacking a website usually consists of nothing more than adding an iframe, a script tag or a somewhat more sophisticated piece of JavaScript to the clean code. These methods rely solely on the reputation of the infected domain to bring in victims. Last week (2009-05-13) we released detection signatures for one interesting redirector, named JS:Redirector-I [Trj]. Its source is a type of Rogue malware (fake security software), which is commonly known to spread through social engineering. Now we can talk about 'search engine related' social engineering. The redirector itself doesn't look particularly sophisticated; its simple code is hidden (obfuscated) as shown in the next image:
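The two injection patterns just described (a hidden iframe, or a script tag loading code from somewhere else) are easy to spot once you know what to look for. Here is an added example of a small offline scanner for them; it is not code from the original post or from Avast, it is regex-based so it runs with no dependencies (a production scanner should parse the DOM), and the hostnames in the sample page are constructed for the example.

```javascript
// Added example for this post, not the original sample or Avast code: a small offline
// scanner for the two injection patterns described above, an iframe sized or styled to be
// invisible, and a <script src> that loads from a host other than the page's own.
// It is regex-based so it runs with no dependencies; a production scanner should parse the DOM.
// The hostnames in SAMPLE_HTML are constructed for the example.

const IFRAME_RE = /<iframe\b[^>]*>/gi;
const SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Read one attribute from an opening tag, handling double-quoted, single-quoted and bare values.
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// An iframe the visitor cannot see: 0/1 px in either dimension, or hidden via inline CSS.
function isHiddenIframe(tag) {
  const w = parseInt(attr(tag, 'width'), 10);
  const h = parseInt(attr(tag, 'height'), 10);
  const style = (attr(tag, 'style') || '').replace(/\s+/g, '').toLowerCase();
  return (Number.isFinite(w) && w <= 1) || (Number.isFinite(h) && h <= 1) ||
    style.includes('display:none') || style.includes('visibility:hidden');
}

// Returns a list of findings; each carries the kind, the referenced src and the raw tag.
function findInjections(html, pageHost) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    if (isHiddenIframe(m[0])) {
      findings.push({ kind: 'hidden-iframe', src: attr(m[0], 'src'), tag: m[0] });
    }
  }
  for (const m of html.matchAll(SCRIPT_RE)) {
    let host;
    // Resolve relative src values against the page's own host so /js/site.js is not flagged.
    try { host = new URL(m[1], 'http://' + pageHost + '/').hostname; } catch (e) { continue; }
    if (host !== pageHost) {
      findings.push({ kind: 'external-script', src: m[1], tag: m[0] });
    }
  }
  return findings;
}

// Constructed page: one legitimate iframe and script, plus the two injected patterns.
const SAMPLE_HTML = `<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://ads.example/frame" width="300" height="250"></iframe>
<iframe src="http://redir.example/x.php" width="1" height="1" style="display:none"></iframe>
<script src="http://redir.example/r.js"></script>
</body></html>`;

for (const finding of findInjections(SAMPLE_HTML, 'victim.example')) {
  console.log(finding.kind, finding.src);
}
```

Run it with `node` and it reports the 1x1 hidden iframe and the script loaded from redir.example, while the visible ad frame and the site's own script pass. An external script is not proof of compromise on its own (CDNs and analytics are external too), so treat that finding as something to review against a known-good list of hosts rather than as a verdict.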

All of the script's functionality is obfuscated, but nothing new appears after "unhiding" it: the script simply checks the referrer and, if it matches, builds the new URL to which the browser is redirected. The unpacked redirection script is shown in the next image (for security reasons the target URL has been removed):
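The decision logic just described, the referrer check followed by construction of the target URL, is shown below as an added example. It is not the JS:Redirector-I sample itself (whose real target URL was withheld above); the list of search engines, the query parameter names and the landing URL are assumptions made for the example, and how the real script built its target is not reproduced.

```javascript
// Added example for this post, not the JS:Redirector-I sample itself (its real target URL was
// withheld above). It models the decision the unpacked script makes: redirect only when the
// visitor arrived from one of a fixed set of search engines, otherwise leave the page alone.
// The engine list, the query parameter names and the landing URL are assumptions for the example;
// the real script's construction of the target URL is not reproduced.

const SEARCH_ENGINES = [
  { name: 'google', host: /(^|\.)google\.[a-z.]+$/i,  param: 'q' },
  { name: 'yahoo',  host: /(^|\.)yahoo\.com$/i,       param: 'p' },
  { name: 'live',   host: /(^|\.)(live|msn)\.com$/i,  param: 'q' },
  { name: 'ask',    host: /(^|\.)ask\.com$/i,         param: 'q' },
];

// Parse the referrer and report which engine (if any) the visitor came from and what they searched.
function searchEngineReferrer(referrer) {
  let u;
  try { u = new URL(referrer); } catch (e) { return null; } // '' (direct visit) and junk both land here
  for (const e of SEARCH_ENGINES) {
    if (e.host.test(u.hostname)) {
      return { engine: e.name, query: u.searchParams.get(e.param) || '' };
    }
  }
  return null;
}

// The gate: returns the URL the browser would be sent to, or null when no redirect happens.
function redirectTarget(referrer, landing) {
  const hit = searchEngineReferrer(referrer);
  if (!hit) return null; // direct visitors, crawlers and other referrers see the page unchanged
  const target = new URL(landing);
  target.searchParams.set('q', hit.query); // passing the query along is an assumption of this example
  return target.toString();
}

// Inside a page the gate would be used as:
//   const t = redirectTarget(document.referrer, LANDING); if (t) location.replace(t);
// Offline, exercise it with constructed referrers:
const LANDING = 'http://landing.example/'; // placeholder, not the real target
console.log(redirectTarget('http://www.google.com/search?q=zimbabwe+economy', LANDING));
console.log(redirectTarget('http://news.example/story', LANDING)); // null
```

The gate is the reason the hacked page looks clean to its owner and to anyone who types the address directly: without a search-engine referrer nothing happens. When checking a suspect page by hand, request it with a search-engine referrer (for example `curl -e "http://www.google.com/search?q=term" URL`) as well as without one, and compare the two responses.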


The only way to be redirected by this script is to arrive via one of the search engines it tests for. This means the user must enter search terms that make the search engine return at least one of the infected URLs. How is it done? Let's look at the full hack: it consists of more than 200 HTML files and one JavaScript file. The directory structure is shown in the next image (only the beginning and end of the structure are shown):


Two randomly named directories are created during the hack and all the files are placed in the second subdirectory. The names of the HTML files say what's inside; let's look inside zimbabwe.htm:


The image above shows that the HTML files are stuffed with keywords and phrases to fool search engines and their indexers. Let's google the phrase shown in the red box:


The hacked website comes up third, which means we were searching with exactly the criteria the hackers were expecting. Just one click and the user's browser is redirected to a site that installs the Rogue malware. Finally, here is the detection score of the JavaScript redirector (http://www.virustotal.com/en/analisis/57c5698d1677ba219baf95817f5b87fd):


Behavior of JS:Redirector-I [Trj]:

  • doesn't affect the hacked website's own content, just hijacks its space to ambush unsuspecting visitors
  • fools search engines into serving the hacked URLs
  • redirects to Rogue malware servers
  • accepts only the most used search engines as referrers