http://jjghui.com/urchin.js mass infection ongoing

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing a mass injection attempt. Currently, there have been 180,000 affected pages, according to Google.


The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton--as seen in the following deobfuscated script:



Here is a text version of the above decoded script.

The script causes the visiting browser to load an iframe, first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served, depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites have malware installed on their machines without their knowledge, provided they are running outdated browsing software (the browser itself, Adobe PDF, Adobe Flash, Java, etc.).

This wave of mass injection is targeting ASP and ASP.NET websites.

Currently, 6 out of 43 antivirus vendors on VirusTotal detect the dropped malware.


jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.

[Details]

1. ASP and ASP.NET websites are injected with the following script (text is here):


2. The contents of urchin.js are as seen below; full text is here.


3. The above script decodes to the following:

Here is a text version of the above decoded script.

4. The above script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.
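To check a site's own pages for the injection described in these steps, here is an added example (not code from the original post): a Python scanner that flags `<script>` and `<iframe>` sources, plus host references assembled inside script text, that point at the three hosts named above. The sample pages are constructed; the clean one loads the legitimate Google Analytics urchin.js, whose filename the injected script mimics.

```python
import re
from html.parser import HTMLParser

# Hosts named in the post: the injected script source and the two hops of the
# iframe/redirect chain. Matching is on host only, so path variants are caught too.
KNOWN_HOSTS = {"jjghui.com", "www3.strongdefenseiz.in", "www2.safetosecurity.rr.nu"}


def host_of(url):
    """Extract the lowercased host from an absolute or protocol-relative URL."""
    stripped = re.sub(r"^\s*(?:https?:)?//", "", url, flags=re.I)
    return stripped.split("/")[0].split(":")[0].lower()


class InjectionScanner(HTMLParser):
    """Record <script src> and <iframe src> attributes pointing at KNOWN_HOSTS."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value and host_of(value) in KNOWN_HOSTS:
                    self.hits.append((tag, host_of(value)))


def scan_html(html):
    """Return sorted (tag, host) pairs; tag is "text" for hosts only seen in raw text.

    The raw-text pass catches references built inside script code (document.write,
    string concatenation) that the tag-level parser cannot see.
    """
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    hits = set(parser.hits)
    seen = {host for _, host in hits}
    pattern = r"(?:https?:)?//(" + "|".join(map(re.escape, sorted(KNOWN_HOSTS))) + r")\b"
    for host in re.findall(pattern, html, flags=re.I):
        if host.lower() not in seen:
            hits.add(("text", host.lower()))
    return sorted(hits)


# Constructed sample pages (not real captured content).
CLEAN_PAGE = '<html><head><script src="http://www.google-analytics.com/urchin.js"></script></head></html>'
INFECTED_PAGE = ('<html><body><p>hello</p><script src="http://jjghui.com/urchin.js"></script>'
                 '<script>document.write("<ifr"+"ame src=//www3.strongdefenseiz.in/>")</script></body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run it over the saved HTML of every page on the site (or the templates and master pages, since the injection lands in shared ASP/ASP.NET includes) and treat any hit as a confirmed compromise to clean up.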
