October 19, 2011

Imperva's Tomer Biton examines a new mass script injection attack that targets ASP/ASP.NET websites. As usual, this is a major technical dissection.


First, by searching Google for the JavaScript payload names we can see the mass of infected pages:


The injection includes an iframe pointing to one of two JavaScript payloads hosted on two sites (URLs not listed).

The injected script:


Now, let's deobfuscate the script:


The script targets visitors in 6 particular languages:

  • en = English
  • de = German (Standard)
  • fr = French
  • it = Italian
  • pl = Polish
  • br = Breton (yes, for real)

The redirector:

We can see the ‘go_to’ statement that redirects the visitor’s browser to the www3.strongdefenseiz.in domain:


According to robtex.com:

strongdefenseiz.in returns a 302 redirect response pointing to one of the following domains:

  • hXXp://www2.strong-dvmaster.rr.nu
  • hXXp://www2.simple-guardo.rr.nu

 How do you like your malware?

We were able to identify 3 different scripts from the above domains. The scripts are served gzip-encoded; however, the Malzilla tool gives us a better view of them:

Once the scripts execute in the visitor’s browser, one of the following pages loads:

Script # 1: Top 10 Famous Celebrity Sex Scandals


Script #2: Emma Watson never seen before home video


Script #3: Scareware/Fake Anti-Virus


What About The Malware?

The malware's main characteristics include:

  • FileSize: 292.00 KB (299013 bytes)
  • MD5: 8DACD674BF9F7A08BFF667721E53B106
  • SHA1: 38954871CE0D2249BCFA500F24A00A5FAF93BFA0

The binary has a layer of UPX compression. As usual for UPX, the section header consists of the following sections:

  • .UPX0
  • .UPX1
  • .rsrc

This sample is designed to redirect web search results from Bing.com and Google.com. It uses rootkit techniques to hide its presence from the victim and from security products. This is not the first time we have seen this kind of behavior: malware from the TDSS (TDL3 and TDL4) and ZeroAccess/Sirefef families was involved in nearly all cases of those annoying redirects.

I’m guessing the sample is eventually routing the traffic to Google after monitoring it or logging it for whatever reason.

Once executed, the sample creates a service by loading a kernel-mode driver, 5640.sys:


The SYSTEM process (PID 4) is infected via a malicious thread injection:


The local pharming technique? The sample modifies the system hosts file (/etc/hosts), locks it and sets it as hidden:


After inserting roughly 60 blank (CRLF) lines, it also adds the following entries (you have to page down to see them):


The sample also copies itself to a tmp folder with a .tmp extension:


As described above, the sample is designed to redirect user searches from Google and Bing. After infection, pinging Google.com and bing.com returned the same IP:

Before infection vs. after infection:


Whereas Facebook.com is not a target:
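The hosts-file symptom described above (a run of blank lines pushing the entries off screen, then both search engines pinned to one address) is easy to check for from a defender's side. The following is an added example, not code from the original post: the hosts content is constructed, and 203.0.113.10 is a documentation-range placeholder rather than the sample's real redirect address.

```python
"""Hosts-file pharming check for the padding-then-redirect pattern described above.
Added example, not from the original post; the hosts text below is constructed and
203.0.113.10 is a documentation-range placeholder, not the sample's real address."""
from collections import defaultdict

# Search domains the sample is reported to redirect. Anything else (Facebook, say)
# is not watched, so a single non-watched override alone is not flagged.
WATCHED = {"google.com", "www.google.com", "bing.com", "www.bing.com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
PADDING_THRESHOLD = 40  # a blank-line run this long pushes entries off the first screen

def parse_hosts(text):
    """Return (entries, longest_blank_run); entries is a list of (ip, hostname)."""
    entries, blank_run, longest = [], 0, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            blank_run += 1
            longest = max(longest, blank_run)
            continue
        blank_run = 0
        fields = line.split()
        for host in fields[1:]:                  # one IP, one or more hostnames
            entries.append((fields[0], host.lower()))
    return entries, longest

def analyze_hosts(text):
    """Flag off-screen padding, watched-domain overrides, and domains sharing one IP."""
    entries, longest = parse_hosts(text)
    by_ip = defaultdict(set)
    for ip, host in entries:
        by_ip[ip].add(host)
    hijacked = sorted(h for ip, h in entries if h in WATCHED and ip not in LOOPBACK)
    shared = {ip: sorted(hs) for ip, hs in by_ip.items()
              if ip not in LOOPBACK and len(hs) > 1}
    return {"longest_blank_run": longest,
            "padded": longest >= PADDING_THRESHOLD,
            "hijacked": hijacked,
            "shared_ip": shared,
            "suspicious": longest >= PADDING_THRESHOLD or bool(hijacked)}

# Constructed sample mirroring the described layout: the stock localhost line,
# ~60 CRLF padding lines, then the redirect entries for both search engines.
SAMPLE_HOSTS = ("127.0.0.1 localhost\r\n" + "\r\n" * 60
                + "203.0.113.10 www.google.com google.com\r\n"
                + "203.0.113.10 www.bing.com bing.com\r\n")

if __name__ == "__main__":
    print(analyze_hosts(SAMPLE_HOSTS))
```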


Be safe.
