
Mass ASP.Net SQL Injection Infects Thousands Of Websites


Attackers have infected about 180,000 websites running on Microsoft's ASP.NET platform via SQL injection, planting malware served from jjghui.com/urchin.js. The attack is similar to the Lizamoon mass infection that spread terror among the masses a few months ago.

The attack, which started on the 9th of October, has affected almost 1.5k sites, which have now been blacklisted, and according to Google about 80k+ pages in its index carry JavaScript malware pointing to the script.




Visitors whose browser uses one of six particular languages, namely English, German, French, Italian, Polish and Breton, are the most exposed to the attack, as can be seen from the following deobfuscated script:


This causes the browser to load an iframe from one of two remote sites: www3.strongdefenseiz.in and www2.safetosecurity.rr.nu. From there, the iframe plants malware on the visitor's PC via a number of browser drive-by exploits.

The exploit runs even if the visitor neither opens a file nor clicks a link, which makes it ideal for the attackers because the victim remains unaware of the attack. The attackers are, however, using exploits that are already known and for which patches are available. Hence, the attack can only succeed if the visitor is using an outdated, unpatched browser without the latest version of Adobe PDF, Adobe Flash or Java.

Currently, only six of 43 antivirus engines detect this malware: AntiVir, ByteHero, Fortinet, Jiangmin, McAfee and McAfee-GW-Edition.


What is interesting is that the registration information for this domain is the same as that used for the earlier Lizamoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

This leads us to think that this may be the work of the infamous "Lizamoon mass infection" attackers.
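The injected script reference and the two iframe hosts named above give a defender two places to look: the rendered HTML of a site, and the text columns of the back-end database that a Lizamoon-style SQL injection writes the tag into. The following Python scanner is an added example and is not part of the original post or of the Armorize write-up; the host names come from the article, while the sample page, the sample column value and the iframe path `EXAMPLE_PATH` are constructed.

```python
import re
from html.parser import HTMLParser

# Hosts named in the article (page values, not constructed).
INDICATORS = ("jjghui.com", "www3.strongdefenseiz.in", "www2.safetosecurity.rr.nu")


def host_of(url):
    """Return the lowercased host of an absolute or protocol-relative URL, else ''."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def indicator_for(url):
    """Return the matching indicator if the URL's host is (or is under) one of them."""
    host = host_of(url)
    for ind in INDICATORS:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


class InjectedRefFinder(HTMLParser):
    """Collect <script>/<iframe> elements whose src points at a known indicator."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src") or ""
            ind = indicator_for(src)
            if ind:
                self.hits.append((tag, ind, src))


def scan_html(html):
    """Scan rendered HTML; returns [(tag, indicator, src), ...]."""
    parser = InjectedRefFinder()
    parser.feed(html)
    return parser.hits


# The injection appends the raw tag to stored text, so scan DB columns as plain text too.
TAG_RE = re.compile(r"""<script[^>]+src\s*=\s*["']?([^"'\s>]+)""", re.I)


def scan_text_column(value):
    """Return script src URLs in a raw column value that point at an indicator."""
    return [m.group(1) for m in TAG_RE.finditer(value) if indicator_for(m.group(1))]


# Constructed sample page: one injected script tag, one drive-by iframe, one benign script.
SAMPLE_PAGE = """<html><body><h1>Products</h1>
<p>Widget A<script src="http://jjghui.com/urchin.js"></script></p>
<iframe src="http://www3.strongdefenseiz.in/EXAMPLE_PATH" width="1" height="1"></iframe>
<script src="/js/site.js"></script></body></html>"""
```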

1. ASP and ASP.NET websites are injected with the following script:


2. The contents of urchin.js are as seen below:



3. The above script decodes to the following:




Discovered By: http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html


1 comment:

Anonymous said...

Hi bro, can you please tell me how to put Chitika ads on a hacking-related blog? I already applied for it, but Chitika doesn't approve my content. Please help me bro. Can I expect a post from you on how to do that?

About

Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay became known after finding a Remote Code Execution bug in PayPal, for which PayPal awarded him $10,000.


RHA © 2013. All Rights Reserved.