hacked, infecting visitors with malware

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Our HackAlert 24x7 Website malware monitoring platform today indicated that has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:

[Infection Chain]

Step 1:

Causes the visiting browser to load the following:

Step 2:

This is the injection point. The entire content of the above .js file can be found here.

The injected section is shown in the above screenshot. The decoded version is as follows:
The text version is available here. This script generates an iframe to Step 3.

Step 3:

Throws out a 302 redirect to Step 4.

Step 4:

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting with a vulnerable browsing platform will result in an infection.

Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.

[The Attacker]

We don't know much at this point. The following are information regarding the associated malicious domains. (Step 3)
Location: Germany / Berlin
Created On:20-Jun-2011 13:17:05 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Street1:7880 SW 132 STREET
Registrant City:MIAMI
Registrant State/Province:Florida
Registrant Postal Code:33156
Registrant Country:US
Registrant Phone:+1.3053771635
Admin ID:TS_14483505
Admin Organization:N/A
Admin Street1:7880 SW 132 STREET
Admin Street2:
Admin Street3:
Admin City:MIAMI
Admin State/Province:Florida
Admin Postal Code:33156
Admin Country:US
Admin Phone:+1.3053771635
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Name Server:NS1.SKYNS1.NET
Name Server:NS2.SKYNS1.NET (Step 4)
Location: Sweden / Stockholm

The website is as of now, still serving this exploit and malware.

We're in the process of contacting If anyone have contacts to them, please drop us an email at

PS: Armorize is hiring presales in the bay area:

Read more (rest of article)...