mass infection ongoing

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing an mass injection attempt. Currently, there's been 180,000 affected pages, according to Google.

The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton, seen from the following deobfuscated script:

Here is a text version of the above decoded script.

The scripts causes the visiting browser to load an iframe first from and then from Multiple browser-based drive-by download exploits are served depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites will be installed with malware on their machines without their knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).

This wave of mass injection incident is targeting ASP ASP.NET websites.

Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware. resolves to IP (AS3999), which is in Russia. resolves to (AS36352), which is in the US and hosted by resolves to IP (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: (AS25653), which is in the US.


1. ASP and ASP.NET websites are injected with the following script (text is here):

2. Contents of urchin.js is as seen below; full text is here.

3. The above script decodes to the following:

Here is a text version of the above decoded script.

4. The above script generates an iframe to, which gives an HTTP 302 redirect to the exploit server at

Read more (rest of article)...