Let’s take a closer look. Here’s the website:
This is the source code. Pay close attention to the scripts between the “Website Tagging” comments. Nothing malicious there, right?
But when you save the webpage, the malicious redirect link appears.
Here’s Firebug in action. You can see it there on the far right.
Here’s the beautified version. As you can see, it’s nothing fancy. It looks like they’re using a character lookup table.
After you decode the script, you get one more obfuscated script. This one uses a compression algorithm similar to Dean Edwards’ Packer.
Just change the “eval” up at the top to “alert” and you get the final script.
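Swapping “eval” for “alert” works, but it still runs the attacker’s wrapper in the browser. The following is an added example (not code from the original post) that recovers the final layer of a Packer-style `eval(function(p,a,c,k,e,d){...})` script statically: it pulls the payload, base, word count and keyword list out of the wrapper and reverses the token substitution without executing anything. The packed sample is constructed for the demonstration and assumes the standard wrapper layout.

```javascript
// Packer encodes word indices with this alphabet: 0-9, a-z, then A-Z (base up to 62).
const ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Constructed sample: a standard Packer wrapper around alert("hello world");
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};" +
  "if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}" +
  "k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};" +
  "while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}" +
  "return p}('0(\"1 2\");',3,3,'alert|hello|world'.split('|'),0,{}))";

// Decode one token back to its keyword index; -1 means "not an encoded index".
function decodeIndex(word, base) {
  let n = 0;
  for (const ch of word) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0 || v >= base) return -1;
    n = n * base + v;
  }
  return n;
}

// Extract the trailing argument list: }('payload',base,count,'k0|k1|...'.split('|')
function extractPackerArgs(src) {
  const m = src.match(
    /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/
  );
  if (!m) return null;
  const unescape = (s) => s.replace(/\\(['\\])/g, "$1"); // undo Packer's ' and \ escaping
  return {
    payload: unescape(m[1]),
    base: Number(m[2]),
    count: Number(m[3]),
    keywords: unescape(m[4]).split("|"),
  };
}

// Reverse the substitution: every \w+ token that decodes to a known, non-empty
// keyword is replaced by that keyword; anything else is left untouched.
function unpack(src) {
  const args = extractPackerArgs(src);
  if (!args) return null;
  const { payload, base, count, keywords } = args;
  return payload.replace(/\b\w+\b/g, (word) => {
    const idx = decodeIndex(word, base);
    return idx >= 0 && idx < count && keywords[idx] ? keywords[idx] : word;
  });
}

console.log(unpack(SAMPLE_PACKED)); // prints alert("hello world");
```

Real samples often stack several layers, so the recovered output may itself need to be fed back through the same routine.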
This is definitely an exploit script targeting Java and Acrobat. The foofranc.co.cc site is distributing the malicious JAR and PDF files inconsistently. When it does succeed, one of the payload files is a downloader. It also collects data from your PC (username, machine name, GUID) and sends it to another site:
Another is rogueware and your PC will also have some functionality disabled as part of the installation.
The third file is a Google search redirector. It modifies the proxy setting on your computer and routes traffic to 127.0.0.1:58323, where this program is listening. When certain Google searches are made, the program redirects the clicked links to one of their sites. Depending on their configuration, Firefox and Chrome will also have their Google search results redirected.
Here’s a quick search for “italian food”:
I clicked on the “Olive Garden” link but got to this site instead:
There are also two other programs that get dropped: csrss.exe and dwm.exe. These appear to be variants of the Google search redirector program.
Downloader/Data Collector (6 of 42):
Google Search Redirector (6 of 42):
After the installation finished, the cache contained a few leftover files. Two of them were notes left by the hacker:
I need to thank “V”, another member of KahuSecurity who posts articles here on RARE occasions (hint, hint), for doing some of the research on this case.