Hidden Malicious Redirector

Normally when you visit a webpage that’s been compromised, you can find the malicious redirect link (e.g. iframe, Javascript) by viewing the HTML source code. On this particular website, the malicious redirect link only appears when the webpage is saved or if you use Firebug.

Let’s take a closer look. Here’s the website:

This is the source code. Pay close attention to the scripts between the “Website Tagging” comments. Nothing malicious there right?

But when you save the webpage, the malicious redirect link appears.

Here’s Firebug in action. You can see it there on the far right.

There must be some Javascript code embedded in the PHP page that’s injecting the iFrame (probably doing an appendChild function). Alright, now let’s have a look at the exploit code.

Here’s the beautified version. As you can see it’s nothing fancy. Looks like they’re using a character lookup table.

After you decrypt the script, you get one more obfuscated script. This one is using a compression algorithm that’s similar to Dean Edward’s Packer.

Just change the “eval” up at the top to “alert” and you get the final script.

This is definitely an exploit script targeting Java and Acrobat. The foofranc.co.cc site is distributing the malicious JAR and PDF files inconsistently. When it does succeed, one of the payload files is a downloader. It also collects data from your PC (username, machine name, GUID) and sends it to another site:

hxxp://foochin[.]co[.]cc/l/da873f2b2c0979a9377d578e4cc9c378c0acce01a1026af601a9e6052900beab/?ver=3&label=24-may-2011-mini&user=Administrator&comp=MyPCName&guid=f8248acd-a91d-4123-a3ff-1c5d2ad7d975&id=8ce8232a63b7ddaac543abe12314ea68fc9af1255e7cb1fc0be8a19be7ab80a

Another is rogueware and your PC will also have some functionality disabled as part of the installation.

The third file is a Google search redirector. It will modify the proxy setting on your computer and route traffic to 127.0.0.1:58323 where this program is listening. When certain Google searches are made, the program will redirect the clicked links to one of their sites. Using Firefox and Chrome, depending on its configuration, will also have its Google search results redirected too.

Here’s a quick search for “italian food”:

I clicked on the “Olive Garden” link but got to this site instead:

There’s also two other programs that gets dropped: csrss.exe and dwm.exe . These appear to be variants of the Google search redirector program.

Downloader/Data Collector (6 of 42):
http://www.virustotal.com/file-scan/report.html?id=b9fc687d577521f847f70d7ded1f6cb3aa4b8f0f7a70b665fced24a172d11700-1306604397

Rogueware (11 of 42):
http://www.virustotal.com/file-scan/report.html?id=b83d8ff744373038d2970bd5a4e7e1297a149916e2dbf881c88b18038e67a87c-1306604273

Google Search Redirector (6 of 42):
http://www.virustotal.com/file-scan/report.html?id=19ac822ce0e4b37ebc74c5705cc657ec31984b8a0c3a4d8085e412607d5c5c04-1306571823

csrss.exe (5 of 42):
http://www.virustotal.com/file-scan/report.html?id=b7c30f1707906d28198bf62a3979f395336f2cbb1e364b3a175b93d5a348bbe2-1306608454

dwm.exe (4 of 42):
http://www.virustotal.com/file-scan/report.html?id=34c20441637483c0f3d9e2981ed4e2f8240d7c0db4758ac57030b9b7a9119afe-1306607976

After the installation was done, the cache contained a few files left over after the malware installation. Two of them were notes left by the hacker:

I need to thank “V”, another member of KahuSecurity who posts articles here on RARE occasions (hint, hint), for doing some of the research on this case.

Posted on: 05/28/2011