350,000 Web Pages Fall Victim to ASP Mass Infection


Jack

Jan 24, 2011
Armorize reveals another mass infection which affected hundreds of thousands of sites that relied on ASP or ASP.NET web application frameworks.
According to Google, there are now more than 350.000 infected web pages.

The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton, seen from the following deobfuscated script:

[Image: jjghui.com urchin.js, deobfuscated script]

The script causes the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites will have malware installed on their machines without their knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java, etc.).

This wave of mass injection incidents is targeting ASP and ASP.NET websites.

Currently, 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.

See http://jjghui.com/urchin.js mass infection ongoing
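
Added example, not part of the original post or of Armorize's report: a site owner's check that parses stored or rendered HTML and reports any `script` or `iframe` tag loading from the three hostnames named above. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames named in the post above (script host and the two iframe hosts).
INDICATOR_HOSTS = {
    "jjghui.com",
    "www3.strongdefenseiz.in",
    "www2.safetosecurity.rr.nu",
}

class RemoteLoadFinder(HTMLParser):
    """Collects (tag, host, line) for script/iframe tags loading from a listed host."""

    def __init__(self, hosts):
        super().__init__(convert_charrefs=True)
        self.hosts = {h.lower() for h in hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = (dict(attrs).get("src") or "").strip()
        if src.startswith("//"):      # protocol-relative URL: add a scheme to parse it
            src = "http:" + src
        try:
            host = (urlsplit(src).hostname or "").lower()
        except ValueError:            # malformed URL: nothing to match against
            return
        if host in self.hosts:
            self.hits.append((tag, host, self.getpos()[0]))

def find_injected_loads(html, hosts=INDICATOR_HOSTS):
    """Return a list of (tag, host, line_number) hits found in an HTML string."""
    finder = RemoteLoadFinder(hosts)
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: a table cell with a script tag appended to its text,
# a legitimate same-site script, and a plain-text mention that must not be flagged.
SAMPLE_PAGE = """<html><body>
<table><tr><td>Blue widget<script src=http://jjghui.com/urchin.js></script></td></tr></table>
<script src="/js/site.js"></script>
<IFRAME SRC="//WWW3.strongdefenseiz.in/x"></IFRAME>
<p>See jjghui.com for details</p>
</body></html>"""

if __name__ == "__main__":
    for tag, host, line in find_injected_loads(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads from {host}")
```

Matching on the parsed `src` host rather than on a substring avoids flagging pages that merely mention the domain in text, as the last paragraph of the sample does.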
 