McAfee Research Blog

When your web site is attacked by the Hijacking Blog

April 24th, 2008

Today’s malware threats are nastier and stealthier than ever before. In this blog entry we dissect a very common but as yet little-known threat, which has infected and compromised many web servers worldwide. The hacked web sites display different content depending on whether you access them directly or arrive through a search engine query via Google, Live.com or Yahoo, to name just a few.

The screenshot above shows an example of a compromised web site accessed directly, by typing the domain into the browser’s URL field or clicking one of your bookmarks. It looks legitimate and no strange behaviour can be observed, so nothing is wrong with it, right? But the same web site looks completely different when a visitor arrives from Google & Co. In that case you get a black web site that looks like a Blogger.com site.

When you take a closer look at the web site’s source code to find the culprit behind this different behaviour, you may stumble upon the Cascading Style Sheet, which is infected with some suspicious-looking JavaScript code, as shown in the next screenshot. After de-obfuscating the code, you can see references to files named ‘check.js’ and ‘dummy.htm’ on the same server.

The ‘magic’ lies buried within the file ‘check.js’. Carefully hidden after many padding newlines, right in the middle of the file, there is some more script code which checks the document’s referrer property. If the referring page matches one of the known search engines, the browser is redirected to the “Hijacking Blog” page referenced in the ‘dummy.htm’ file.

Interestingly, the search engine query, that is, the terms a user tried to find, is passed along with the request, and so the blog page shows them with this decorating text: “Particulary I like the first site but other sites are informative as well, so if you have interest in <search terms> you should check all those links. I hope you’ll like them“. So a user will just take the advice and go with one of these links.

At the moment these links seem to be just affiliate spam and don’t point to a malicious web site, but it is disturbing that the C&C server from which the actual links are fetched is located in China.

Web masters should take any user inquiry reporting that their web site is hijacked for certain search engine queries very seriously. Good advice is to check the CSS file for any modification and for the presence of suspicious script code. Also check for the presence of files called “dummy.htm”, “check.js”, “blog.htm” and “/ex3/t.htm” in some random directory. Further reports indicate that sometimes the server’s “.htaccess” is also infected with some Apache RewriteEngine code, again padded with many newlines. This rewrite rule simply forwards any user coming from a known search engine directly to the “Hijacking Blog” page.
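As an added example (not code from the post or from McAfee), here is a small Python checker for the indicators listed above: it walks a web root and flags files carrying the reported names, script code inside a .css file, a .htaccess RewriteCond keyed on a search-engine referrer, and long runs of padding newlines. The 20-newline threshold and the token lists are assumptions made for this example.

```python
import os
import re

# File names the post reports on compromised servers; the post places t.htm under "/ex3/".
SUSPICIOUS_NAMES = {"dummy.htm", "check.js", "blog.htm", "t.htm"}
# Script code has no business in a stylesheet; any of these tokens is a red flag.
CSS_SCRIPT_RE = re.compile(r"<script|document\.write|eval\(|unescape\(", re.I)
# A .htaccess rewrite keyed on a search-engine referrer matches the hijack the post describes.
HTACCESS_RE = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|yahoo|live\.com|msn)", re.I)
# The injected code hid behind long runs of blank lines; 20 in a row is an assumed
# threshold chosen for this example, not a figure from the post.
PADDING_RE = re.compile(r"(\r?\n){20,}")


def scan_text(name, text):
    """Return the findings for one file, given its base name and contents."""
    findings = []
    if name in SUSPICIOUS_NAMES:
        findings.append("filename matches known hijack artifact")
    if name.lower().endswith(".css") and CSS_SCRIPT_RE.search(text):
        findings.append("script code inside stylesheet")
    if name == ".htaccess" and HTACCESS_RE.search(text):
        findings.append("RewriteCond keyed on search-engine referrer")
    if PADDING_RE.search(text):
        findings.append("long run of padding newlines")
    return findings


def scan_webroot(root):
    """Walk a document root and map each flagged file (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            found = scan_text(fname, text)
            if found:
                report[os.path.relpath(path, root)] = found
    return report


# Constructed sample: a rewrite rule of the kind the post describes, padded with blank lines.
SAMPLE_HTACCESS = ("RewriteEngine On\n" + "\n" * 40 +
                   "RewriteCond %{HTTP_REFERER} .*google.* [NC]\n"
                   "RewriteRule .* /ex3/t.htm [R,L]\n")
```

Run `scan_webroot("/path/to/htdocs")` against a copy of the document root and review every flagged file by hand; a hit on the padding check alone is a prompt to look, not proof of infection.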

As a small side note, there seem to be some fixed hash-sum-like strings showing up on thousands of web sites when searching for them through Google, indicating that this is a bigger threat. And last but not least, it’s good to know that SecureWeb Anti-Malware users are protected from the hijacks, since these infected web sites are blocked as ‘Trojan.Redirector.E’.


Author: Anti-Malware Team
