DO NOT RUN IN ANY PRODUCTION OR NON-LAB ENVIRONMENT UNDER ANY CIRCUMSTANCES
------------------------------------------------------------------------
Sent by: Mike Fara (mjfara@gmail.com), Nextwork Media
Sent by: Joseph Stackhouse (junkmauler@gmail.com), ChaCha.com
------------------------------------------------------------------------
PRIORITY: URGENT EMERGENCY
SUMMARY
------------------------------------------------------------------------
Severity: We have detected over 25,000 hits to our websites, as well as at least one with over 2,000,000 pages of content, exploited from a malicious website called "www.priceforinsurance.com". This website contains encrypted JavaScript injection code. We believe that this is "in the wild" and "undetected" by all anti-virus and anti-malware software. This appears to be cross-platform and is being launched from multiple attack sites, although the JS itself is hosted on a distribution server called www.googlefreehosting.com. The attack cannot be blocked by mod_rewrite and has no known remedy.
------------------------------------------------------------------------
Previously Unknown Cross-platform Vulnerability Uses Adobe Flash and JavaScript
------------------------------------------------------------------------
The end-user or perpetrator visits the attack site, which meta-refreshes them to the TARGET site, and also loads the JavaScript. This obfuscated JavaScript “mr9js.js” then executes 4_.swf, another encrypted file with BASE64 encoding, apparently accessible once the mr9js.js is loaded by the browser.
------------------------------------------------------------------------
What this does
------------------------------------------------------------------------
It appears this ******, upon decoding it, is malicious in nature. It prevents mod_rewrite from blocking the redirection to the target site. It appears that the 4_.swf file is being used for data collection, potentially for click fraud, privacy violation, and it does appear to confirm its own installation. We believe that the initial mr9js.js file is a platform to launch 4_.swf. We do not know the extent to which these files have an effect on the target site or the end-user who executes them without their knowledge. The ****** is clearly designed to hide itself, prevent it from being blocked by the targeted website, and continue to launch arbitrary code which may be used for unauthorized tracking, click and/or link fraud, and a number of other operations. We are uncertain as to the extent and functionality of the ****** after it is launched. This must be diagnosed by an anti-virus and anti-malware security laboratory.
------------------------------------------------------------------------
Contents
------------------------------------------------------------------------
We have decrypted the files and placed them in a compressed archive for your review. We have also retained the encrypted files.
index.html – this is only downloadable via a utility like curl from the attacking site due to the meta-redirection taking place.
mr9js.js – distributes the 4_.swf file and may also function as a control mechanism for its behavior
4_.swf – the encrypted Adobe Flash Player binary that executes the arbitrary and malicious code
mr9js.js-decrypt.txt – decrypted version of the spyware(?) JS before meta refresh to the target server.
4_.swf-decrypt.txt – this is the decrypted version of the Adobe Flash Player binary
------------------------------------------------------------------------
Live Example in the Wild Right Now
------------------------------------------------------------------------
The distribution point for the mr9js.js ****** seems universal. It is http://www.googlefreehosting.com/mr9js.js?s=0&i=1
The attack site is:
http://www.priceforinsurance.com
The targeted (victim) site is:
http://windowsforum.com
Other previously victimized sites:
http://windows7forums.com
http://www.macrumors.com (see: http://forums.macrumors.com/showthread.php?t=1565555)
This distribution site is not a Google owned property. The owner of the distribution site and the attack sites appear to be the same. We do not believe this attack is limited to forums. A quick search for the mr9js.js file shows it has propagated on blogs and other hosted content. The primary use for this cross-platform attack is not entirely known, so a risk assessment is not possible without professional analysis.
priceforinsurance.com domain name record
Registrant:
Keva Reed
4738 Juniper Drive
Saginaw, AL 48607 US
+1.9899281913
fenzu.333@gmail.com
Administrative:
Keva Reed
4738 Juniper Drive
Saginaw, AL 48607 US
+1.9899281913
fenzu.333@gmail.com
Technical:
Keva Reed
4738 Juniper Drive
Saginaw, AL 48607 US
+1.9899281913
fenzu.333@gmail.com
Nameserver:
LOLA.NS.CLOUDFLARE.COM
NORM.NS.CLOUDFLARE.COM
Updated-Date:
Mar 31, 2013 06:00:39 PM
Created-Date:
Mar 15, 2013 05:32:13 PM
Registration-Expiration-Date:
Mar 15, 2014 05:32:13 PM
Domain:
priceforinsurance.com
Server:
SJL0VWLG01
Status:
registrar-lock
The same contact is on file for the distribution domain, as well as other domains that appear on Google search to have hosted the JavaScript.
We do not own priceforinsurance.com or have any affiliation with this malicious cross-platform attack.
We have filed a phishing complaint with Google, as well as a DMCA (Digital Millennium Copyright Act) notice.
We have now filed a complaint with CloudFlare. - 9:17 PM US ET 2013-08-07
We notified serverclub.com, webhost for priceforinsurance.com - 10:58 PM 2013-08-07
We have now notified ESET - 11:11 PM US ET 2013-08-07
We cannot rule out an injection attack.
We are unable to limit to forum software such as vBulletin or XenForo, as it appears to have been on blogs.
Because we confirm it is cross-platform using Java, we would consider this to be of very high severity.
We cannot confirm the exact goal of the ******, what its limitations are, or what it is doing completely.
A ****** this complex, which prevents mod_rewrite, must be used for some tracking purpose that is not known to the independent site that is being targeted. It appears part of the ****** function may be to nullify the browser HTTP REFERER.
Please send return e-mails to mjfara@gmail.com. I am the owner of WindowsForum.com, and my website is a victim of this malicious ******.
We urge you to examine these files, both in action, and included in this zip file.
HERE IS THE CODE BEING USED. COMPARE USING CURL from www.priceforinsurance.com (DO NOT VISIT THIS SITE ON A LIVE/PRODUCTION MACHINE)
mr9js.zip
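Added triage example (not part of this report and not code from the attached archive): the Python below parses a page captured with curl, the way the report describes fetching index.html, pulls out the meta-refresh target and every external script source, and flags any URL whose host or file name matches the indicators the report names (www.googlefreehosting.com, www.priceforinsurance.com, mr9js.js). It also tallies referers in web-server log lines to show why a referer-based mod_rewrite rule cannot single out visitors arriving with no referer at all. The HTML, the log lines, and the function names are constructed for this example.

```python
"""Defender-side triage for a captured attack page and for access-log referers.

Constructed example: the sample HTML and log lines below are modelled on the
report's description, not captured from any real site.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators named in the report (hosts and file name).
IOC_HOSTS = {"www.googlefreehosting.com", "www.priceforinsurance.com"}
IOC_FILENAMES = {"mr9js.js"}

# Constructed stand-in for the attack site's index.html: a meta refresh to the
# victim site plus a script tag pulling the JS from the distribution host.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://windowsforum.com/">
<script type="text/javascript"
        src="http://www.googlefreehosting.com/mr9js.js?s=0&amp;i=1"></script>
</head><body></body></html>"""

# Constructed Apache combined-format lines: one hit via the attack site, one
# with no referer at all, one from an ordinary search engine.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Aug/2013:21:17:01 -0400] "GET / HTTP/1.1" 200 5123 '
    '"http://www.priceforinsurance.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Aug/2013:21:17:03 -0400] "GET /forum/ HTTP/1.1" 200 8123 '
    '"-" "Mozilla/5.0"',
    '198.51.100.2 - - [07/Aug/2013:21:18:10 -0400] "GET / HTTP/1.1" 200 5123 '
    '"http://www.google.com/" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


class PageTriage(HTMLParser):
    """Collect meta-refresh targets and external <script src> URLs."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # names are already lowercased
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..."; the url part is case-insensitive
            m = re.search(r"url\s*=\s*(.+)", attrs.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1).strip().strip("'\""))
        elif tag == "script" and attrs.get("src"):
            self.script_srcs.append(attrs["src"])


def triage_page(html):
    """Return redirect targets, script sources, and which of them match IoCs."""
    parser = PageTriage()
    parser.feed(html)
    parser.close()
    flagged = []
    for url in parser.refresh_targets + parser.script_srcs:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        name = parsed.path.rsplit("/", 1)[-1]
        if host in IOC_HOSTS or name in IOC_FILENAMES:
            flagged.append(url)
    return {
        "refresh_targets": parser.refresh_targets,
        "script_srcs": parser.script_srcs,
        "flagged": flagged,
    }


def referer_summary(lines):
    """Count hits per referer host; '-' (no referer) gets its own '(none)' bucket."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ref = m.group("referer")
        host = urlparse(ref).hostname if ref != "-" else None
        counts[host or "(none)"] += 1
    return counts


if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML))
    print(referer_summary(SAMPLE_LOG))
```

Run it against a page saved with curl (never in a browser) and against a slice of the victim site's access log. The "(none)" bucket is the point of the second function: a mod_rewrite rule keyed on the Referer header only sees hits that still carry the attack site's URL, so any visitor whose referer has been suppressed lands in the same bucket as ordinary direct traffic and cannot be told apart by that rule alone.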