Sophos Cloud Optix
It has been a month since we added detection for Troj/JSRedir-AK and figures generated today show that over 40% of all web-based detections have been from this malicious code.
[Graph shows malware hosted on websites from 2009-12-22 11:00:00 to 2010-01-21 11:00:00 (GMT-8)]
We saw 180,000 webpages that were infected with Troj/JSRedir-AK in the last 31 days. Translating that number into a more human comprehensible form means that we are seeing one new webpage infected with this malware every 15 seconds.
The affected sites include a host of well-known names, including ones from the following industry sectors:
- Energy Companies
- Retail Companies
- Automobile Club
- Hotels
In earlier posts (2) I talked a little about what Troj/JSRedir-AK does, and I will expand on that a little below.
Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iFrame in order to point to a Russian website on port 8080 which serves up scripts detected by Sophos as Troj/Iframe-DL.
This new script will write an iFrame that will attempt to load a malicious PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG image (detected as Exp/VidCtl-A). These then will install various other malware onto your computer.
Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones.
In fact, the graph above is very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials).