Troj/JSRedir-AU: Troj/JSRedir-AK redux?

Late last year I blogged about ~40% of web-based malware. Earlier this year I mentioned it had changed and late last month I saw that it had changed again into Troj/JSRedir-AU.

The infection numbers of Troj/JSRedir-AR and Troj/JSRedir-AU haven’t been quite as impressive as those of Troj/JSRedir-AK, but the sites compromised have included several high profile victims. For instance this morning I was alerted to an infection on a major European newspaper by one of our Sophos web security appliances and earlier in the week Sophos notified a Dutch menswear outfitter of an infection on one of their sites.

The outfitter after being notified did not want ‘our help’ and three days latter hasn’t cleaned up their website.

As you can see this is another case of an old website with a redirect to the new site with extra malware on the side.

The malicious code like previous examples, Troj/JSRedir-AK and Troj/JSRedir-AR, has two distinct forms:

  • injected into HTML files as a malicious <SCRIPT> tag
  • the other appended to JavaScript files

You can see in the above code snippet:

var Y=F(‘89910918991021’,”129″)

The code has a function F which uses the second string to perform a substitution on the first string. In Perl code:

        while (<>){
	        if (/F\('([a-zA-Z0-9]+)'\s*,\s*"([a-zA-Z0-9]+)"/) {
		        my $one = $1;
		        my $two = $2;
		        $one =~ s/[$two]//g;
		        print $one . "\n";

The other variable w in the image is that of the malicious site the code redirects to.

When infected website owners have talked to us we have been able to diagnose the infection source via compromised FTP credentials.