Cat ‘n Mouse with spammed HTML redirects

The attackers behind the spammed HTML redirects I blogged about last week have been busy over the last few days. In an ongoing attempt to evade detection they have continually tweaked and changed the manner in which the redirect is being hidden. In this post I will take a quick look at the evolution of these scripts that we are blocking as JS/WndRed-B.

They started out by using a commercial tool known as HTML Protector to hide their payload.

As explained previously, this script simply redirects to some remote site via a META refresh.

In many cases, the target of the redirection was not a spammy or malicious site, but a page uploaded within a legitimate site, normally with the filename x.html. (In my previous blog I detailed the further redirections that happen from here.)

Soon afterwards we saw a shift to another obfuscation method. The scripts were now completely different, but still delivering the same META redirect payload. Additionally, some of the scripts changed the delay of the redirect from 0 to a few seconds.

It didn’t take too long for another change, to a completely different script (and yes, you guessed it, the payload remains the same).

With the game of cat ‘n mouse clearly hotting up, the attackers then threw another spanner into the works, indicating something of a sense of humour in their efforts to break detection. We started seeing scripts using the same obfuscation method, but with garbage at the start and end of the string.

The deobfuscated output for these scripts still contained the META redirect payload, but with additional rubbish present!

Today has seen a different tactic. The attackers are now spamming HTML pages ripped from legitimate content such as eBay confirmation emails, Flixster postings or PayPal notifications.

However, these pages contain a hidden surprise. Some (blocked as Troj/JSRedir-CO) contain a single malicious script element that loads another script from a remote site.

Others use an obfuscated script to either write the iframe or to deliver our favourite META redirect (blocked as Troj/JSRedir-CO and JS/WndRed-B respectively).

The remotely loaded script then proceeds to write an iframe to the page (blocked as Mal/Iframe-F), which loads the malicious code that delivers the payload. The payloads encountered thus far include Troj/Dloadr-DDF, Mal/FakeAV-EI and Troj/VBInjec-AS. Phew!
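The components described above (the META refresh, the remote script element and the iframe) can all be checked for generically once markup is static or already deobfuscated. The following is an added example, not code from the original post or from any Sophos detection; the sample inputs, the `.example` hostnames and the `SHORT_DELAY` threshold are constructed assumptions, and it does not execute or deobfuscate scripts.

```python
import re
from html.parser import HTMLParser

# META refresh content looks like "<delay>; url=<target>".
REFRESH_RE = re.compile(r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
REMOTE_RE = re.compile(r"\s*(https?:)?//", re.I)
SHORT_DELAY = 10  # assumed threshold in seconds; the post mentions 0 to "a few"


class RedirectScanner(HTMLParser):
    """Collects META refresh redirects, remote scripts and iframes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # The parser lowercases tag and attribute names; values are kept as-is.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m and int(m.group(1)) <= SHORT_DELAY:
                self.findings.append(("meta-refresh", int(m.group(1)), m.group(2)))
        elif tag in ("script", "iframe") and REMOTE_RE.match(a.get("src", "")):
            self.findings.append(("remote-" + tag, None, a["src"].strip()))


def scan(html):
    """Return a list of (kind, delay_or_None, target) tuples found in html."""
    scanner = RedirectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: deobfuscated output with garbage before and after the payload.
SAMPLE_GARBAGE = ('k3jf9@@zz##<meta http-equiv="Refresh" '
                  'content="3; URL=http://redirect.example/x.html">##qq!!')

# Constructed sample: a page "ripped" from legitimate mail with two additions.
SAMPLE_RIPPED = ('<html><body><p>Your order is confirmed.</p>'
                 '<script src="http://cdn.example/a.js"></script>'
                 '<iframe src="//frames.example/in.php" width=1 height=1></iframe>'
                 '</body></html>')

if __name__ == "__main__":
    for name, doc in (("garbage", SAMPLE_GARBAGE), ("ripped", SAMPLE_RIPPED)):
        print(name, scan(doc))
```

Remote scripts and iframes also occur in benign pages, so findings like these are inputs to a decision about an emailed HTML attachment, not verdicts by themselves.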

As I noted before, these attacks clearly indicate the benefits of layered protection, where anti-spam, URL filtering and effective generic detections for all of the components involved provide the best protection for users.