Compromised Japanese Sites Lead to Malware

When it comes to cybercriminal targets, it truly is a popularity contest. Multiple sites were found compromised, including those popular with Japanese users. There were 40 compromised domains identified using feedback provided by Trend Micro Deep Discovery; since yesterday almost 60,000 hits have been recorded on these sites.

One of the compromised sites contains an obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to load a hidden iframe that loads behind the user’s browser.


Figure 1. Encrypted JavaScript inserted onto compromised site


Figure 2. Decrypted JavaScript that could lead users to malicious sites

Figure 1 shows the obfuscated JavaScript, or JS_BLACOLE.SMTT, that’s on the compromised site. Figure 2 shows the decrypted JavaScript, which leads users to more malicious sites.

The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software are installed in the user’s computer. After checking, it then loads the appropriate exploits. These lead to the download of malicious PDF files, which exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other software applications targeted for exploits include Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.

Users should remember that cybercriminals are catching up with the digital landscape. They will take advantage of any online activity—no matter how mundane—to gain more victims. They are also not selective; one of  the (compromised) sites caters to both students and businesses.

End users should ensure that their installed software is patched, as this can prevent attacks that use old exploits – like this one – from succeeding. Site owners should exercise similar precautions with their installed server software – particularly content management systems – and ensure that their own passwords are sufficiently random and difficult to guess by attackers. Inputs should be sanitized as well, to prevent SQL injection attacks.

Trend Micro provides protection by blocking related malicious sites and detecting the malware.

With additional inputs from Threat Researcher Rhena Inocencio and Threats Analyst Yoshikawa Takashi.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Compromised Japanese Sites Lead to Malware

Read more: Compromised Japanese Sites Lead to Malware

Story added 5. June 2013, content source with full text you can find at link above.