Recent metrics from Symantec are showing that religious sites are more often compromised or serving malicious content than adult content sites. In a recent analysis, I have encountered this myself and I will delve briefly into how the malicious event occurred.
User searches in Google for religious content
User clicks on the link, in this case, fassatiny.com, a youth religious website.
Unbeknownst to the user or, likely, fassatiny.com, the website has been injected with obfuscated javascript code.
- The result of this code is a get request for: khigaijc.ddns.ms/stds/go.php?sid=1
- http://jsunpack.jeek.org/?report=d55b34d070095158ed87123ef1d828c4c16f5139
- khigaijc.ddns.ms/stds/go.php?sid=1 redirects you to:
- hxxp://lnuzdqhs.ddns.mobi/main.php?page=bd9afdd8df7aa34c
An you have yourself a new experience. Malware via blackhole and insecure religious websites. I, in no way wish to pick on religious websites. They are far from the only insecure websites on the internet.
Anyone can fall a victim to this type of injection, and anyone can fall victim to exploits akin to this.
Now, lets take this one step further:
Lotta trouble out there.
Now, let's detect. How about snort?
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Exploit: Malicious Obfuscated Javascript Redirect"; flow:from_server,established; content:"<script>i=0;try{prototype;}catch"; content:"</script>"; reference:url,http://jsunpack.jeek.org/?report=d55b34d070095158ed87123ef1d828c4c16f5139, reference:fortknoxnetworks.blogspot.com/2012/05/anatomy-of-compromised-religious-site.html; sid:98100014; rev:1;)
Other tools:
Obfuscated javascript
Nginx server
URL strings consistent with Blackhole
I put the trailing <script> into this rule in the desire to capture the entire script. You may have a better suggestion for the rule and I welcome it.
As always, I welcome your comments, thoughts and suggestions. Follow me @fknsec.
