September 16, 2010

Singing a malicious song


Every now and then we look for song lyrics on the Internet. Using the newest Google Instant technology we immediately find what we need. At least, we think so.


Websense Security Labs™ ThreatSeeker™ Network has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) has been compromised and injected with obfuscated malicious code.
Websense customers are proactively protected against the malicious code by our Advanced Classification Engine (ACE).


Once a user accesses the main page of the song lyrics site, the injected code redirects the browser to an exploit site loaded with the Crimepack exploit kit.
The attempted exploits result in a malicious binary file (VT 39.5%) being run on the victim's computer. Once infected, the machine becomes another zombie-bot in the wild.


Deobfuscating this code reveals a redirection to the malicious payload site: 


It is interesting to note that the malicious code injected on Songlyrics.com uses an obfuscation algorithm similar to the one used by Crimepack, a prepackaged commercial software kit used by attackers to deliver malicious Web-based code.

It appears that the majority of pages served by Songlyrics.com are compromised.

Crimepack has become one of the best-selling exploit packs on the market because of its huge number of pre-compiled exploits, which offer a great base for the "drive-by-download & execute" business.



Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.
