Sophisticated injection abuses the Twitter trend service

About three years ago code injection was very simple, where most of them were just an iFrame tag. Hackers then started to insert a piece of script code to obfuscate the malicious code, yet the goal still remains the same – to insert an iFrame tag or script tag to redirect vistors to another site. Recently, the Websense ThreatSeeker® Network has detected a mass injection campaign that has infected more than 10,000 Web sites.

What is surprising is the size of injected code; it’s very big – over 6,000 kbs. Surely such a large injection code can contain a lot of malicious content.  The attacker used 5 layers of obfuscated methods to conceal the final redirect code. The redirect target is determined based on Twitter trend services (abused Twitter trend service is not new. We have posted about this in the past). The redirect target is  different every day, and even different at day and at night!

Above is a part of the injection code, which is usually placed at the end of a normal page. With our Javascirpt de-obfuscated tool, we were redirected to the page below. 

The redirect code will query Twitter trend services and gets the trend data within 2 or 3 days. Using popular words at 7:00 or 18:00 in the trend data as a key, and after some complicated mathematical computation, a final redirect URL is generated and then inserted in the iFrame tag.

The code will compute 2 redirect URLs everyday, according to the time you visited the infected website. One URL is for the time between 05:00 - 16:00; the other URL is for the remaining time.  Here are the redirect URLs used in July

20110701-------------http://dbcuqdpdfds.com/index.php?tp=001e4bb7b4d7333d
20110701-------------http://xderummxfds.com/index.php?tp=001e4bb7b4d7333d
20110702-------------http://gbcpgjkgfds.com/index.php?tp=001e4bb7b4d7333d
20110702-------------http://wiadwlxwfds.com/index.php?tp=001e4bb7b4d7333d
20110703-------------http://gabeevygfds.com/index.php?tp=001e4bb7b4d7333d
20110703-------------http://sabiofesfds.com/index.php?tp=001e4bb7b4d7333d
20110704-------------http://aghpgwkafds.com/index.php?tp=001e4bb7b4d7333d
20110704-------------http://efgeenyefds.com/index.php?tp=001e4bb7b4d7333d
20110705-------------http://niadwixnfds.com/index.php?tp=001e4bb7b4d7333d
20110705-------------http://rdehaccrfds.com/index.php?tp=001e4bb7b4d7333d
20110706-------------http://mefjhddmfds.com/index.php?tp=001e4bb7b4d7333d
20110706-------------http://ghjvxdqgfds.com/index.php?tp=001e4bb7b4d7333d
20110707-------------http://wghabguwfds.com/index.php?tp=001e4bb7b4d7333d
20110707-------------http://viascznvfds.com/index.php?tp=001e4bb7b4d7333d
20110708-------------http://aianrgjafds.com/index.php?tp=001e4bb7b4d7333d
20110708-------------http://ajiwferafds.com/index.php?tp=001e4bb7b4d7333d
20110709-------------http://aghflzaafds.com/index.php?tp=001e4bb7b4d7333d
20110709-------------http://ahjvxqqafds.com/index.php?tp=001e4bb7b4d7333d
20110710-------------http://qcdbjuvqfds.com/index.php?tp=001e4bb7b4d7333d
20110710-------------http://kiascenkfds.com/index.php?tp=001e4bb7b4d7333d
20110711-------------http://tbcfleatfds.com/index.php?tp=001e4bb7b4d7333d
20110711-------------http://mcdqnmlmfds.com/index.php?tp=001e4bb7b4d7333d
20110712-------------http://miasclnmfds.com/index.php?tp=001e4bb7b4d7333d
20110712-------------http://mhjldbgmfds.com/index.php?tp=001e4bb7b4d7333d
20110713-------------http://tfgeexytfds.com/index.php?tp=001e4bb7b4d7333d
20110713-------------http://cjirubmcfds.com/index.php?tp=001e4bb7b4d7333d
20110714-------------http://wfgytetwfds.com/index.php?tp=001e4bb7b4d7333d
20110714-------------http://uefjhrdufds.com/index.php?tp=001e4bb7b4d7333d
20110715-------------http://gjiruxmgfds.com/index.php?tp=001e4bb7b4d7333d
20110715-------------http://scdqnklsfds.com/index.php?tp=001e4bb7b4d7333d
20110716-------------http://aaboywiafds.com/index.php?tp=001e4bb7b4d7333d
20110716-------------http://ajicpzwafds.com/index.php?tp=001e4bb7b4d7333d
20110717-------------http://uefxmgsufds.com/index.php?tp=001e4bb7b4d7333d
20110717-------------http://oefjhudofds.com/index.php?tp=001e4bb7b4d7333d
20110718-------------http://aefxmusafds.com/index.php?tp=001e4bb7b4d7333d
20110718-------------http://aghabguafds.com/index.php?tp=001e4bb7b4d7333d
20110719-------------http://pianrejpfds.com/index.php?tp=001e4bb7b4d7333d
20110719-------------http://aabioqeafds.com/index.php?tp=001e4bb7b4d7333d
20110720-------------http://uhjgswbufds.com/index.php?tp=001e4bb7b4d7333d
20110720-------------http://jcdgsdbjfds.com/index.php?tp=001e4bb7b4d7333d
20110721-------------http://scdldsgsfds.com/index.php?tp=001e4bb7b4d7333d
20110721-------------http://gefscrngfds.com/index.php?tp=001e4bb7b4d7333d
20110722-------------http://mghuqcpmfds.com/index.php?tp=001e4bb7b4d7333d
20110722-------------http://ghjqndlgfds.com/index.php?tp=001e4bb7b4d7333d
20110723-------------http://fbcabkuffds.com/index.php?tp=001e4bb7b4d7333d
20110723-------------http://lfgythtlfds.com/index.php?tp=001e4bb7b4d7333d
20110724-------------http://ajicpfwafds.com/index.php?tp=001e4bb7b4d7333d
20110724-------------http://ajicpcwafds.com/index.php?tp=001e4bb7b4d7333d
20110725-------------http://vianrhjvfds.com/index.php?tp=001e4bb7b4d7333d
20110725-------------http://kefnrkjkfds.com/index.php?tp=001e4bb7b4d7333d

The URL redirects customers to the Blackhole Exploit Kit where a rogue AV application will be installed. Below are IP addresses that host the Blackhole Exploit Kit.

46.165.192.232
46.20.119.80
66.135.59.143
216.155.147.12
64.150.187.129
200.35.147.150
108.59.2.202

The good news is that Websense Security Labs continue to track different types of exploit kits (including Blackhole), and customers are protected against these kind of campaigns.