Worldfest, Houston Website Compromised Before The Start Of The Event

THREATLABZ
April 04, 2011 - 2 min read
Today, one of our blog readers, Mr. Steve Kennedy, posted a comment saying his antivirus alerted on “http://www.worldfest.com”. The alert appeared to be related to the Blackhole exploit kit, which I’d discussed in a previous blog post. This site turns out to be the official website for the Houston International Film Festival. The 44th annual WorldFest event will be held from April 8 to 17, 2011. Here is the screenshot of the home page:

Image

The malicious JavaScript code is injected at the bottom of the main page, as can be seen in the attached screenshot:

Image

The malicious JavaScript is heavily obfuscated to evade detection. A decoded version of the JavaScript contains code that looks legitimate at first glance. A malicious iframe is then inserted in the middle of this decoded content. Here is the screenshot:

Image

Unfortunately, for this blog we were unable to retrieve any malicious content because the iframed site simply redirects to Google. This may be because the attackers have crafted the page to deliver the payload only if certain conditions are met (e.g. correct user agent, particular geography, etc.). Despite various approaches, we were unable to retrieve malicious content from the page. Here is the packet capture of the redirect:

Image

The website sets a cookie and redirects to Google. This cookie may be used by the attacker to track previous victims in order to ensure that the payload is only delivered one time. This is another common technique to keep the attack under the radar. This site was registered on 30th March 2011 in Ukraine. Here is the whois lookup:

Image

A Google search for the query “WorldFest Houston 2011” returns this infected site as the first search result, as shown below:

Image

Attackers often try to target popular events, and WorldFest is a valuable target with the event beginning on April 8th. This site will surely get plenty of traffic given that this is a popular film festival. We have informed the webmaster of the infection and will continue to monitor the site.

Happy Film Festival!

Umesh
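The behaviour described in the post (a third-party iframe host that sets a cookie, redirects to Google, and sits on a days-old domain) can be turned into a proxy-log heuristic. This is an added example, not code from the original post: the record fields, the reserved `example.*` hosts, the decoy list and the 30-day threshold are all assumptions, and the sample records are constructed.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed proxy records (not the capture from the post); hosts are reserved example domains.
RECORDS = [
    {"url": "http://gate.example.net/index.php", "referer": "http://festival.example.org/",
     "status": 302, "location": "http://www.google.com/", "set_cookie": "v=1",
     "registered": date(2011, 3, 30), "seen": date(2011, 4, 4)},
    {"url": "http://cdn.example.com/lib.js", "referer": "http://festival.example.org/",
     "status": 200, "location": None, "set_cookie": None,
     "registered": date(2005, 1, 10), "seen": date(2011, 4, 4)},
    {"url": "http://festival.example.org/old", "referer": "http://festival.example.org/",
     "status": 301, "location": "http://festival.example.org/new", "set_cookie": "s=1",
     "registered": date(1999, 6, 1), "seen": date(2011, 4, 4)},
]

DECOY_HOSTS = {"www.google.com", "google.com"}  # assumed list of benign redirect targets
NEW_DOMAIN_DAYS = 30                            # assumed "recently registered" threshold

def host(url):
    """Lower-cased hostname of a URL, or '' when the URL is missing."""
    return (urlsplit(url).hostname or "").lower() if url else ""

def score(rec):
    """Return the list of reasons a single transaction looks like a gated exploit-kit landing."""
    reasons = []
    src, ref, dst = host(rec["url"]), host(rec["referer"]), host(rec["location"])
    # Simplification: exact hostname comparison, so sibling subdomains count as cross-site.
    cross_site = bool(ref) and src != ref
    if cross_site and 300 <= rec["status"] < 400 and dst in DECOY_HOSTS:
        reasons.append("third-party load redirected to a decoy site")
        if rec["set_cookie"]:
            reasons.append("cookie set on the redirect (possible visitor marking)")
    age = (rec["seen"] - rec["registered"]).days
    if cross_site and 0 <= age <= NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {age} days before the request")
    return reasons

def flag(records, min_reasons=2):
    """Map host -> reasons for every record that trips at least min_reasons signals."""
    return {host(r["url"]): score(r) for r in records if len(score(r)) >= min_reasons}

if __name__ == "__main__":
    for h, why in flag(RECORDS).items():
        print(h, "->", "; ".join(why))
```

Requiring two or more signals keeps ordinary same-site redirects and long-established third-party hosts out of the results.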
