Thursday, September 02, 2010

Code Injection Masquerades as Google Analytics

A new mass injection attack tries to pass off the rogue code added to compromised websites as the Google Analytics script. The attack is actually part of a malicious campaign to distribute a new piece of scareware that has a very low detection rate.

The compromises are likely the result of SQL injection vulnerabilities, mostly in ASP and ASP.NET websites. Successful exploitation leads to a rogue <script> tag being injected right after the </title> element in the HTML output.

The src of this tag loads a script called urchin.js from a domain whose name is chosen to look related to Google Analytics. This is clearly meant to hide the infection and pass the code off as part of Google Analytics, with which the urchin.js filename is normally associated (the legacy Google Analytics tracking code loads it from www.google-analytics.com). The look-alike domain name serves the same purpose.
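A simple check a site owner or incident responder can run against saved HTML is to look for a script tag sitting directly after </title> whose src is urchin.js served from anywhere other than a Google Analytics host. The following Python script is an added example written for this article, not code from the original post or from the campaign itself; the sample pages and the host name analytics-stats.invalid are constructed for illustration and are not the domain used in the real attack.

```python
import re
from urllib.parse import urlparse

# Hosts from which the legacy Google Analytics urchin.js is legitimately served.
LEGIT_URCHIN_HOSTS = {
    "google-analytics.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
}

# Any <script ... src="..."> tag; captures the src value (quoted or bare).
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE
)
# A <script> opening tag that immediately follows </title>, the injection point
# described in the article. Group 1 is the whole opening tag.
AFTER_TITLE_RE = re.compile(r'</title>\s*(<script\b[^>]*>)', re.IGNORECASE)


def is_rogue_urchin(src: str) -> bool:
    """True if src names urchin.js but is loaded from a non-Google host."""
    parsed = urlparse(src)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename != "urchin.js":
        return False
    host = parsed.hostname  # None for a relative src such as /js/urchin.js
    if host is None:
        # A self-hosted copy is not the remote injection this check targets.
        return False
    return host.lower() not in LEGIT_URCHIN_HOSTS


def scan_page(html: str) -> dict:
    """Report rogue urchin.js loads and whether the injection sits after </title>."""
    rogue = [src for src in SCRIPT_SRC_RE.findall(html) if is_rogue_urchin(src)]

    after_title = None
    m = AFTER_TITLE_RE.search(html)
    if m:
        src_match = SCRIPT_SRC_RE.match(m.group(1))
        if src_match:
            after_title = src_match.group(1)

    return {
        "rogue_urchin_srcs": rogue,
        "script_after_title": after_title,
        # The campaign indicator is the combination: a script directly after
        # </title> that pulls urchin.js from a look-alike domain.
        "matches_campaign": after_title is not None and is_rogue_urchin(after_title),
    }


# Constructed sample: a page with the genuine legacy Google Analytics snippet.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-000000-0"; urchinTracker();</script>
</head><body>ok</body></html>"""

# Constructed sample: the same page with a rogue tag injected right after </title>.
# analytics-stats.invalid is a placeholder, not the domain from the real attack.
INJECTED_PAGE = """<html><head><title>Shop</title><script src="http://analytics-stats.invalid/urchin.js"></script>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
</head><body>ok</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page))
```

Run it against HTML fetched from the site itself rather than a cached copy, since the injected tag is added to the live HTML output; a page whose only urchin.js comes from www.google-analytics.com is reported as clean even when that script follows the title directly.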

Searching for the rogue script tag on Google reveals some 154,000 hits. Although these results include multiple infected pages under the same domain, it's pretty safe to assume that tens of thousands of websites have already been affected by this new attack.

The rogue script performs a check to see if the visitor has already been targeted and if they weren't, proceeds to bombard them with bogus security alerts, which claim their system is infected with fictitious malware. This scareware campaign pushes a fake antivirus program called System Security AntiVirus.

This sort of application tries to scare users into buying a license for a fake and useless product in order to clean their system of infections that never existed in the first place. This is a very profitable criminal model that has been running for years now. Unfortunately, victims of such scams not only part with a considerable sum of money, but also hand their credit card details to the criminals.

The scareware file distributed in this case has a very low detection rate based on signatures alone. Only 4 of the 42 antivirus engines on VirusTotal currently identify it as malicious.
