It has been a month since Sophos added detection for Troj/JSRedir-AK and figures generated today show that over 40% of all web-based detections have been from this malicious code.
[Graph shows Malware hosted on websites from 2009-12-22 11:00:00 to 2010-01-21 11:00:00 (GMT-8)]
Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK.
The affected sites include well-known names, including:
- Energy Companies
- Retail Companies
- Automobile Club
- Hotels
Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iframe point to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL.
This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware.
Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones. In fact, the graph above is very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials).