Another Mass Iframe Injection Attack detected by armorize.com Researchers. On july, They detected the Mass Iframe injection that infected the 90000 websites. Looks like this time the number of sites is increased. 350,000 websites infected by Malware. Also they targeted the website that are developed using ASP.net.
As per the Google result, there is 180,000 websites infected by this Iframe injection attack. They targeted victims who use 6 particular language:English, German, French, Italian, Polish, and Breton in their websites.
If you want to check the list of Infected sites, then do google search as "http://jjghui.com/urchin.js". Never click the website that return by google after this search. It will launch the malware attack.
Multiple browser-based drive-by download exploits are served depending on the visiting browser.
When the user is redirected to the malware server, it will server to the visitors. The malware will be automatically installed without your knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).
Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.
jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.
The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.
<script src="Link_to_malicious_script"></script>
This inserts the malicious javascript inside website. This malicious script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.
As per the Google result, there is 180,000 websites infected by this Iframe injection attack. They targeted victims who use 6 particular language:English, German, French, Italian, Polish, and Breton in their websites.
If you want to check the list of Infected sites, then do google search as "http://jjghui.com/urchin.js". Never click the website that return by google after this search. It will launch the malware attack.
Malware Infection:
The Malicious scripts inserted inside the victims website causes the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser.
When the user is redirected to the malware server, it will server to the visitors. The malware will be automatically installed without your knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).
Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.
jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.
The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.
IFrame Injection:
They inserted the Iframe inside the webpage using the web application vulnerability. like this:<script src="Link_to_malicious_script"></script>
This inserts the malicious javascript inside website. This malicious script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.
Security Tips from BreakTheSecurity.com to Web Masters:
If your site also infected, then delete all files from your server. I hope you have backup of your website contents. Install the Latest Antivirus in your system. Verify your code before uploading.