Search Blog for

Dissecting The Urchin Script Injection Attack

Dissecting The Urchin Script Injection Attack

Imperva’s Tomer Biton examines a new mass script injection attack targets ASP ASP.NET websites.  As usual, this is a major technical dissection.
First, by searching the javascripts payload names in Google we can see the mass of the infected pages (click image to BIGGIFY):
The injection includes iframes to one of the following javascripts payloads to two sites (URLs not listed).
The Injected Script (click image to BIGGIFY):
Now, let’s deobfuscate the script:
The script targets visitors of 6 particular languages:

  • en = English,
  • de = German (Standard).
  • Fr = French
  • It = Italian
  • Pl = Polish
  • Br = Breton (yes, for real).

The redirector:
We can see the ‘go_to’ statement that redirects the visitor’s browsers to domain:
By returns 302 redirection response with one of the following domains:

  • hXXp://
  • hXXp://

How do you like your malware?
We were able to identify 3 different scripts from above domains. The scripts are downloaded as a gzip encoded.  However, with the Malzilla tool we can see get them in a better view (click image to BIGGIFY):
Once the scripts get executed in the visitor’s browser one of the following pages loads (click images to BIGGIFY):
Script # 1: Top 10 Famous Celebrity Sex Scandals
Script #2: Emma Watson never seen before home video
Script #3: Scarware/Fake Anti-Virus
What About The Malware?
The malware’s main characteristics include:

  • FileSize: 292.00 KB (299013 bytes)
  • MD5: 8DACD674BF9F7A08BFF667721E53B106
  • SHA1: 38954871CE0D2249BCFA500F24A00A5FAF93BFA0

The binary presents a layer of UPX compression.  The Section Header is composed as usual by the following sections:

  •  .UPX0
  • .UPX1
  • .rsrc.

This sample designed to redirect web search results of and  It uses rootkit techniques to hide its presence from the victim and security products. This is not the first time we see this kind of behavior, malware from the TDSS (TDL3 and TDL4) and ZeroAccess/Serifef families were involved in nearly all cases of those annoying redirects.
I’m guessing, the sample is routing the traffic eventually to Google after monitoring it or logging it for whatever reason.
Once executed the sample creates a service by loading a kernel mode driver – 5640.sys:
SYSTEM process (PID 4) gets infected by a malicious thread injection (click to BIGGIFY):
The local pharming technique?  The sample modifies locks and set as hidden the system file /etc/hosts (click to BIGGIFY):

After entering ~ 60 CRLF lines also adds the following entries (must pageDn in order to see the entries):
The sample also copies itself to a tmp folder with a .tmp extension:
As described above, the sample is designed to redirect user searches from ‘Google’ and ‘Bing’.  After infection pinging and returned the same IP (click to BIGGIFY):
Before Infection                 After Infection

Whereas is not a target:
Be safe.