JS/trojan redir analysis
Last weekend a couple of friends asked me to look after their websites: they had received complaints from users whose antivirus software started alerting when they visited the sites. So I fired up my malware research machine and used McAfee FileInsight to go over the website. My AV (NOD32) went crazy and alerts popped up.
It looked as if all index.html and index.php files were infected.
When analyzing these pages I found obfuscated script code at the bottom of the source.
Submitting this code to VirusTotal, I got the following response:
S/TrojanDownloader.Agent.NRO trojan – NOD32
Trojan-Downloader.JS.Pegel.c – Kaspersky
MD5 : f6040c041562a481ea0b4d6a79d0ca49
After cleaning the index.* files I did a last check and downloaded the website's folder to see whether I had missed any files; my AV again went into full alert, and now all *.js files were infected.
OK, time to analyze. What is this trojan doing?
It injects hidden iframes with all kinds of URLs referring to different sites.
Example:
hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
hxxp://wowhead-com.gougou.com.redtube-com.viewhomesale .ru:8080/58.com/58.com/google.com/rediff.com/uol.com.br/
hxxp://it168-com.sky.com.xe-com.viewhomesale .ru:8080/google.com/google.com/pagesjaunes.fr/sify.com/nate.com/
hxxp://seznam-cz.king.com.boston-com.viewhomesale .ru:8080/linkedin.com/linkedin.com
UPDATE: thanks, Herzel, for pointing me to your blog; here are some screenshots of the code analysis:
Blog
Earlier variations of this malware had already been detected, but this variant uses code obfuscation and has two ways to spread:
- inserting script code into the bottom of index.html and index.php files
- appending to or inserting into *.js files
Word has spread that the Gumblar team is responsible for this virus.
Affected websites should:
* Delete or restore from backup infected files.
* Patch all software on the box.
* Change all passwords, especially FTP ones.
* Review logs.
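To triage a downloaded copy of a site for the behaviour described above (script appended below the closing tag of index.* files, hidden iframes, and decode-and-run code tacked onto *.js files), here is an added Python scanner; it is not code from the post, and its heuristics and the `classify`/`scan_tree` names are my own assumptions drawn only from what the post reports.

```python
import re
import sys
from pathlib import Path

# Heuristics derived from the infection described in the post (assumptions,
# not the trojan's own code). Iframe tags styled or sized to be invisible:
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*=\s*[\"']?0\b)[^>]*>", re.I | re.S)
# The injection host quoted in the post (matched with or without the defanging space).
KNOWN_HOST = re.compile(r"viewhomesale\s*\.ru:8080", re.I)
# Decode-and-run primitives typical of obfuscated JS droppers.
OBFUSCATION = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")
INDEX_FILES = {"index.html", "index.php"}

def classify(name: str, text: str) -> list[str]:
    """Return the indicators found in one file's content (empty list if clean)."""
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden-iframe")
    if KNOWN_HOST.search(text):
        hits.append("known-host")
    if name in INDEX_FILES:
        # A <script> block appended after the document has already closed.
        end = text.lower().rfind("</html>")
        if end != -1 and "<script" in text[end:].lower():
            hits.append("script-after-html")
    elif name.endswith(".js"):
        # Legitimate library files rarely eval decoded strings; inspect the tail,
        # which is where the post saw the injected code appended.
        if OBFUSCATION.search(text[-4000:]):
            hits.append("obfuscated-tail")
    return hits

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a downloaded web root and map each suspicious file to its indicators."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.name in INDEX_FILES or path.suffix == ".js"):
            text = path.read_bytes().decode("utf-8", errors="replace")
            hits = classify(path.name, text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

if __name__ == "__main__":
    # Usage: python scan.py /path/to/downloaded/webroot
    for rel, hits in scan_tree(Path(sys.argv[1])).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against the downloaded copy of the site before and after restoring from backup; a second run that comes back empty is the check that no index.* or *.js file was missed.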