Article Alley compromised
05 Jul 2010 12:44 AM
Websense Security Labs™ ThreatSeeker™ Network has detected that Articlealley.com has been compromised and injected with obfuscated code.
Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. The injection was made at the root domain, so every sub-page served from the site was affected by the attack.
Screenshot of the infected site:
Screenshot of injected code:
Following the redirection chain through de-obfuscation leads to the final landing page, whose code is again heavily obfuscated.
At first glance the malicious code is fairly extensive and complex, but the decryption method is quite simple. First, every occurrence of the string 'SS KWKW o' in the two long variables is replaced with '%'. The two variables are then decoded by applying the unescape() function twice.
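The two-step decoder described above, as an added example for analysts; it is not Websense's code and not the injected script itself. The placeholder token 'SS KWKW o' is taken from the post; the encodeVariable() helper, the variable names and the sample script text are constructed here only to produce test input, since the real obfuscator is not on the page. The decoded output is inspected as text only and never executed.

```javascript
// Added example (not from the original post): reproduces the decoding steps
// the post describes for the Article Alley injection. The payload below is
// CONSTRUCTED for illustration and is not the live injected code.

const TOKEN = "SS KWKW o"; // placeholder the obfuscator used in place of '%'

// Decode one obfuscated variable: restore '%', then unescape() twice.
// unescape() is the legacy ECMAScript function that handles %XX and %uXXXX.
function decodeVariable(obfuscated) {
  const restored = obfuscated.split(TOKEN).join("%");
  return unescape(unescape(restored));
}

// Inverse of decodeVariable, used here only to build sample input
// (hypothetical: the real obfuscator is unknown). escape() never emits
// spaces, so the multi-character TOKEN cannot collide with encoded data.
function encodeVariable(plain) {
  return escape(escape(plain)).split("%").join(TOKEN);
}

// Scan script text for string assignments that carry the token and
// return each one decoded. Constructed assignment syntax (var x = "...";)
// is assumed; the analyst would adapt the regex to the page being examined.
function decodeScript(scriptText) {
  const assignment = /(\w+)\s*=\s*"([^"]*)"/g;
  const results = [];
  let match;
  while ((match = assignment.exec(scriptText)) !== null) {
    const [, name, value] = match;
    if (value.indexOf(TOKEN) !== -1) {
      results.push({ name, decoded: decodeVariable(value) });
    }
  }
  return results;
}

// Constructed sample: two harmless statements encoded in the same scheme.
const SAMPLE_PLAIN_A = 'var note = "constructed sample, not the live payload";';
const SAMPLE_PLAIN_B = "var stage = 2;";
const SAMPLE_SCRIPT =
  'var a = "' + encodeVariable(SAMPLE_PLAIN_A) + '";\n' +
  'var unrelated = "plain text, no token";\n' +
  'var b = "' + encodeVariable(SAMPLE_PLAIN_B) + '";\n';

// Decode and print; nothing here is eval'd.
for (const entry of decodeScript(SAMPLE_SCRIPT)) {
  console.log(entry.name + " -> " + entry.decoded);
}
```

Worked by hand for a single space character: escape(" ") is "%20", escaping again gives "%2520", and swapping '%' for the token yields "SS KWKW o2520"; decodeVariable() reverses each step and returns " ".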
Snapshot of the decrypted code:
The attack targets the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885 (further details are available here).
At the time of publishing this blog, the site has been cleaned and the malicious code removed.
Websense Messaging and Websense Web Security customers are protected against this attack.