Singing a malicious song
16 Sep 2010 04:23 PM
Every now and then we look for song lyrics on the Internet. Using the newest Google Instant technology we immediately find what we need. At least, we think so.
Websense Security Labs™ ThreatSeeker™ Network has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code.
Websense customers are proactively protected against the malicious code by our Advanced Classification Engine - ACE
Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit.
Attempted exploits result in a malicious binary (VT 39.5%) file that's run on the victim's computer. Once infected, the machine becomes another zombie-bot in the wild.
Deobfuscating this code reveals a redirection to the malicious payload site:
It is interesting to note that the malicious code injected on Songlyrics.com uses a similar obfuscation algorithm as Crimepack - a prepackaged commercial software used by attackers to deliver malicious Web-based code.
It appears that the majority of pages served by Songlyrics.com are compromised.
Crimepack has become one of the best selling exploit packs on the market due to its huge number of pre-compiled exploits offering a great base for the "drive-by-download & execute" business implication.