It has been a month since Sophos added detection for Troj/JSRedir-AK and figures generated today show that over 40% of all web-based detections have been from this malicious code.

[Graph shows Malware hosted on websites from 2009-12-22 11:00:00 to 2010-01-21 11:00:00 (GMT-8)]

Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK.

The affected sites include well-known names, including:

  • Energy Companies
  • Retail Companies
  • Automobile Club
  • Hotels

Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iframe point to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL.

This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware.

Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones. In fact, the graph above is very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials).