JS/PackRedir.C!tr.dldr - Released Nov 20, 2009 - Last Updated Dec 08, 2009

Alias/es

Trojan-Downloader.JS.Gumblar.x (Kaspersky)

Detection Availability

               Active Database    Extended Database
  FortiGate    low                high
  FortiClient
  FortiMail    N/A

Visible Symptoms

  • Redirects the browser to malicious websites.
  • Malicious files may be downloaded.

Detailed Analysis


This detection is for an obfuscated script that is injected into compromised websites (a form of cross-site scripting). The malicious URL is encoded inside the script.

When internet users visit infected websites, the injected script redirects the web browser to the malicious website that is hosting other malicious downloadable components such as malicious PDF and SWF files. These files contain exploits which eventually download a malicious Win32 executable.

The behavior of this trojan is very similar to JS/Redir.MR!tr.


Technical Details


The obfuscation technique varies between infections, but mostly decodes to the same malicious URL format.

The second stage occurs when internet users visit infected websites. The injected script has several layers of obfuscation. Once those layers are decoded, the payload fingerprints the browser for vulnerable components and exploits them.

The content of the malicious script depends on the infected user's OS (Windows, Linux) and web browser version (IE6, IE7, Firefox, Safari). The vulnerabilities exploited include the following:
  • Adobe Reader/Adobe Acrobat (APSB09-04/CVE-2009-0927)
    Some of these scripts try to load a malicious PDF based on the presence of the ActiveX plugins related to "PDF.PdfCtrl" or "AcroPDF.PDF" and on their versions.

  • Adobe Flash Player (APSB08-11/CVE-2007-0071)
    A Flash exploit is used when the "ShockwaveFlash.ShockwaveFlash.9" (Shockwave Flash) plugin is present. Here, the version is also checked.

  • Microsoft Internet Explorer 7 (MS09-002/CVE-2009-0075)
    Besides the exploits above, an IE7 vulnerability is also exploited.

  • Microsoft Web Components (MS09-043/CVE-2009-1136)
    Microsoft Office Web Components are also targeted.

All of these exploits are used to download a malicious Win32 executable and run it on the targeted computer.

Some reports indicate that this malware may also redirect Google search results.
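The two passages above (the layered obfuscation, and the ActiveX ProgID checks that choose which exploit to serve) give a defender a concrete static signature: an inline script that both uses cheap decoding primitives and references the plugin ProgIDs named in this analysis. The following triage script is an added example written for this page, not Fortinet's detection logic or code from the malware itself. It peels the two cheapest obfuscation layers (percent-escaped strings and String.fromCharCode lists) without executing any JavaScript, then looks for the ProgIDs "PDF.PdfCtrl", "AcroPDF.PDF" and "ShockwaveFlash.ShockwaveFlash.9" in the decoded text. The two HTML pages embedded in it are constructed samples, not real captures, and the function names are hypothetical.

```python
"""Static triage of inline <script> blocks for the plugin-fingerprinting
pattern described in the analysis. Added example (not Fortinet code); the
sample pages below are constructed, not captured from a real infection."""
import re
from urllib.parse import unquote

# ActiveX ProgIDs the injected script probes before choosing an exploit
# (names taken from the analysis text).
PLUGIN_PROBES = ["PDF.PdfCtrl", "AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash.9"]

# Cheap decoding/loader primitives. Each is common in legitimate code, so a
# script is only flagged when one of them co-occurs with a plugin probe.
OBFUSCATION_PRIMITIVES = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("fromCharCode", re.compile(r"String\.fromCharCode\s*\(")),
    ("document.write", re.compile(r"document\.write\s*\(")),
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
PERCENT_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")          # runs of %XX escapes
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")


def _charcodes_to_literal(match):
    """Turn String.fromCharCode(80,68,...) into the quoted string it builds."""
    codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
    return '"' + "".join(chr(c) for c in codes if c < 0x110000) + '"'


def peel_layers(script, max_rounds=3):
    """Statically decode percent-escapes and fromCharCode lists, repeating
    while the text still changes (nested layers), without running any JS."""
    text = script
    for _ in range(max_rounds):
        new = PERCENT_RE.sub(lambda m: unquote(m.group(0)), text)
        new = FROMCHARCODE_RE.sub(_charcodes_to_literal, new)
        if new == text:
            break
        text = new
    return text


def inline_scripts(html):
    """Bodies of all inline <script> elements, in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def analyse_script(script):
    decoded = peel_layers(script)
    return {
        # primitives are scored on the raw text (decoding removes them)
        "obfuscation": [n for n, pat in OBFUSCATION_PRIMITIVES if pat.search(script)],
        # probes are scored on the decoded text so hidden ProgIDs are seen
        "plugin_probes": [p for p in PLUGIN_PROBES if p in decoded],
        # ProgIDs that only became visible after decoding: strong signal
        "hidden_probes": [p for p in PLUGIN_PROBES if p in decoded and p not in script],
    }


def scan_html(html):
    """One finding per inline script that both obfuscates and probes plugins."""
    findings = []
    for i, script in enumerate(inline_scripts(html)):
        result = analyse_script(script)
        if result["plugin_probes"] and result["obfuscation"]:
            findings.append({"script_index": i, **result})
    return findings


# Constructed sample: a benign page whose only inline script uses document.write.
CLEAN_PAGE = """<html><body><script src="/js/site.js"></script>
<script>document.write("<p>" + new Date().getFullYear() + "</p>");</script>
</body></html>"""

# Constructed sample: an injected block that hides two ProgIDs behind
# unescape() and String.fromCharCode() and names the third one literally.
INFECTED_PAGE = """<html><body><p>Hello</p>
<script>
var a = unescape("%41%63%72%6F%50%44%46%2E%50%44%46");
var b = String.fromCharCode(80,68,70,46,80,100,102,67,116,114,108);
var hit = null;
try { hit = new ActiveXObject(a); } catch (e) {}
try { hit = new ActiveXObject(b); } catch (e) {}
try { hit = new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9"); } catch (e) {}
if (hit) { document.write("<!-- placeholder: nothing is loaded here -->"); }
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

The rule deliberately requires both signals: document.write or eval alone would flag much of the legitimate web, while a literal ProgID alone appears in ordinary plugin-detection code. The "hidden_probes" field is the higher-confidence indicator, since there is little legitimate reason to percent-encode an ActiveX ProgID. For real triage, run scan_html over the HTML served by a suspect site (or over files on a web server during incident response) and review flagged scripts by hand; the decoder here only handles the two layers named in the lead-in, so a script that decodes cleanly but shows no probes may still deserve a look.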

Recommended Action

Patch

  • Apply the vendor patches for the vulnerabilities listed above.

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.


Reference: ID - 1130461