JS/PackRedir.C!tr.dldr

Alias/es: Trojan-Downloader.JS.Gumblar.x (Kaspersky)
Release Date: Nov 20, 2009

Detection Availability
                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A

Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Redirects the browser to malicious websites.
  • Malicious files may be downloaded.

Detailed Analysis


This detection is for an obfuscated script that is injected into compromised websites (typically via cross-site scripting). The malicious URL is encoded in the script.

When internet users visit infected websites, the injected script redirects the web browser to the malicious website that is hosting other malicious downloadable components such as malicious PDF and SWF files. These files contain exploits which eventually download a malicious Win32 executable.

The behavior of this trojan is very similar to JS/Redir.MR!tr.


Technical Details


The obfuscation technique varies between infections, but the script mostly decodes to the same format of malicious URL.

The second stage occurs when internet users visit infected websites. The injected script has several layers of obfuscation. Once these layers are decoded, the payload tries to identify the vulnerable components of the browser and exploits them.

The content of the malicious script depends on the infected user's OS (Windows, Linux) and web browser version (IE6, IE7, Firefox, Safari). The vulnerabilities exploited include the following:
  • Adobe Reader/Adobe Acrobat (APSB09-04/CVE-2009-0927)
    Some of these scripts try to load a malicious PDF based on the presence of the ActiveX plugins related to "PDF.PdfCtrl" or "AcroPDF.PDF" and on their versions.

  • Adobe Flash Player (APSB08-11/CVE-2007-0071)
    A Flash exploit is delivered when the "ShockwaveFlash.ShockwaveFlash.9" (Shockwave Flash) plugin is present. Here, the version is also checked.

  • Microsoft Internet Explorer 7 (MS09-002/CVE-2009-0075)
    Besides the exploits above, an IE7 vulnerability is also exploited.

  • Microsoft Web Components (MS09-043/CVE-2009-1136)
    Microsoft Office Web Components are also targeted.

All of these exploits are used to download a malicious Win32 executable and run it on the targeted computer.

Some reports indicate that this malware may also redirect Google search results.
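As an added defender-side example (not part of the Fortinet write-up and not vendor detection logic), the following Python script scans HTML for inline scripts that both probe the ActiveX ProgIDs named above and carry common obfuscation markers (eval, unescape, long percent-encoded runs). The sample page, the pattern list, the scoring and the threshold are constructed assumptions chosen for illustration; they are not indicators published on this page.

```python
"""Heuristic scanner for injected, obfuscated plugin-fingerprinting scripts.

Constructed example for triage of a suspected compromised web page. The
ProgIDs come from the write-up above; the obfuscation patterns, weights and
sample HTML are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# ProgIDs the analysed scripts probe (named in the write-up).
PLUGIN_PROGIDS = ("PDF.PdfCtrl", "AcroPDF.PDF", "ShockwaveFlash.ShockwaveFlash")

# Constructs that frequently appear in multi-layer obfuscated loaders (assumed list).
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document_write": re.compile(r"document\.write\s*\("),
    "percent_encoded_run": re.compile(r"(?:%[0-9a-fA-F]{2}){16,}"),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    index: int          # position of the <script> block within the page
    progids: list       # plugin ProgIDs referenced by the block
    obfuscation: list   # obfuscation markers matched
    score: int          # heuristic score used against the threshold


def scan_html(html: str, threshold: int = 3) -> list:
    """Return a Finding for each inline script whose score reaches the threshold."""
    findings = []
    for i, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        progids = [p for p in PLUGIN_PROGIDS if p in body]
        markers = [name for rx_name, rx in OBFUSCATION_PATTERNS.items()
                   if rx.search(body) for name in (rx_name,)]
        # Plugin probing combined with obfuscation is the pairing worth alerting on,
        # so a ProgID reference adds a fixed bonus on top of one point per marker.
        score = len(markers) + (2 if progids else 0)
        if score >= threshold:
            findings.append(Finding(i, progids, markers, score))
    return findings


def constructed_sample_page() -> str:
    """A constructed page: one benign inline script and one injected-looking script."""
    # Harmless text, percent-encoded so the sample shows the long %XX run pattern.
    encoded = "".join(f"%{b:02x}" for b in b"var probe='constructed placeholder';")
    return f"""<html><head>
<script>var _ga = ['trackPageview']; /* benign site script */</script>
</head><body>
<script>
try {{ new ActiveXObject("AcroPDF.PDF"); }} catch (e) {{}}
try {{ new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9"); }} catch (e) {{}}
eval(unescape("{encoded}"));
</script>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(constructed_sample_page()):
        print(f"script #{f.index}: score={f.score} progids={f.progids} "
              f"markers={f.obfuscation}")
```

Run against a saved copy of a suspect page; a hit means "look closer at this block", not a verdict, since legitimate plugin-detection libraries also reference these ProgIDs. The threshold is what tunes false positives, and the benign script in the sample scores zero because it neither probes a plugin nor uses any of the listed constructs.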

Description Last Updated Date: Dec 08, 2009
Reference: ID - 1130461