For the week of 24 Jan 2011
Threat 1: WordPress JavaScript hack pushes FakeAV
Threat Name: JS/ScrLd-C
Users at Risk: Windows users
Also Known As:
- Avira: JS/Clicker.CA
- Kaspersky: Trojan-Clicker.JS.Agent.ma
- McAfee: JS/Wonka
- Microsoft: TrojanClicker:HTML/Iframe.J
- Trend Micro: JS_WONKA.SM
About:
JS/ScrLd-C is a generic detection for obfuscated, malicious JavaScript injected into legitimate web pages.
The purpose of the injected script is redirection. The script loads a second script from a remote command-and-control (C&C) server and, based on the contents of that second script, attempts to redirect the visitor to a payload site. This allows the final payload site to be changed at the first-level C&C server without the need to change every hacked site. The referrer and keyword parameters are passed through from the injected site to allow the hackers to track how the victims arrive at the payload site.
JS/ScrLd-C is a general-purpose script used in web-based attacks, but it has mostly been used by hackers who have broken into sites running WordPress and are using it to redirect innocent users to sites selling fake anti-virus software.