Senior Malware Analyst James Dee found a fake domain that claims to have something to do with Skype vouchers. The voucher, a form of Skype Credit, has been around for quite some time, so it already has a certain prominence among Skype's 663M* users. Anyway, the website is skypevouchers(dot)com.
Take note of the misleading title, which comes with a questionable iframe tag in the code. The domain in that iframe, manjakuhappy.com, turned out to be a legitimate Malaysian baby wear site that had been injected with a malicious PHP script, contact.php. The script is no longer there as of this writing, but we were able to retrieve it for analysis. Here’s what it looked like:
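The pattern described above (a legitimate page carrying an injected iframe that pulls content from somewhere else) is something a site owner can check for on their own pages. The following is an added example, not the retrieved script and not code from the original post: a small stdlib-only auditor that parses an HTML page and flags iframes that point off-site, are hidden with CSS, or are sized down to a single pixel. The sample page, the hostnames in it (example-babywear.test, injected.example.invalid) and the function name audit_html are constructed for this example.

```python
"""Flag iframes that look injected: off-site source, hidden via CSS, or 1x1 pixel."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collects iframe tags whose attributes match common injection tells."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # host the page is expected to belong to
        self.findings = []                   # one dict per suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []

        # Source on a host other than the site itself (or one of its subdomains).
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("external src " + host)

        # Hidden or pushed off-screen with inline CSS.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if re.search(r"(left|top):-\d{3,}px", style):
            reasons.append("positioned off-screen")

        # Tiny frame: width/height of 0 or 1 pixel.
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().rstrip("px")
            if value.isdigit() and int(value) <= 1:
                reasons.append(f"{dim}={value}")

        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def audit_html(html_text, site_host):
    """Return a list of suspicious iframes found in html_text for a page on site_host."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample: a legitimate-looking page with one benign iframe and one injected one.
SAMPLE_PAGE = """<html><head><title>Free Skype Vouchers</title></head>
<body><h1>Baby wear</h1>
<iframe src="https://www.example-babywear.test/sizechart" width="600" height="400"></iframe>
<iframe src="http://injected.example.invalid/contact.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in audit_html(SAMPLE_PAGE, "example-babywear.test"):
        print(f"line {hit['line']}: {hit['src']} -> {', '.join(hit['reasons'])}")
```

Run it against a saved copy of a page (for example, one fetched with curl) and review every hit by hand; a benign embedded widget can trip the external-host rule, but an iframe that is both off-site and hidden or one pixel in size is the classic injection signature described in this post.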
After deobfuscating and analyzing the code and following more URL trails, we finally end up with two URLs, both hosted on 95(dot)163(dot)67(dot)189, each housing a malicious Java exploit:
- Java Exploit 1:
MD5: d3f933524c85c96a76f7ffd516d335c0
Website: halloffam(dot)bee(dot)pl/showthread.php?t=83475
Detection ratio: 5 / 43
- Java Exploit 2:
MD5: 58db6e6e25d9b8e4742f2ef9b43c3818
Website: themettco(dot)bee(dot)pl/showthread.php?t=49281
Detection ratio: 10 / 43
Both Java exploits take advantage of a vulnerability in the Java Runtime Environment (JRE) component of Oracle Java. More about CVE-2011-3544 here.
I did a bit of digging around and found out that skypevouchers(dot)com has been around since 2006, registered by someone in Estonia. It doesn’t have much of a “landing page” now, since it mostly does redirects, but if you’re interested in what it looked like six years ago, here it is:
Be careful when searching the Web for free Skype vouchers. You might land on places with things you’re less than willing to bargain for.
Jovi Umawing (Thanks to James)
* Statistic as of March 2011