The Websense ThreatSeeker Network has detected that the website hxxp://goeast(dot)wagamama(dot)com, associated with Wagamama (a Japanese and sushi restaurant chain), has been compromised and injected with malicious code, also known as a RunForestRun attack.
RunForestRun attack exploits vulnerability in Parallels Plesk to obtain user account credentials, then compromised accounts are used to modify JavaScript files. As shown below, modification consists of obfuscated script. When this script is run, it deobfuscates to an iframe with pseudo-random generated URLs(in this case based on date and time). The resulting malicious URL will lead the user to a well-known and widely used tool in an underground community – Blackhole Exploit Kit.
Websense customers are protected from this threat with ACE, our Advanced Classification Engine.
Image 1: The site is injected with code which redirects to a .js file with obfuscated code.
Image 2: The /global.js java script file on goeast.wagamama.com includes injected code (marked with red).
When a visitor goes to the site, injected script deobfuscates into an iframe with a peudo-random URL, based on the date and time. The visitor is automatically redirected to a malicious site, which is currently down.
Image 3: The obfuscated script injected into the /global.js file looks like this.
Image 4: The injected code translates to an iframe that redirects to an exploit site without user interaction.
Image 5: The randomly generated URL from October 1, listed in http://pastebin.com/iZWFrDPC (lsvdxjpwykxxvryd(dot)ru // Mon Oct 01 2012 01:00:00. entry 195).
Fortunately, this type of attack was discovered some time ago, so the generated URLs are proactively blocked.
Leave a reply
