We came across an interesting and widespread campaign, which infects computers by drive-by-download. The technique seems to be simple but sneaky: The attackers intrude into a web server and infect the content of the locally stored 404 error page. In the detected examples, the web pages had no designated Favicon.ico, but the web browser routinely asks for one. The consequence: The server transmits the 404 error page to the browser, including the infected script.
Screenshot 1: G Data Favicons, displayed in the address bar and the tab
The infection
The exploit begins as soon as the browser opens the 404 error page. It is redirected to another server by scripts in an implemented and infected IFRAME. G Data products become active at this point already and block this redirection!
All of the cases registered by G Data were infected by the same attackers and redirected to gowlave.cn, but the attackers change the servers at irregular intervals. Other servers with the top level domains .cn and .in, were involved already.
The payload, an attack kit, lies on dedicated servers, ready to be downloaded. The kit includes, among other things, a malicious PDF. When this PDF is opened in the browser, it downloads scareware onto the victim’s computer. Microsoft Office Snapshot Viewer and Microsoft Office Web Components are attacked as well. Furthermore the Trojan Horse Goolbot (Win32:Scar-H) is downloaded to perform backdoor activities. The attackers exchange the executable file for new and different version from time to time, in order to avoid detection.
Infected examples
The scammers are looking for (more or less) popular websites to increase the infection radius. Recently, G Data products alert very often. Examples are:
- coolio.com, the American musician’s homepage
- h-s-m.org, an unofficial webpage for Disney’s “High School Musical”
- A famous German sport portal
- Mario Bofill, an Argentine folk singer
- Anil Kapoor, the game show host in “Slumdog Millionaire”
In the case of the German sport portal, which suffered temporarily from these 404 error page infections, the infection was implemented into an advertisement.