Wednesday, September 8, 2010

Beware of googleanalitics.net

Mass attacks on websites are common; they usually take advantage of underlying vulnerabilities in the technology upon which multiple sites are built. My recent posts illustrate examples of mass web attacks. Here is another example of such an attack:

Screen-shot of Malicious JavaScript:


After analysing the JavaScript I identified the following items of interest:


Decoding the encoded JavaScript assigned to variable ‘mspoeae’ resulted in the following definition of function ‘jyho’, which is responsible for further decoding the JavaScript.


As you can see in the remaining code, this function takes the following input string:


The above execution ultimately decodes to the following JavaScript:


This version of ‘Google Analytics’ is certainly not the one run by Google!!!!

A Google search for ‘http://www.googleanalitics.net/_utb.js’ will land you on various discussion forums driven by those affected by this malicious script. It appears that many sites have been affected by this malicious JavaScript; we first spotted it at “carpediem.fr”.

Affected Webpage: http://support.carpediem.fr

Currently, if you try visiting ‘http://www.googleanalitics.net/_utb.js’, you will be redirected to a porn site.

Screen-shot of http://www.googleanalitics.net/_utb.js


Make sure your site is using the genuine ‘Google Analytics’!!!

Pradeep
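
One way to check that a page loads only the genuine ‘Google Analytics’, as an added example that is not part of the original post: it extracts every script source host from a page and flags hosts that sit within a small edit distance of the brand name without belonging to Google's domains. The function names, the domain allowlist and the sample HTML are assumptions made for illustration; because the injected script described above was obfuscated, run it over the rendered DOM's HTML rather than only the raw source.

```javascript
// Added example: flag <script src> hosts that imitate Google Analytics.
// Genuine registrable domains (assumption: extend to what your site really loads).
const GENUINE_DOMAINS = ["google-analytics.com", "googletagmanager.com"];
const BRANDS = ["googleanalytics", "googletagmanager"]; // hyphens removed

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function isGenuine(host) {
  return GENUINE_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Return script hosts in `html` that resemble a brand but are not genuine.
function findLookalikeScripts(html, maxDistance = 2) {
  const flagged = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(re)) {
    let host;
    try {
      host = new URL(m[1], "http://placeholder.invalid/").hostname.toLowerCase();
    } catch {
      continue; // unparseable src: nothing to compare
    }
    if (isGenuine(host)) continue;
    const labels = host.split(".").map((l) => l.replace(/-/g, ""));
    const hit = labels.some((l) => BRANDS.some((b) => editDistance(l, b) <= maxDistance));
    if (hit) flagged.push(host);
  }
  return flagged;
}

// Constructed sample page: a genuine include, the lookalike from this post, a local file.
const SAMPLE_HTML = `
<script src="http://www.google-analytics.com/ga.js"></script>
<script type="text/javascript" src="http://www.googleanalitics.net/_utb.js"></script>
<script src="/js/site.js"></script>`;
console.log(findLookalikeScripts(SAMPLE_HTML));
```
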
