Monday, April 4, 2011

Worldfest, Houston website compromised before the start of the event

Today, one of our blog readers, Mr. Steve Kennedy, posted a comment saying his antivirus alerted on “http://www.worldfest.com”. It appeared to be related to the Blackhole exploit kit, which I’d discussed in a previous blog post. This site turns out to be the official website for the Houston International Film Festival. The 44th annual WorldFest event will be held from April 8 to 17, 2011. Here is the screenshot of the home page:

The malicious JavaScript code is injected at the bottom of the main page, as can be seen in the attached screenshot:

The malicious JavaScript is heavily obfuscated to evade detection. A decoded version of the JavaScript contains code that looks legitimate at first glance. A malicious iframe is then inserted in the middle of this decoded content. Here is the screenshot:
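The two placement and obfuscation traits described above (a heavily obfuscated inline script appended after the end of the real page, and an iframe hidden inside it) are exactly what a webmaster or analyst can scan for before a visitor's antivirus has to. The following Python script is an added example written for this post, not code from the original post or from any vendor tool; the sample page it scans is constructed and hypothetical (the `bad.example` and `player.example` hosts are placeholders), and the indicator list and thresholds are the author of this example's own choices.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (hypothetical, not the real worldfest.com markup): an ordinary
# page with one legitimate video embed, followed by an obfuscated script and a 1x1 hidden
# iframe appended after </html>, which is the placement the post describes.
SAMPLE_HTML = """<html><head><title>Festival</title>
<script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1><iframe src="https://player.example/embed/1" width="640" height="360"></iframe>
</body></html>
<script>var a="\\x65\\x76\\x61\\x6c";eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));
document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104));</script>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
"""

# Constructs that legitimate page scripts rarely combine but packed/obfuscated loaders almost
# always do (chosen for this example; tune for your own site).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write", "\\x", "%u")
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")


def script_indicators(body):
    """Return the obfuscation indicators found in one inline script body."""
    found = [m for m in OBFUSCATION_MARKERS if m in body]
    escaped = sum(len(m) for m in ESCAPE_RE.findall(body))
    if body and escaped / len(body) > 0.2:   # a fifth of the script is escaped bytes
        found.append("escape-sequence density %.0f%%" % (100 * escaped / len(body)))
    return found


def iframe_hidden(attrs):
    """Reasons an iframe looks hidden from the user; empty for ordinary embedded content."""
    reasons = []
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append("%s=%s" % (dim, value))
    style = attrs.get("style", "").replace(" ", "").lower()
    for marker in ("display:none", "visibility:hidden", "left:-", "top:-"):
        if marker in style:
            reasons.append(marker)
    return reasons


class InjectionScanner(HTMLParser):
    """Collects suspicious inline scripts and hidden iframes together with their line numbers."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.html_closed = False        # True once </html> has been seen; content after it is a red flag
        self._script_line = None        # line of the <script> tag currently being read
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "script":
            self._script_line = line
            self._script_chunks = []
        elif tag == "iframe":
            reasons = iframe_hidden(attrs)
            if reasons:
                self.findings.append({"kind": "hidden_iframe", "line": line,
                                      "src": attrs.get("src", ""),
                                      "after_html_close": self.html_closed,
                                      "reasons": reasons})

    def handle_data(self, data):
        if self._script_line is not None:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_line is not None:
            reasons = script_indicators("".join(self._script_chunks))
            if len(reasons) >= 2:       # one marker alone is common in legitimate code
                self.findings.append({"kind": "obfuscated_script", "line": self._script_line,
                                      "after_html_close": self.html_closed,
                                      "reasons": reasons})
            self._script_line = None
        elif tag == "html":
            self.html_closed = True


def scan_html(html):
    """Return a list of findings for one page's markup."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against a saved copy of a page, the scanner reports the obfuscated script on line 5 and the hidden iframe on line 7 of the sample, both marked `after_html_close`, while the legitimate 640x360 embed and the plain `<script src>` tag produce nothing. Comparing the output against a known-good copy of the site, or running it on a schedule, turns the "injected right at the bottom" pattern into something you notice before your visitors do.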

Unfortunately, we were unable to retrieve any malicious content for this post because the iframed site simply redirects to Google. The attackers may have crafted the page to deliver the payload only when certain conditions are met (e.g. a specific user agent or geographic location), but despite trying various approaches we could not retrieve malicious content from the page. Here is the packet capture of the redirect:

The website sets a cookie and redirects to Google. This cookie may be used by the attacker to track previous victims in order to ensure that the payload is only delivered once. This is another common technique to keep the attack under the radar. This site was registered on 30th March 2011 in Ukraine. Here is the whois lookup:
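The response pattern described above (an attacker-controlled host that sets a cookie, answers with an empty 3xx to a well-known benign site, and serves nothing to the client) is itself a useful triage signal when you are looking at captures like this one. The following Python snippet is an added example for this post, not code from the original post or from any product; the captured response is constructed (the cookie name, expiry and server header are hypothetical placeholders, not values from the real capture), and the allowlist of benign landing hosts is this example's own.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Constructed capture (hypothetical values, not the real redirect from the post): the iframe
# target answers with a cookie and a 302 to Google, and nothing else.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: visited=1; expires=Fri, 08-Apr-2011 00:00:00 GMT; path=/\r\n"
    "Location: http://www.google.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed ordinary response, for comparison: real content, no cookie, no redirect.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Festival schedule</body></html>"
)

# Hosts a redirector parks visitors on when it has decided not to serve them (example allowlist).
BENIGN_LANDING_HOSTS = {"www.google.com", "google.com"}


def parse_response(raw):
    """Split a raw HTTP/1.x response string into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split(None, 2)[1])          # "HTTP/1.1 302 Found" -> 302
    headers = Parser().parsestr(header_text, headersonly=True)
    return status, headers, body


def triage_redirect(raw):
    """Score one response for the cookie-then-redirect-to-benign-site cloaking pattern."""
    status, headers, body = parse_response(raw)
    is_redirect = 300 <= status < 400
    cookies = [c.split("=", 1)[0].strip() for c in headers.get_all("Set-Cookie", [])]
    location = headers.get("Location", "")
    host = urlsplit(location).hostname or ""
    indicators = []
    if is_redirect and host in BENIGN_LANDING_HOSTS:
        indicators.append("redirects to a benign landing site: " + host)
    if is_redirect and cookies:
        # A cookie on a bare redirect is how the server remembers it has seen this client.
        indicators.append("sets cookie on redirect: " + ", ".join(cookies))
    if is_redirect and not body.strip():
        indicators.append("empty body: nothing was served to this client")
    return {
        "status": status,
        "cookies": cookies,
        "redirect_host": host,
        "indicators": indicators,
        "suspected_cloaking": len(indicators) >= 2,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, SAMPLE_OK):
        print(triage_redirect(raw))
```

On the constructed capture the result carries all three indicators and `suspected_cloaking` is true; on the ordinary 200 page it carries none. When an analysis run hits this pattern, the practical follow-up is to record the cookie name and expiry, discard the cookie jar, and compare a fresh first visit against a repeat visit, since a host that only answers with content once will look benign on every fetch after the first.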

A Google search for the query “WorldFest Houston 2011” returns this infected site as the first search result, as shown below:

Attackers often try to target popular events and the WorldFest is a valuable target with the event beginning on April 8th. This site will surely get plenty of traffic given that this is a popular film festival. We have informed the webmaster of the infection and will continue to monitor the site.

Happy Film Festival!

Umesh

2 comments:

Umesh Wanve said...

The guys from WorldFest were quick. They have now removed the bad code.

Jon said...

Found one of these the other day too in a Pit BBQ restaurant's website:

www[dot]thepit-raleigh[dot]com

Injected right at the bottom of their main page, and it seems to have the same obfuscation as your example. I let them know to remove it. Pretty slick stuff.