    Archive for December 31st, 2009




    We have received a lot of positive feedback for our three-part paper on KOOBFACE (I, II, III) from all parts of the IT industry, but now the malware authors themselves have chimed in.

    The KOOBFACE gang (who are attempting to make people believe that they are a legitimate company) have left a Christmas message on each of their infected hosts. Part of this message includes personal messages for several members of the security industry—ourselves included:

    Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores, who had released a very cool document (with three parts!) describing all our mistakes we’ve ever made

    This is not the first time cybercriminals have left messages for the security industry. In fact, we posted another blog entry on this last year.

    Nice to see we are causing these groups some annoyance, something we definitely plan to continue in 2010.

    Happy new year everyone!




    Trend Micro threat analysts were alerted to the discovery of several compromised websites injected with a malicious JavaScript, which Trend Micro detects as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses the defer attribute, which delays the execution of its routine, that is, redirecting the user to several malicious websites, so that users will not suspect that they are already being infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it displays only a blank white page; viewing the page source, however, reveals the following obfuscated code:


    Upon analysis, it was observed that the code found on most infected sites begins with either /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va.

    According to the Unmask Parasites blog, the cybercriminals behind this attack incorporated the names of certain legitimate sites, such as Google, Bing, and WordPress, into their code so that their URLs appear legitimate.
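    As an added illustration (not code from the original post), the following Python scanner shows how a Web administrator could triage pages for this injection: it flags inline scripts that carry the defer attribute, whose body starts with one of the two prefixes quoted above (matched in a whitespace-tolerant way), or which embed the brand names mentioned. The sample pages are constructed for the example; the marker pattern and brand list are derived from the post.

```python
import re
from collections import namedtuple

# Whitespace-tolerant form of the two prefixes quoted in the post:
# /*GNUGPL*/try{window.onload=function(){var  and  /*CODE1*/ try{window.onload = function(){va
MARKER_RE = re.compile(
    r"/\*(?:GNUGPL|CODE1)\*/\s*try\s*\{\s*window\.onload\s*=\s*function\s*\(\s*\)\s*\{\s*va")
# Brand names the post says the attackers embed to look legitimate.
LOOKALIKE_WORDS = ("google", "bing", "wordpress")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
DEFER_RE = re.compile(r"\bdefer\b", re.I)

Finding = namedtuple("Finding", "index has_defer marker_hit lookalikes")

def scan_html(html):
    """Return one Finding per inline <script> that shows any indicator."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = m.group(1), m.group(2).lstrip()
        has_defer = bool(DEFER_RE.search(attrs))
        marker_hit = bool(MARKER_RE.match(body))
        words = tuple(w for w in LOOKALIKE_WORDS if w in body.lower())
        if has_defer or marker_hit or words:
            findings.append(Finding(i, has_defer, marker_hit, words))
    return findings

def is_suspicious(html):
    """True when a deferred inline script starts with the injection marker."""
    return any(f.has_defer and f.marker_hit for f in scan_html(html))

# Constructed samples: a clean page and one carrying the injected pattern
# (the redirect target is a placeholder under the reserved .invalid TLD).
CLEAN_PAGE = ('<html><body><script src="/js/app.js"></script>'
              '<script>window.onload=function(){console.log("hi")}</script>'
              '</body></html>')
INJECTED_PAGE = ('<html><body><p>Hello</p><script defer>/*GNUGPL*/try{window.onload='
                 'function(){var u="http://wordpress-cdn.invalid/in.php";'
                 'window.location=u;}}catch(e){}</script></body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, is_suspicious(page), scan_html(page))
```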

    Trend Micro Smart Protection Network protects users from this attack by blocking all related malicious domains, preventing user access and, consequently, malware infection. Users are nevertheless advised to keep their systems up to date, and Web administrators to change their FTP credentials.

    Erratum: The compromised websites are running on PHP servers.

    Update as of January 5, 2010, 1:00 PM PST

    According to security specialist Noriaki Hayashi, since the redirections are controlled by the owners of the malicious Web servers, the final payload of the whole infection routine is that users are infected with either a FAKEAV variant (detected by Trend Micro as TROJ_FAKEAV.SMF) or a BREDOLAB variant (detected as TROJ_BREDLAB.SME).


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice