Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, redirecting the user to several malicious websites. This is done so users will not suspect that they are being infected already. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen. On the other hand, viewing the source code will yield the following obfuscated code:

Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va.

According to the Unmask Parasites blog, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL.

Trend Micro Smart Protection Network secures users from this attack by blocking all related malicious domains to prevent user access and, consequently, malware infection. It is, however, advisable for users to keep their systems up-to-date and for Web administrators to change their FTP credentials.

Erratum: The compromised websites are running on PHP servers.

Update as of January 5, 2010, 1:00 PM PST

According to security specialist, Noriaki Hayashi, since the redirections are controlled by the owners of the malicious Web servers, the final payload of the whole infection routine is that users are infected with either a FAKEAV variant (detected by Trend Micro as TROJ_FAKEAV.SMF) or a BREDOLAB variant (detected as TROJ_BREDLAB.SME).