Thursday, October 20, 2011

WAMP Server Site has Injected JS

Overview
WAMP is an all-in-one package that installs Apache, MySQL, and PHP on a Windows system. It's the lazy man's way of getting a web server up and running in almost no time. However, I discovered today that there is injected JavaScript in their page that redirects users to exploits.

Screenshot: WAMP's main page. Doesn't look suspicious on the outside.


Once you view the page source, it is immediately apparent that there is injected script at the bottom of the page.

It's the typical exploit-pack injected code, of course. All it really does is take the body of 'gibberish', replace the 'a' characters with commas, then multiply every number by 2, which gives you an array of whole numbers that String.fromCharCode() turns into normal JavaScript. It throws in a bunch of other stuff just to make de-obfuscating a little harder. Or to make it look more legit? The pastebin for the full injected code is here.
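A static decoder for exactly the scheme described above, written as an added example (it is not the post's code and not the real injection): 'a' separates the fields, each field is half a character code, the page doubles them and feeds them to String.fromCharCode(). The decoder inspects the result and never evaluates it. The variable name, the sample payload and the redirector.example domain are constructed placeholders.

```javascript
// Added example, not code from the original post. Static decoder for the
// injection scheme the post describes: a blob where 'a' separates fields,
// each field is half a character code, and the page doubles them and feeds
// them to String.fromCharCode(). The decoded text is inspected, never run.

// Decode one blob into the JavaScript/HTML it hides.
function decodeBlob(blob) {
  const fields = blob.replace(/a/g, ",").split(",");
  let out = "";
  for (const f of fields) {
    if (f === "") continue;                    // tolerate stray separators
    const code = Number(f) * 2;                // halves -> whole char codes
    if (!Number.isInteger(code) || code < 0 || code > 0xffff) {
      throw new Error("field " + JSON.stringify(f) + " is not half a UTF-16 code unit");
    }
    out += String.fromCharCode(code);
  }
  return out;
}

// Inverse of decodeBlob; used here only to build the constructed sample.
function encodeBlob(text) {
  return Array.from(text, (ch) => String(ch.charCodeAt(0) / 2)).join("a");
}

// Find the blob in an injected <script>, decode it, and pull out what a
// defender wants first: embedded URLs and whether a 1x1 / 0-size iframe is present.
function analyseInjected(html) {
  const m = html.match(/var\s+(\w+)\s*=\s*["']([0-9.a]+)["']/);
  if (!m) return null;
  const decoded = decodeBlob(m[2]);
  return {
    variable: m[1],
    decoded: decoded,
    urls: decoded.match(/https?:\/\/[^\s"'<>]+/g) || [],
    hiddenIframe: /<iframe[^>]*\b(width|height)\s*=\s*["']?[01]\b/i.test(decoded),
  };
}

// Constructed sample with a placeholder domain; it is NOT the real injection.
const SAMPLE_PAYLOAD =
  '<iframe src="http://redirector.example/in.php" width="1" height="1"></iframe>';
const SAMPLE_HTML =
  '<script>var z="' + encodeBlob(SAMPLE_PAYLOAD) + '";/* decoding loop omitted */</script>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(analyseInjected(SAMPLE_HTML));
}
```

Running the file prints the decoded iframe, the URL it points at and the hidden-iframe flag; the same three fields are what you would feed into a blocklist or a proxy alert rather than loading the page in a browser.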

Deobfuscated

Of course, that iframe redirects me to some more bad code. Here's the pastebin for this code.

Deobfuscated. Another layer of obfuscation, but it's just the Dean Edwards JS packer, so no big deal.
Layer 2 deobfuscated. Heyoo, PDF version enumeration.
That isn't the only request the redirect generated. It also generated a request for some obfuscated code that enumerates the system's Java version. Here is the pastebin for this code.
Same type of obfuscation.
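Both the PDF-enumeration script and the Java-enumeration script are wrapped in the Dean Edwards packer mentioned above. As an added example (not code from the post, and not the real packed scripts), here is a static unpacker: it reads the packer's (p, a, c, k) arguments out of the eval(function(p,a,c,k,e,d){...}(...)) wrapper and reverses the token substitution itself, so the payload is recovered as text without ever being executed. The packed sample is constructed and contains only a harmless plugin-count snippet.

```javascript
// Added example, not code from the original post. Static unpacker for the
// Dean Edwards "p,a,c,k,e,d" packer: recovers the source by substitution
// alone and never eval()s it.

// The packer's own token encoder: index c rendered in base `a` using
// 0-9, a-z, then A-Z for bases above 36.
function encodeToken(c, a) {
  const head = c < a ? "" : encodeToken(Math.floor(c / a), a);
  const r = c % a;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Pull (p, a, c, k) out of the eval(function(p,a,c,k,e,d){...}(...)) wrapper.
function parsePacked(src) {
  const m = src.match(
    /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/
  );
  if (!m) return null;
  return {
    p: m[1].replace(/\\'/g, "'"),   // the packer escapes single quotes in p
    a: Number(m[2]),
    c: Number(m[3]),
    k: m[4].split("|"),
  };
}

// Replace every token with its dictionary word, highest index first,
// exactly as the packer's bootstrap does, but without eval.
function unpack(src) {
  const parsed = parsePacked(src);
  if (!parsed) throw new Error("not a p,a,c,k,e,d wrapper");
  let { p, a, c, k } = parsed;
  if (a > 62) throw new Error("base-" + a + " (high-ASCII) packing is not handled by this decoder");
  while (c--) {
    if (k[c]) {
      p = p.replace(new RegExp("\\b" + encodeToken(c, a) + "\\b", "g"), k[c]);
    }
  }
  return p;
}

// Constructed sample in the shape of the packer's output; the bootstrap body
// is elided because the unpacker only needs the trailing argument list.
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){/* packer bootstrap elided */return p}" +
  "('0 1=2.3.4;5.6(1)',62,7,'var|ver|navigator|plugins|length|console|log'.split('|'),0,{}))";

if (typeof require !== "undefined" && require.main === module) {
  console.log(unpack(SAMPLE_PACKED));
}
```

Unpacking the sample yields var ver=navigator.plugins.length;console.log(ver), the kind of plugin/version check the post found once the layer was removed. Note that the packer leaves a dictionary slot empty when a word encodes to itself, which is why the loop skips empty k[c] entries.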


I haven't notified WAMPServer.com that their site is owned yet because I'm lazy. But this just goes to show that you can never tell which sites will get owned next. So keep your Flash, PDF reader, Java, and browsers up to date all the time.

Screenshot: some domain information. This reminded me a lot of a SANS blog post I read about how these malware rings alter domain information for actual legit domains in order to capitalize on SEO and other things. Maybe I'm wrong.

A quick Google search on some of this information found at least a couple more domains that have the injected code as well, e.g. marijuanapictures.com.


There are probably dozens, hundreds, or more domains that got blasted and now have injected redirects.