In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Friday, September 28, 2007
Syrian Embassy in London Serving Malware
Which domains act as infection vectors?
sicil.info/forum/index.php and sicil.info/g/index.php (188.8.131.52), exploiting old, already-patched vulnerabilities in the usual MPack style. Exploit function names visible in the kit's JavaScript: function qtime_exploit, function yahoo_e
0ki.ru/forum/index.php (184.108.40.206), where a WebAttacker kit launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (220.127.116.11).
What are the malware authors trying to infect the visitors with?
Think the malware authors were satisfied with merely infecting the visitors with malware? Not at all. This is perhaps the first, but definitely not the last, time I've seen an embassy hosting pharmaceutical scam pages and ringtone ones. List of historically hosted scam pages:
The folks at ScanSafe contacted me to point out that they had discovered the malware on the Syrian embassy's site on the 12th of August, giving us more insight into how long the attackers had access to it. In ScanSafe's example a different malicious URL (miron555.org/s/index.php) was being served compared to the ones seen on 21 and 24 September, so the attackers were rotating their landing pages. And given that the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while.
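The infection vectors above follow the same pattern: a legitimate page silently loads an off-site, usually hidden, iframe or script that points at an exploit-kit landing page, and the landing URL gets rotated over time. The following is an added example, not code from the blog or from ScanSafe, of how a site owner could scan their own HTML for that pattern. It flags off-site iframes/scripts, iframes sized or styled to be invisible, and references to the landing URLs named in this post (treated purely as historical indicators, since rotation makes any such list go stale). The page URL embassy.example and the sample HTML are constructed for the example.

```python
"""Scan a page's HTML for injected exploit-kit references of the kind described
in the post: off-site iframes/scripts, hidden iframes, and hits on the
landing-page paths it names. Added example; the sample page below is constructed
and is not the embassy's real HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Landing URLs named in the post (sicil.info, 0ki.ru, x12345.org, miron555.org).
# Historical indicators only: the post itself notes the attackers rotated them.
KNOWN_LANDINGS = (
    "sicil.info/forum/index.php",
    "sicil.info/g/index.php",
    "0ki.ru/forum/index.php",
    "x12345.org/img/counter.php",
    "miron555.org/s/index.php",
)

HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")


class _InjectScanner(HTMLParser):
    """Collects suspicious iframe/script/object/embed references while parsing."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script", "object", "embed"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")
        if not src:
            return  # inline script body; not covered by this check
        url = urljoin(self.page_url, src)  # resolve relative references
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if host and host != self.site_host:
            reasons.append("off-site")
        if tag == "iframe" and self._looks_hidden(a):
            reasons.append("hidden-iframe")
        hostpath = host + parsed.path  # compare without the query string
        if any(hostpath.endswith(k) for k in KNOWN_LANDINGS):
            reasons.append("known-landing")
        if reasons:
            self.findings.append({"tag": tag, "url": url, "reasons": reasons})

    @staticmethod
    def _looks_hidden(a):
        """Zero/one-pixel iframes or CSS-hidden ones are the classic injection shape."""
        style = a.get("style", "").replace(" ", "").lower()
        if any(tok in style for tok in HIDDEN_STYLE_TOKENS):
            return True

        def tiny(value):
            value = value.strip().lower().rstrip("px")
            return value.isdigit() and int(value) <= 1

        return tiny(a.get("width", "")) and tiny(a.get("height", ""))


def scan_for_injections(html, page_url):
    """Return a list of findings: tag, resolved URL and the reasons it was flagged."""
    scanner = _InjectScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: benign content plus two injected elements shaped like
# the ones the post describes (hidden iframe to an MPack landing page, off-site
# counter script).
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<img src="/images/flag.gif">
<script src="/js/menu.js"></script>
<iframe src="http://sicil.info/forum/index.php" width=0 height=0 style="display: none"></iframe>
<script src="http://x12345.org/img/counter.php?out=1189360677"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_for_injections(SAMPLE_PAGE, "http://embassy.example/index.html"):
        print(f["tag"], f["url"], ",".join(f["reasons"]))
```

Run against a page fetched from your own site, the output lists every off-site or hidden reference, which is the thing to eyeball after a compromise. The "known-landing" reason is the weakest signal here; "off-site" plus "hidden-iframe" on a page that should contain neither is what actually catches the next rotation of URLs.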