Thursday, October 25, 2007

A Portfolio of Malware Embedded Magazines

This is perhaps my most important discovery of a farm of malware-embedded sites in a while, at least with respect to the potential impact it is currently having on the unprotected visitors browsing the sites of Possibility Media's portfolio of online magazines, which are pretty weird content by themselves. Possibility Media's (now owned by GM Media Worldwide Inc.) 24 online publications are currently serving embedded malware in the form of IFRAMEs on each and every domain, a logical development given they're all hosted on a single server (

The affected domains include the following e-zines:

- Network Week Magazine
- Portable Computing Magazine
- Business Computing Magazine
- Communications World Magazine
- Service Provider Weekly
- Web Week Magazine
- PC News Weekly
- IT Week Magazine
- Communication Week Magazine
- IP World Magazine
- Network Week Magazine
- The Best PC
- Technology Week Magazine
- The Internet Standard
- Security Standard
- The IT Standard
- Hosting Week
- Enterprise Week
- Computer News
- The Internet Standard
- CE Week Magazine
- Ebusiness Magazine
- Health Care IT Magazine
- Service Provider Magazine

Deobfuscating the obfuscated JavaScript, we see that the first IFRAME points to : ; ; ; and - where we get the actual malware under the umbrella of a typical WebAttacker obfuscation. The main index of the domain includes links to pharmaceuticals, making it an interesting one in combination with embedded malware.

The second IFRAME points to where we're greeted with the following message "asdfasdfIt works!" and a piece of Trojan.Srizbi.

Detection rate : Result: 8/31 (25.81%)
File size: 113152 bytes
MD5: a4733e1901653da7086930588d699c85
SHA1: 3e65be5e54b893cddf8f5f9bec2591425d49579a

It gets even more interesting with the following domains returning the same message within their indexes, and also hosted at the second IFRAME-ing IP -

Possibility Media's vision states "New Media Making The Difference!" Indeed.
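As an added example (not code from the original post), here is a check a site operator could run over each page of such a portfolio: it lists every IFRAME source, including ones written out by script strings, and flags hosts other than the page's own. The `unescape()` percent-encoding is an assumed obfuscation style, since the post does not show the scripts, and the hosts and markup in the sample are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> start tag in real markup."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


# Assumption: the injected script hides markup in unescape("%3C...") literals.
# JavaScript's %uXXXX escapes are not decoded by this sketch.
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)


def iframe_sources(html, depth=3):
    """Return iframe src values from markup and from nested unescape() strings."""
    parser = IframeCollector()
    parser.feed(html)
    found = list(parser.sources)
    if depth > 0:
        for _quote, encoded in UNESCAPE_RE.findall(html):
            found += iframe_sources(unquote(encoded), depth - 1)
    return found


def foreign_iframes(html, page_host, allowed_hosts=()):
    """Return iframe sources whose host is neither the page's own nor allowlisted."""
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    hits = []
    for src in iframe_sources(html):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed:  # relative URLs have no host: same site
            hits.append(src)
    return hits


# Constructed sample page: one legitimate relative frame, one script-written frame.
SAMPLE = ('<html><body><iframe src="/ads/banner.html"></iframe>'
          '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//192.0.2.10'
          '/x/%22%20width%3D1%20height%3D1%3E%3C/iframe%3E"));</script></body></html>')
```

Running `foreign_iframes` over every page of every domain on the shared server, with each site's known partners in `allowed_hosts`, turns an injection like this one into a short list of URLs to review.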
