Tuesday, November 27, 2007

I See Alive IFRAMEs Everywhere - Part Two

The never ending IFRAME-ing of relatively popular or niche domains whose popularity is attracting loyal and well segmented audience, never ends. Which leads us to part two of this series uncovering such domains and tracing back the malicious campaign to the very end of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google's warning indicating they're still harmful, the point is that all of these are connected.

Affected sites :

Epilepsie France - epilepsie-france.org
Iran Art News - iranartnews.com
The Media Women Forum - yfmf.org
Le Bowling en France - bowling-france.fr
The Hong Kong Physiotherapists Union - hkpu.org
The Wireless LAN Community - wlan.org
The First HELLENIC Linux Distribution - zeuslinux.gr

The entire campaign is orbiting around pornopervoi.com, which was last responding to 81.177.3.225, an IP that's also known to be hosting a fake bank (weiterweg-intl.com) according to Artists Against 419. Within the domain, there were small files loading a second IFRAME. For instance, pornopervoi.com/u.php leads to 88.255.94.246/freehost1/georg/index.php?id=0290 (WebAttacker), the same campaign is also active at 81.29.241.238/freehost1/georg/index.php?id=0290, these try to drop the following :

88.255.94.246/freehost1/chris0039/lu/dm_0039.exe
81.29.241.238/freehost1/chris0031/lu/dm_0031.exe

An Apophis C&C panel was located in this ecosystem as well. Among the other files at pornopervoi.com, are pornopervoi.com/i.php where we're redirected to the second one spelredeadread.com/in.php?adv=678. Even more interesting, energy.org.ru a Web hosting provider is also embedded with pornopervoi.com/m.php again forwarding to spelredeadread.com. To further expand this ecosystem, yfmf.org the Media Women Forum is also IFRAME-ed with a link pointing to pornopervoi.com/m.php. Another site that's also pointing to pornopervoi.com/m.php is the Hong Kong Physiotherapists Union hkpu.org. Two more sites serving malware, namely wlan.org, the Wireless LAN Community also pointing to pornopervoi.com/m.php, and zeuslinux.gr, The First HELLENIC Linux Distribution.

Who's behind this malware embedded attack? It's the ongoing consolidation between defacers, malware authors, and blackhat SEO-ers using the infamous infrastructure of the RBN.

Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
A Portfolio of Malware Embedded Magazines
Possibility Media's Malware Fiasco
The "New Media" Malware Gang
Another Massive Embedded Malware Attack

No comments:

Post a Comment