Wednesday, February 13, 2008

Anti-Malware Vendor's Site Serving Malware

Even though AvSoft Technologies isn't really enjoying a large market share, making the impact of this malware coming out of their site even bigger, the irony is perhaps what truly matters in the situation. Some press coverage - Hackers Turn Antivirus Site Into Virus Spreader; Antivirus company's Web site downloads ... a virus; Hackers seed malware on Indian anti-virus site :


"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs."

The IFRAME at the site used to point to ntkrnlpa.info/rc/?i=1 (85.114.143.207) which also responds to zief.pl, where an obfuscation tries to server ntkrnlpa.info/rc/load.exe through the usual diverse set of exploits served by MPack.

Detection rate
: 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j
File size: 8704 bytes
MD5: 31f8a31adfdff5557876a57ff1624caa
SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2

Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?