Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September. As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different javascript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active acting as a counter for the malicious campaign.

Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit

function vml_exploit

function firefox_exploit

function firefox1_exploit

function wmplayer_exploit

function qtime_exploit
function yahoo_e

function winzip_exploit

function flash_exploit

function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)

What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack

Ikarus 2007.09.28 Trojan.Delf.NEB

Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen

Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe

File size: 65024 bytes

MD5: ef98a662c72e3227d5c4bb3465133040

SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm

syrianembassy.co.uk/news/lv/buy-levitra.htm

syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm

syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm

syrianembassy.co.uk/news/xa/buy-site-xanax.htm

syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :

The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site. In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while.