Thursday, October 25, 2007

A Portfolio of Malware Embedded Magazines

This is perhaps my most important discovery of a malware-embedded site farm in a while, at least with respect to the potential impact it is currently having on the unprotected visitors browsing the sites in Possibility Media's portfolio of online magazines, which are pretty weird content by themselves. Possibility Media's (now owned by GM Media Worldwide Inc.) 24 online publications are currently serving embedded malware in the form of IFRAMEs on each and every domain, a logical development given that they're all hosted on a single server (216.251.43.11). The affected domains include the following e-zines:

networkweekmag.com - Network Week Magazine
portablecomputingmag.com - Portable Computing Magazine
businesscomputingmagazine.com - Business Computing Magazine
communicationsworldmag.com - Communications World Magazine
spweekly.com - Service Provider Weekly
webweekmag.com - Web Week Magazine
pcnewsweeklymag.com - PC News Weekly
itweekmagazine.com - IT Week Magazine
communicationsweekmag.com - Communication Week Magazine
ipworldmag.com - IP World Magazine
thebestpcmag.com - The Best PC
technologyweekmag.com - Technology Week Magazine
theinternetstandardmag.com - The Internet Standard
securitystandardmag.com - Security Standard
theitstandard.com - The IT Standard
hostingweekmag.com - Hosting Week
enterpriseweekmag.com - Enterprise Week
computernewsmagazine.com - Computer News
ceweekmag.com - CE Week Magazine
ebusinessmag.com - Ebusiness Magazine
healthcareitmagazine.com - Health Care IT Magazine
serviceprovidermagazine.com - Service Provider Magazine

Deobfuscating the obfuscated JavaScript, we see that the first IFRAME points to: lilohost.hk/cgi/index.php; lilohost.hk/cgi/indexx.php; lilohost.hk/cgi/tdss/index.php?out=1192369270; and lilohost.hk/cgi/indexx.php, where we get the actual malware under the umbrella of a typical WebAttacker obfuscation. The main index of the domain includes links to pharmaceuticals, making it an interesting one in combination with embedded malware.

The second IFRAME points to 208.72.168.176/e-Sr1pt2210/index.php where we're greeted with the following message "asdfasdfIt works!" and a piece of Trojan.Srizbi.
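The pattern described in the two paragraphs above (an obfuscated script dropping an IFRAME that points off-site and is sized or styled to be invisible) is what a site owner would scan their own pages for. The following is an added example, not code from this post; the host names in SAMPLE are constructed, and the heuristics (off-site src, 0/1 px dimensions, display:none or visibility:hidden) are assumptions chosen for illustration:

```python
# Added example, not code from the post: flag IFRAMEs that look injected
# (off-site src and/or hidden). Host names in SAMPLE are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLES = ("display:none", "visibility:hidden")

def _is_tiny(value):  # width/height of 0 or 1 px, typical of injected frames
    return str(value).rstrip("px").strip() in ("0", "1")

class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):  # HTMLParser lower-cases tag/attr names
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src stays on the page's own host; anything else is off-site.
        host = (urlparse(src).hostname or self.page_host).lower()
        reasons = []
        if host != self.page_host:
            reasons.append("off-site host " + host)
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("tiny dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if any(s in style for s in HIDDEN_STYLES):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html, page_host):
    """Return [(src, [reasons])] for every suspicious IFRAME in html."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one ordinary on-site embed, one injected hidden frame.
SAMPLE = """<html><body><h1>Network Week</h1>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://malicious-host.example/cgi/index.php" width="0"
        height="0" style="display: none"></iframe></body></html>"""

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE, "networkweekmag.com"):
        print(src, "->", ", ".join(why))
```

Run it against the HTML actually served by each domain (not the files on disk, since the injection may sit in server-side includes or templates) and compare findings across the farm; on a single shared server like the one above, the same off-site src showing up on every site is the tell.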

Detection rate: 8/31 (25.81%)
File size: 113152 bytes
MD5: a4733e1901653da7086930588d699c85
SHA1: 3e65be5e54b893cddf8f5f9bec2591425d49579a

It gets even more interesting, with the following domains returning the same message within their indexes and also being hosted at the second IFRAME-ing IP, 208.72.168.176. Possibility Media's vision states "New Media Making The Difference!" Indeed.
