Monday, November 19, 2007
Another Massive Embedded Malware Attack
Compared to the previous massive embedded malware attack in Italy that I assessed in June 2007, which relied primarily on a shared hosting provider getting hacked, this one is more interesting to follow because the domains have nothing to do with each other; in fact, some are suspected of being generated for blackhat SEO purposes in combination with embedded malware, while the rest are legitimate sites. Moreover, the campaign is currently in a cover-up stage, but the sites are still serving the IFRAME you can see in the attached screenshot. Currently affected sites, where over 90% still have the IFRAME within:
The main campaign IFRAME URL is megazo.org/trans.htm, serving TR/Crypt.XPACK.Gen and using its own nameservers, ns1.megazo.org (188.8.131.52) and ns2.megazo.org (184.108.40.206), which also hosts 13fr.info; 1sense.info; 1speed.info. Deobfuscation leads to 1spice.info/t/ (220.127.116.11), from where we're redirected to 18.104.22.168/cgi-bin/new/in.cgi?p=user4; both URLs try to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003). Another exploit URL is also active at this IP, 22.214.171.124/web/index.php, which is IcePack in action.
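A defender's check for this kind of campaign, added here as an example and not code from the original post: scan a page's HTML for IFRAMEs that point at the hosts named above, or that are hidden zero-size frames, which is how the embedded IFRAME was served on the affected sites. The campaign host list is taken from this post; the sample HTML is constructed.

```python
# Added example (not the post's code): flag injected IFRAMEs; campaign hosts from the post, sample page constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

CAMPAIGN_HOSTS = {"megazo.org", "1spice.info", "13fr.info", "1sense.info", "1speed.info"}

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """Zero-size or display:none frames, the usual shape of an injected IFRAME."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def _host_of(src):
    """Hostname of a src value; scheme-less values like 'megazo.org/trans.htm' are accepted."""
    if "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()

def find_injected_iframes(html, campaign_hosts=CAMPAIGN_HOSTS):
    """Return (src, reasons) for each iframe that points at a campaign host or is hidden."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for a in p.iframes:
        src, host, reasons = a.get("src", ""), _host_of(a.get("src", "")), []
        if host in campaign_hosts or any(host.endswith("." + h) for h in campaign_hosts):
            reasons.append("campaign-host")
        if _is_hidden(a):
            reasons.append("hidden")
        if reasons:
            hits.append((src, ",".join(reasons)))
    return hits

# Constructed sample page: one legitimate embed plus one injected hidden frame.
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://megazo.org/trans.htm" width="0" height="0" style="display:none"></iframe>
</body></html>"""
for src, why in find_injected_iframes(SAMPLE_HTML):
    print(f"{why}: {src}")
```

Run it against crawled copies of the affected pages to confirm whether the cover-up has actually removed the frame; a hidden frame to an unlisted host is still reported so new redirector domains show up.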