Monday, November 19, 2007

Another Massive Embedded Malware Attack

Compared to the previous massive embedded malware attack in Italy that I assessed in June 2007, which relied primarily on a shared hosting provider having been hacked, this one is more interesting to follow because the domains have nothing to do with each other; in fact, some are suspected of having been generated for blackhat SEO purposes in combination with embedded malware, while the rest are legitimate sites. Moreover, the campaign is currently in a cover-up stage, but the sites are still serving the IFRAME you can see in the attached screenshot. Currently affected sites, of which over 90% still have the IFRAME within:

syncopatedvideo.com
ja-bob.com
idledrawings.com
biblequizzer.net
johnnydam.com
gonaus.com
caribbeanjamz.net
campbellscollision.com
instopiainsurance.com
electronicesthetics.com
blackopalproductions.com
loadway.com
mtwashingtonkennelclub.com
shoveltown.com
simplabase.com
ajrivers.com
jacquelinesdayspa.com
epidemianet.com
aabosa.net
bisign.com
orangevaleson.com
blackmanassociates.com
jumarktrade.com
queerduck.icebox.com

The main campaign IFRAME URL is megazo.org/trans.htm, serving TR/Crypt.XPACK.Gen and using its own nameservers, ns1.megazo.org (203.117.111.102) and ns2.megazo.org (203.117.111.103), which also host 13fr.info, 1sense.info and 1speed.info. Deobfuscation leads to 1spice.info/t/ (203.121.79.164), from where we're redirected to 203.121.79.164/cgi-bin/new/in.cgi?p=user4; both URLs try to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003). Another exploit URL is also active at this IP, 203.121.79.164/web/index.php, which is IcePack in action.
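For site owners checking whether their own pages carry the injected IFRAME, here is a small detection script. It is an added example, not code from the original post: it parses a page's HTML, pulls out every IFRAME, and flags any that points at one of the campaign hosts named above (megazo.org, 1spice.info, 203.121.79.164) or that is sized or styled to be invisible, which is how this kind of injection is typically hidden. The sample page it runs over is constructed for the example; the indicator list is taken from the post.

```python
import re
from html.parser import HTMLParser

# Indicators of compromise taken from the post above: the campaign IFRAME host
# and the hosts/IP in the redirect chain.
CAMPAIGN_INDICATORS = {
    "megazo.org",
    "1spice.info",
    "203.121.79.164",
}

# Constructed sample page: one legitimate embed plus one hidden injected IFRAME.
SAMPLE_PAGE = """<html><body>
<h1>Kennel club news</h1>
<iframe src="http://example.com/embedded-video" width="400" height="300"></iframe>
<iframe src="http://megazo.org/trans.htm" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dim(attrs, name):
    """Numeric value of a width/height attribute, or None if absent/non-numeric."""
    raw = attrs.get(name)
    if raw is None:
        return None
    digits = re.sub(r"\D", "", raw)
    return int(digits) if digits else None


def _is_hidden(attrs):
    """True if the frame is hidden via CSS or sized to be (nearly) invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dim(attrs, "width"), _dim(attrs, "height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _host(url):
    """Extract the host from a full URL or from a bare 'host/path' form."""
    url = url.strip()
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url, re.I)
    if m:
        return m.group(1).lower()
    m = re.match(r"^([a-z0-9.-]+)(?:[/:?#]|$)", url, re.I)
    return m.group(1).lower() if m else ""


def find_suspicious_iframes(html, indicators=CAMPAIGN_INDICATORS):
    """Return a list of IFRAMEs that match a known indicator or are hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = _host(src)
        known = host in indicators or any(host.endswith("." + i) for i in indicators)
        hidden = _is_hidden(frame)
        if known or hidden:
            hits.append({"src": src, "host": host,
                         "hidden": hidden, "known_indicator": known})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE):
        print("suspicious IFRAME:", hit)
```

In practice you would feed it the HTML fetched from each page of your own site (or your web root files on disk) and treat any hit as a reason to inspect the file and the hosting account; a hidden IFRAME that does not match the indicator list is still worth a look, since the campaign host can change while the injection pattern stays the same.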
