Tuesday, November 06, 2007

I See Alive IFRAMEs Everywhere

During the weekend, the entire Newsland.ru, which is among the most popular Russian news portals, was marked as "this site may harm your computer" by StopBadware.org due to an embedded IFRAME link pointing to where else if not to the RBN. Each and every embedded malware attack during 2007 that I assessed in previous posts had something to do with the RBN in the form of a single RBN IP used in numerous malicious activities all at once: different sites get embedded with it, blackhat SEO postings at different forums, etc. In this one, the parties behind the attack dedicated a special IP with what looks like a clean IP reputation. A cached copy of the page will still load the live exploit url at What really happened at Newsland.ru? Was it an end user who submitted a news story with the somehow embedded IFRAME to sort of conduct unethical competitive engagement by having Google mark the entire portal as harmful, or was it planned and executed on purpose?

In another such incident, Podfeed.net was recently hacked and malware embedded at its front page. The now clean site, however, used to have an embedded link, over 20 times to be precise, pointing to the following URL:

yl18.net/0.js ( with the .js having two IFRAMEs within, namely yl18.net/0.html - 404 dead, and the second IFRAME yl18.net/z.html which loads a third IFRAME within, pointing to yzgames.cn/game.htm ( This IFRAME-ing game relies entirely on yl18.net/0.js to keep up and running, and a direct loading link to the script was also somehow embedded on high trafficked sites such as cincinnatiusa.com; cincinnati.com; guidance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the ISC's blog has some detection rates from while the malware was still active. This embedded malware campaign is a perfect example of an ongoing cover up, just like the case when, several hours after the community started looking at the Bank of India's malware serving site, the RBN URL removed the javascript and redirected it to Google.com. We had the same situation with the recent discovery of 100 malwares on a single RBN IP, where the directory name was changed several hours later for yet another time. The same goes for the malicious parties behind Possibility Media's malware attack, who, once they started getting visited by security vendors, replaced all their main index pages with a "get lost" message, as well as for RBN's fake "account suspended" messages, which aren't really part of a cover up, but of a deception stage like always.
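The nesting described above (a front page embedding one script many times, the script writing IFRAMEs, and one of those loading a further IFRAME) can be mapped from saved copies when auditing your own site. The following is an added example, not code from the original post; the hosts, the `SAVED` contents and the function names are constructed placeholders, and it assumes script bodies carry their IFRAME markup as plain strings.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed saved copies standing in for fetched resources (placeholder hosts).
SAVED = {
    "http://portal.example/": '<p>news</p>' + '<script src="http://inject.example/0.js"></script>' * 3,
    "http://inject.example/0.js": 'document.write("<iframe src=\'http://inject.example/0.html\'></iframe>");'
                                  'document.write("<iframe src=\'/z.html\' width=0 height=0></iframe>");',
    "http://inject.example/z.html": '<iframe src="http://payload.example/game.htm"></iframe>',
    "http://payload.example/game.htm": "<html>landing page</html>",
}

class RefParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # Record the src attribute of every <script> and <iframe> start tag.
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.refs.append(src)

def extract_refs(url, body):
    """Absolute script/iframe targets in an HTML page or a script body."""
    if urlparse(url).path.endswith(".js"):
        # Scripts emit markup as strings, so match the iframe src textually.
        found = re.findall(r"<iframe[^>]*\bsrc=\\?['\"]([^'\"\\]+)", body, re.I)
    else:
        parser = RefParser()
        parser.feed(body)
        found = parser.refs
    return [urljoin(url, ref) for ref in found]

def walk(start, fetch=SAVED.get):
    """Follow script/iframe references breadth-first; return (edges, dead)."""
    edges, dead, queue = Counter(), [], [start]
    for url in queue:                      # the queue grows while we iterate
        body = fetch(url)
        if body is None:                   # no saved copy, e.g. a 404
            dead.append(url)
            continue
        for target in extract_refs(url, body):
            edges[(url, target)] += 1      # count repeated embeds of one link
            if target not in queue:
                queue.append(target)
    return edges, dead
```

Each key in `edges` is a (source, target) pair and its value is how many times that source embeds the target, so a script injected repeatedly into one page shows up as a single edge with a high count.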

While I was researching a third domain that was serving a Banking trojan, and loading IFRAMEs to sicil.info, which in case you don't remember is the IFRAME behind the Syrian Embassy hack, I came across injected blackhat SEO campaigns at two universities advertised in between the IFRAMEs, now removed, cached copies available - emissary.wm.edu/EE/cache; hsutx.edu/student_life/brand/wp-content/uploads. The reason I won't mention the domain in question is that the script kiddies behind it forgot to take care of their directory permissions just like the Russian Business Network did recently, and while in RBN's case over 100 malwares were spotted, in this case it's a web C&C for a metaphisher type of banking malware kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack and the Syrian Embassy Hack, as some of his IFRAMEs are using the exact urls from the previous attacks. And as you already know from reading my previous assessments and the connections between them, one of the attack IPs in the Possibility Media's malware attack was also among the ones used in the Bank of India hack - it's the "ai siktir vee?" group with another unique IP.

Key points :

- a Turkish defacer is taking advantage of a remotely installed web backdoor in order to host a metaphisher type of banking malware kit
- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian Embassy hack, and the recent Possibility Media's malware attack
- if defacers start cooperating with malware groups given each of them excels at different practices, it's gonna get very ugly

If you don't take care of your site's web vulnerability management, someone else will.
