The Register reports that the Royal Netherlands Embassy in Moscow was serving malware to its visitors at the beginning of last week :
"Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a script that tried to dupe people into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content from its customers' networks."
Let's be a little more descriptive. The only IP that was included in the IFRAME was 68.178.194.64/tab.php which was then forwarding to 68.178.194.64/w/wtsin.cgi?s=z. ip-68-178-194-64.ip.secureserver.net (also responding to lmifsp.com and foxbayrental.com) has been down as of 22 Jan 2008 18:56:38 GMT, but apparantly it was also used in several other malware embedded attacks. For instance, the IFRAME is currently active at restorants.ru. The secondary IFRAME is a redirector script in a traffic management script that can load several different URLs, to both, generate fake visits to certain sites that are paying for this, and a live exploit URL as it happens in between.
Historical preservation of actionable intelligence on who's what and what's when is a necessity. Here are for instance two far more in-depth assessments given the exploits URLs were still alive back then, discussing the malware embedded at the sites of the U.S Consulate in St. Petersburg, and the Syrian Embassy in the U.K.
Related posts:
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
A Portfolio of Malware Embedded Magazines
The New Media Malware Gang
The New Media Malware Gang - Part Two
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Have Your Malware in a Timely Fashion
Cached Malware Embedded Sites
Compromised Sites Serving Malware and Spam
Malware Serving Online Casinos
No comments:
Post a Comment