Monday, January 14, 2008

The Pseudo "Real Players"

What happened with the recent massive RealPlayer embedded malware attack? Two of the main hosts are now down, and the third one, ucmal.com/0.js, is strangely loading an iframe pointing to ISC's blog, alongside 61.188.39.218/pingback.txt, which over the last couple of hours has been returning the message "You're welcome for being saved from near infection".

As I'm sure others like to analyze the post-incident behavior of the malicious parties too, here is what happened in this particular attack: over the weekend they borrowed what has become a trademark tactic of the Russian Business Network, namely serving a fake 404 error page while keeping the campaign running. In RBN's case only the index pages served the fake "account suspended" messages, while the campaign stayed active on the rest of the internal pages. In the RealPlayer campaign, the 404 error pages themselves were embedded with the same IFRAMEs, so that the site appears broken to the average Internet user while the payload is still being delivered.

Despite the main campaign domains being blocked on a worldwide scale, the hundreds of thousands of sites that originally participated are still not clean and keep trying to load the now-down domains. Moreover, the bigger picture involves a fourth domain as well, yl18.net/0.js, which was part of the same type of massive embedded malware attack in November, 2007.
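As an added illustration, not part of the original post or the author's own tooling: a small scanner that checks a response body for iframe and script references to the campaign hosts named above regardless of the HTTP status code, since a fake 404 still carries the payload. The sample HTML responses below are constructed, and the exact markup of the real injected tags is assumed.

```python
import re
from html.parser import HTMLParser

# Indicators taken from the post: hosts whose 0.js / pingback.txt the campaign used.
CAMPAIGN_HOSTS = {"ucmal.com", "yl18.net", "61.188.39.218"}


class InjectedTagFinder(HTMLParser):
    """Collect src attributes of iframe and script tags (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def host_of(url):
    """Extract the host from an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url)
    return m.group(1).lower() if m else None


def scan_response(status, body):
    """Return which campaign URLs the body references.

    The HTTP status is deliberately NOT used as a shortcut: a page that
    claims 404 is scanned exactly like a 200, because the fake error pages
    in this campaign still embedded the IFRAMEs.
    """
    finder = InjectedTagFinder()
    finder.feed(body)
    hits = [src for src in finder.sources if host_of(src) in CAMPAIGN_HOSTS]
    return {"status": status, "hits": hits, "infected": bool(hits)}


# Constructed sample responses (not captured traffic).
FAKE_404 = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    '<iframe src="http://ucmal.com/0.js" width="0" height="0"></iframe>'
    "</body></html>"
)
REAL_404 = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    "</body></html>"
)
STILL_INFECTED_PAGE = (
    "<html><body><p>Welcome to our site</p>"
    '<script src="//yl18.net/0.js"></script>'
    '<script src="/js/site.js"></script></body></html>'
)


if __name__ == "__main__":
    for label, status, body in (
        ("fake 404", 404, FAKE_404),
        ("real 404", 404, REAL_404),
        ("live page", 200, STILL_INFECTED_PAGE),
    ):
        result = scan_response(status, body)
        print(f"{label:10} status={result['status']} infected={result['infected']} hits={result['hits']}")
```

Run over a crawl of the affected sites, the "hits" list is what to hand to the webmaster; the status code alone tells you nothing, which is exactly the point of the fake 404 trick.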

Why pseudo "real players" anyway? Because in this attack they followed what can be described as a fad, namely relying on a single exploit as the cornerstone of the campaign, at least if a massive infection is what they wanted to achieve. The "real players", or script kiddies on the majority of occasions, serve exploits on a client-side matching basis, and therefore the more diverse the exploit set, the higher the probability that a vulnerable application will be detected and exploited. So, given the number of sites affected, it could have been much worse than it currently is, judging by speculation about the success rate of the campaign in terms of infections rather than sites affected, which is a success by itself. Execution gone wrong, given the foundation for the attack, until the next time.
