The "window of opportunity" that a huge anticipated traffic spike offers is something malicious parties always find adaptive ways to exploit. Back in December 2007, the same event-based malware embedded attack appeared at a French government site covering France/Libya relations, right in the middle of the Libyan leader's visit to the country. My detailed analysis back then revealed details of the usual RBN connection, with IFRAME hosts switching between HostFresh, Ukrtelegroup Ltd, and Turkey's Abdallah Internet Hizmetleri, to surprisingly end up at the New Media Malware Gang's original IP, further confirming the existence of what's now a diverse ecosystem.
The same timely malware embedded attack happened at the top of the Annual Weblog Awards site, The Bloggies, as Trend Micro assessed on Monday:
"The Web site of the Annual Weblogs Awards — more informally known as the Bloggies — was hacked recently, serving up a malicious Javascript to its visitors. This happened on the eve of the award ceremony, as reported in NEWS.com.au."
An embedded malware screenshot is worth a thousand words, so it's attached, along with the scan results for IcePack's now easily detectable module:
Scanner results : 47% Scanner(17/36) found malware!
File Size : 10666 byte
MD5 : 0860a1f5f1b27db14fedbfc979399fa4
SHA1 : 81c4ca763850fd3d675a0955ee6885ce83db53a5
HTML/Psyme.Gen; Trojan-Downloader.JS.Agent.et
Moreover, wilicenwww.biz/1/1/ice-pack/index.php is currently responding to 202.75.38.150, and besides the descriptive IcePack host, the IP also responds to the following domains:
bigsavingpharmacy.com
infosecurestatus.com
pharmacysuperdiscount.com
rspectrum.name
sicil.info
sicil256.info
superdiscountpills.com
mydnsweb.net
thegogosearch.com
So what? Historical CYBERINT ultimately improves your situational awareness. sicil.info was the main domain behind the Syrian Embassy in the U.K. malware embedded attack. Back then, sicil.info was responding to 203.121.79.71, and now to 202.75.38.150; switching locations doesn't earn the domain a clean reputation anyway, and the domains it is co-hosted with inherit the same suspicion.
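To make the "historical CYBERINT" point concrete, here is an added example (not code from the original post) of the kind of correlation a defender keeps: a small passive-DNS-style history of domain-to-IP resolutions, with a pivot from an IP to every domain ever seen on it, and an assessment that flags a domain either because it was itself tagged in an earlier campaign or because it shares hosting with one that was. The records are constructed from the domains and IPs named in the post; the campaign labels ("syrian-embassy-uk", "icepack-bloggies") are this example's own tags, and the chronological order of the list is assumed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Resolution(NamedTuple):
    domain: str
    ip: str
    campaign: Optional[str]  # label attached when the record was taken, if any


# Constructed history in chronological order (earliest first). Domains and
# IPs are the ones named in the post; the campaign tags are assumptions of
# this example, not data from the post.
HISTORY: List[Resolution] = [
    Resolution("sicil.info", "203.121.79.71", "syrian-embassy-uk"),
    Resolution("wilicenwww.biz", "202.75.38.150", "icepack-bloggies"),
    Resolution("sicil.info", "202.75.38.150", None),
    Resolution("bigsavingpharmacy.com", "202.75.38.150", None),
    Resolution("infosecurestatus.com", "202.75.38.150", None),
    Resolution("pharmacysuperdiscount.com", "202.75.38.150", None),
    Resolution("rspectrum.name", "202.75.38.150", None),
    Resolution("sicil256.info", "202.75.38.150", None),
    Resolution("superdiscountpills.com", "202.75.38.150", None),
    Resolution("mydnsweb.net", "202.75.38.150", None),
    Resolution("thegogosearch.com", "202.75.38.150", None),
]


def index_by_ip(history: List[Resolution]) -> Dict[str, Set[str]]:
    """Map each IP to every domain ever observed resolving to it."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for r in history:
        by_ip[r.ip].add(r.domain)
    return by_ip


def known_bad_domains(history: List[Resolution]) -> Dict[str, str]:
    """Domains that carry a campaign tag anywhere in their history."""
    return {r.domain: r.campaign for r in history if r.campaign}


def ips_of(domain: str, history: List[Resolution]) -> List[str]:
    """IPs a domain has used, oldest first, without duplicates."""
    seen: List[str] = []
    for r in history:
        if r.domain == domain and r.ip not in seen:
            seen.append(r.ip)
    return seen


def pivot(ip: str, history: List[Resolution]) -> List[str]:
    """Reverse-IP pivot: every domain ever seen on this IP, sorted."""
    return sorted(index_by_ip(history).get(ip, set()))


def assess(domain: str, history: List[Resolution]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).

    known_bad: the domain itself was tagged in an earlier campaign.
    suspect:   it shares an IP (past or present) with a tagged domain.
    unknown:   nothing in the history links it to a known campaign.
    """
    by_ip = index_by_ip(history)
    bad = known_bad_domains(history)
    reasons: List[str] = []
    verdict = "unknown"
    if domain in bad:
        verdict = "known_bad"
        reasons.append(f"previously tagged {bad[domain]}")
    # A hosting move does not reset history: check neighbours on every IP used.
    for ip in ips_of(domain, history):
        for neighbour in sorted(by_ip[ip] - {domain}):
            if neighbour in bad:
                reasons.append(f"shares {ip} with {neighbour} ({bad[neighbour]})")
                if verdict == "unknown":
                    verdict = "suspect"
    return verdict, reasons


if __name__ == "__main__":
    print("domains on 202.75.38.150:", pivot("202.75.38.150", HISTORY))
    for d in ("sicil.info", "bigsavingpharmacy.com", "example.org"):
        verdict, why = assess(d, HISTORY)
        print(f"{d}: {verdict}", *[f"  - {w}" for w in why], sep="\n")
```

Run as-is to see sicil.info come back as known-bad on the strength of its older record despite the IP change, while the pharmacy domains that merely share 202.75.38.150 are flagged as suspect rather than confirmed bad; that distinction keeps infrastructure-based verdicts honest when shared hosting is involved.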
Wednesday, March 12, 2008
Embedded Malware at Bloggies Awards Site