Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of.
What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves.
Keep it Simple Stupid for the sake efficiency is what makes the campaign relatively easy to track once you understand the importance of hot leads, and real-time assessments for the purpose of setting the foundation for someone else's upcoming piece of the puzzle in an OSINT manner. The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants :
72.232.39.252NetRange: 72.232.0.0 - 72.233.127.255
CIDR: 72.232.0.0/16, 72.233.0.0/17
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: abuse@layeredtech.com
195.225.178.21route: 195.225.176.0/22
descr: NETCATHOST (full block)
mnt-routes: WZNET-MNT
mnt-routes: NETCATHOST-MNT
origin: AS31159
notify: vs@netcathost.com
remarks: Abuse contacts: abuse@netcathost.com
89.149.243.201netname: NETDIRECT-NET
remarks: INFRA-AW
admin-c: WW200-RIPEremarks: INFRA-AW
tech-c: SR614-RIPE
changed: technik@netdirekt.de 20070619
changed: technik@netdirekt.de 20070619
89.149.220.85netname: NETDIRECT-NET
remarks: INFRA-AWadmin-c: WW200-RIPE
tech-c: SR614-RIPEchanged: technik@netdirekt.de 20070619
Newly introduced malware serving domains upon loading the IFRAMES :
mynudedirect.com/3/5144 (216.255.186.107) loads mynudenetwork.com/flash2/?aff=5144 (85.255.120.203) which attempts to load mynudenetwork.com/load.php?aff=5144&saff=0&sid=3 where the malware is attempting to load upon accepting the ActiveX object :
Suspicious:W32/Malware!Gemini; W32/BHO.BVW
File size: 107536 bytesMD5: e50f2c9874a128d4c15e72d26c78352c
SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8aMoreover gift-vip.net/images/index1.php (195.225.178.19) is still loading from the previous campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (58.65.234.25), and of course, e.pepato.org/e/ads.php?b=3029 (58.65.238.59) :
Scanners Result: 2/32 (6.25%)JS.Feebs.rv; JS/Feebs.gen2 @ MM
File size: 16098 bytes MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e
SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6We also have vipasotka.com/in.php?adv=5032&val=43c46ed2 (119.42.149.22) loading and redirecting to golnanosat.com/in.php?adv=5058&val=e32a412f (119.42.149.22)
Scanners Result : Result: 11/32 (34.38%)File size: 61440 bytes
MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d
07search.com
5m9h41.com
a666hosting.info
l6q7x6.com
nashepivo.com
nbb3g1.com
sraly.com
uvilo.com
vmksxo.com
credits-counselor.com
hx0k21.com
mob-shop.net
smart-search.net
For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place.
The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours, as if you don't take care of your web application vulnerabilities, someone else will.
Related posts:
More High Profile Sites IFRAME Injected
More CNET Sites Under IFRAME Attack
ZDNet Asia and TorrentReactor IFRAME-ed
Rogue RBN Software Pushed Through Blackhat SEO
Massive RealPlayer Exploit Embedded Attack
Another Massive Embedded Malware Attack
Yet Another Massive Embedded Malware Attack
Massive Blackhat SEO Targeting Blogspot
Massive Online Games Malware Attack
Press coverage:
Symantec's Internet Threat Meter
Major Web sites hit with growing Web attack
Audit Your Web Server Lately?
Hackers expand massive IFrame attack to prime sites
Major Web Sites Hit with Growing Web Attack
Major Sites Hit with IFRAME Injection Attacks
Researcher - IFRAME Redirect Attacks Escalate
An Update to the IFRAME SEO Poisoning
Massive Web Server Hack
Massive IFRAME Continues to Hit Top Sites
Attackers booby-trap searches at top Web sites
Several Major Websites Affected By Major Iframe Attack
Web Security Scanning Is Paramount
SEO poisoning attack hits big sites; Can the defenses scale?
Hackers step up search results attack
Tale of the IFRAME Continues
