News is
spreading fast,
appropriate credit is
given, but
not as fast
as the IFRAME
campaign targeting several more
CNET Networks' web properties besides
ZDNet Asia, namely,
TV.com,
News.com and
MySimon.com which I'll assess in this post. In the time of posting this, no other CNET sites are involved in the campaign, including ZDNet's international sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. And so, we have three more sites part of CNET Networks' portfolio, getting injected with more IFRAMEs,
abusing their search engine's local caching, and storing of any keyword feature, in a combination with a loadable IFRAME.
What has changed for the past 24 hours, despite that the now over
51,900 pages at zdnetasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs used in this IFRAME campaign, including two new domains introduced have been injected, and are loading at
TV.com, News.com and MySimon.com, again
pushing the rogue XP AntiVirus, the rogue Spyshredderscanner, as well as another fake codec
MediaTubeCodec.exe, hosted and distributed under two new domains.
Which sites are currently targeted?ZDNet Asia - currently has 51,900 injected pages
TV.com - 49,600 locally hosted IFRAME injected pages
News.com - 167 locally hosted pages, injection is ongoing
MySimon.com - currently 4 pages, the campaign is ongoing
Which domains and IPs are behind the IFRAMEs?do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21
Where's the malware?It's there, you just have to triple check different IFRAME-ed search results and finally you'll get to install XP AntiVirus 2008 and a fake codec, the only two pieces of malware currently served. What's important to note is that this is the current state of the campaign, and with the huge number of IFRAME-ed pages in such a way, targeted attacks on a per keyword basis are possible, and since they ensure you're served on the basis of where you're coming from, things can change pretty fast. These are all of the domains that follow after the IFRAME redirects for all the campaigns currently detected, and the detection rates for the malware from the last campaign :
hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)
MediaTubeCodec.com
Scanner results : 11% Scanner(4/36) found malware!
Time : 2008/03/06 16:38:39 (EET)
File Size : 85520 byte
MD5 : 25708e1168e0e5dae87851ec24c6e9f7
SHA1 : 33b502b13cab7a34bb959d363ae4b7afd23919a6
AVG - I-Worm/Nuwar.P
Fortinet - Suspicious
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan
Tries to connect to
websoftcodecdriver.com;
websoftcodecdriver2.com and
77.91.227.179, in between listening on local port 1034. The downloader tries to drop
Adware.Agent.BN - "
Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer." and
RogueAntiSpyware.AntiVirusPro - "
RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent."
Spyshredderscanner.exe
Scanner results : 42% Scanner(15/36) found malware!
Time : 2008/03/06 17:02:23 (EET)
File Size : 33224 byte
MD5 : bc232dbd6b75cc020af1fcf7cee5f018
SHA1 : fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f
Detected as : Win32.FraudTool.SpyShredder; Downloader.MisleadApp
Again opening local port 1034 and tries to connect to
69.50.168.51, ATRIVO = RBN's well known netblock.
Who's behind it?It's all a matter of perspective, if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN. However as
I've once pointed out
in respect to the
New Media Malware Gang and its connection with the RBN and Storm Worm, for the time being it's unclear which one of these is the operational department if any, of the RBN is vertically integrating to provide more than the hosting infrastructure, and diversify to malware, or spyware installation on a revenue-sharing basis participating in an affiliate program.
This malicious campaign will continue to be monitored, particularly the RBN connection, and whether or not they will start targeting CNET's other sites.
Continue reading →
More news coverage follows regarding the now fixed, injection of IFRAMEs at high page rank-ed sites owned by CNET Networks, in fact Symantec's Internet Threat Meter monitor for web activities rated it medium risk, and urged extra caution :
And since I've already established the RBN connection, it would be perhaps the perfect moment to demonstrate the abuse of input validation by injecting the Russian Business Network's Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected at the first place. The bottom line - even with the input validation flaw accepting and loading the IFRAME, this attack wouldn't have been successful if it wasn't executed in a combination with the sites' keywords caching function.
RSS Feed