
Archive for March, 2008


Mar31
by Jake Soriano (Technical Communications)


Massive iFrame attacks on top Web sites still threaten online searches. The threat is not just continuing but, according to independent Internet security researcher Dancho Danchev, is getting bigger as well.

Trend Micro recently reported two high-traffic sites that were iFramed earlier this month. That attack relied on popular search terms that were not validated in search engines. Interestingly, it came less than a week after search results on the popular Web sites ZDNet Asia and TorrentReactor were also found to have been iFramed.

Danchev says that the current poisoning also leads users to several redirection posts. He again lists what he believes are poisoned sites. These include the following:

  • USAToday.com
  • ABCNews.com
  • News.com
  • Target.com
  • PackardBell.com
  • Walmart.com
  • Rediff.com
  • MiamiHerald.com
  • Bloomingdales.com
  • PatentStorm.us
  • WebShots.com
  • Sears.com
  • Forbes.com

Trend Micro Threat Response engineers analyzed the listed pages and found no traces of an ongoing compromise. The sites may already have been fixed by the time our engineers verified them. The threat in general persists, however, since iFrame injections are very likely to be encountered again in the future. Security researchers have yet to close in on a foolproof way to lock a site down against this kind of compromise.
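The iFrame injections described above work by getting an off-site frame into a page, typically reflected through an unvalidated search term and then cached by search engines. As an added illustration (not code from the original post or from Trend Micro), the Python below does two defender-side things: it scans a page for iframes that point off-site and are also hidden or zero-sized, and it shows how escaping a reflected search term with `html.escape` neutralises an injected tag. The sample page, the host `example.com` and the reserved domain `attacker.invalid` are constructed for the example.

```python
"""Added example: scanning a page for injected iFrames and escaping reflected search terms.

The sample HTML is constructed; example.com stands in for the site being checked and
attacker.invalid is a reserved, non-resolving placeholder domain.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 1px or less, the usual hidden-iframe size."""
    try:
        return float(value.strip().rstrip("px%")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(page_html, page_host):
    """Return (src, reasons) for iframes that point off-site and are hidden or zero-sized."""
    collector = IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("off-site src")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # An off-site frame that is also hidden is the signature of an injection;
        # a visible, full-size third-party frame (an embedded video, say) is not reported.
        if "off-site src" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


def render_search_header(term):
    """Reflect a search term into HTML safely: html.escape turns '<' into '&lt;'."""
    return "<h1>Results for: %s</h1>" % html.escape(term, quote=True)


# Constructed sample page: one legitimate embedded frame and one injected, hidden frame.
SAMPLE_PAGE = """
<html><body>
<h1>Results for: cheap flights</h1>
<iframe src="http://video.example.com/player" width="480" height="360"></iframe>
<iframe src="http://attacker.invalid/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "example.com"):
        print("suspicious iframe:", src, "-", ", ".join(reasons))
    print(render_search_header('cheap flights<iframe src="http://attacker.invalid/"></iframe>'))
```

The scanner only reports a frame when it is both off-site and concealed, which keeps ordinary embedded content out of the findings; the escaping function is the fix on the site side, since a term that is escaped before it is reflected cannot introduce a tag for a search engine to cache.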


Mar31
by Aileen Clemente (Technical Communications)

The Mac world is shaken. IDG News Service’s Robert McMillan reports that Charlie Miller and two other security researchers from Independent Security Evaluators hacked the wickedly slim Apple MacBook Air in a fleeting two minutes and walked away with a $10,000 cash prize, the gorgeous laptop, and tons of bragging rights at the CanSecWest PWN to OWN 2008 contest held in Vancouver. Miller’s earlier claim to fame was being one of the researchers who first hacked the iPhone last year. That must make him Apple’s most favorite person in the whole world!

Beyond giving hackers an opportunity to win big money, the contest aims to surface new vulnerabilities in the target systems so that the affected vendors can address them. Open for attack were a Sony VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1, and, as mentioned, a MacBook Air running OS X 10.5.2. As of this writing, the VAIO and Fujitsu are still standing strong.

Miller’s team exposed the MacBook Air’s vulnerability by “tricking” the judges into visiting a Web site where they had already set up attack code. According to the TippingPoint DVLabs blog (TippingPoint sponsors the contest), a newly discovered vulnerability in Safari, the browser that comes pre-installed on the Air, was used to gain control of the system. Understandably, the details cannot be made public, as agreed in a contract signed by the contestants.

Posted in Security, Vulnerabilities

Mar27
by Carolyn Guevarra (Technical Communications)

The BBC reports that there has been a massive spam attack against China’s mobile users, affecting more than 200 million China Mobile and China Unicom subscribers. Almost half of China’s mobile phone users received unwanted text messages from seven online advertising firms, including NASDAQ-listed Focus Media, according to the Xinhua news agency.

China’s State Council stated that it is thoroughly investigating the said incident. “We urge parties concerned to beef up self-scrutiny to correct their wrongdoing, which is profit-seeking in defiance of public interests,” Liu Yue, deputy head of the State Council’s Office for Rectifying Malpractice, said in a report posted on the Web site of the State Council.

The incident sparked anger among the targeted consumers and the Chinese government, and has drawn apologies from the major advertiser named above and from the country’s biggest mobile phone carrier, China Mobile. Both carriers have set up support hotlines to handle consumer complaints. The Chinese government and the companies, meanwhile, say they are working to standardize regulations on identifying and blocking online and text spam messages.

Posted in News, Spam

Mar27
by Carolyn Guevarra (Technical Communications)

Jose Lopez Tello, Virus Coordinator for Trend Micro Latin America, recently discovered a very interesting malware attack that seems (at first blush) to be related to the Banamex phishing e-mails reported last January and earlier this month.

Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.

However, instead of the DNS poisoning method of the past attacks, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that reports to an IRC server at a U.S. hosting provider.

Based on Tello’s analysis, the infection chain usually starts with a fake greeting eCard that the user receives via email. The eCard contains a link which, when clicked, downloads the malicious file Gusanito.exe.

Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this attack and the previous ones is that, this time around, the downloaded malicious executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS server settings on the affected user’s computer using the following simple script:

dns name= source=static addr=[IP address] register=PRIMARY

Thus, when the user attempts to access www.banamex.com, he is redirected to a phishing Web site (which is actually located on the same fake DNS server).
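The script above carries the argument form of the Windows `netsh interface ip set dns` command (`source=static`, `addr=`, `register=PRIMARY`), which is how the malware points the victim’s resolver at the attacker’s server. A defender can catch this change by reading the DNS client configuration back and comparing it against the resolvers the organisation actually uses. The Python below is an added example, not code from the original post or from Trend Micro; it parses constructed sample output in the layout of `netsh interface ip show dns` (the layout is an assumption based on Windows XP/2003) and flags any interface that has been switched to static DNS servers outside an allowlist. The interface names, addresses and allowlist are constructed for the example.

```python
"""Added example: detect a DNS-changing infection from `netsh interface ip show dns` output.

Constructed sample output; the layout assumed here is that of Windows XP/2003.
Addresses in 203.0.113.0/24 are documentation addresses standing in for a rogue resolver.
"""
import re
from ipaddress import ip_address, ip_network

# Resolvers the organisation legitimately hands out (constructed for the example).
APPROVED_RESOLVERS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]

# Constructed sample: the LAN adapter has been switched to static, off-network resolvers
# (what `set dns ... source=static addr=... register=PRIMARY` produces); the wireless
# adapter is still on DHCP.
SAMPLE_OUTPUT = """\
Configuration for interface "Local Area Connection"
    Statically Configured DNS Servers:    203.0.113.10
                                          203.0.113.11
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    DNS Servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only
"""

_IFACE_RE = re.compile(r'Configuration for interface "(.+)"')
_SERVERS_RE = re.compile(
    r"\s*(Statically Configured DNS Servers|DNS Servers configured through DHCP):\s*(\S+)"
)
_CONTINUATION_RE = re.compile(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_show_dns(text):
    """Return {interface: {"static": bool, "servers": [ip, ...]}} from netsh output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"static": False, "servers": []}
            continue
        if current is None:
            continue
        m = _SERVERS_RE.match(line)
        if m:
            result[current]["static"] = m.group(1).startswith("Statically")
            result[current]["servers"].append(m.group(2))
            continue
        # Additional servers are listed on indented continuation lines.
        m = _CONTINUATION_RE.match(line)
        if m:
            result[current]["servers"].append(m.group(1))
    return result


def find_rogue_dns(text, approved=APPROVED_RESOLVERS):
    """Return (interface, server) pairs for static DNS servers not in the allowlist.

    DHCP-assigned servers are left alone: the malware described on the page sets static
    entries, and DHCP entries come from the network, not from a script on the host.
    """
    findings = []
    for iface, cfg in parse_show_dns(text).items():
        if not cfg["static"]:
            continue
        for server in cfg["servers"]:
            if not any(ip_address(server) in net for net in approved):
                findings.append((iface, server))
    return findings


if __name__ == "__main__":
    for iface, server in find_rogue_dns(SAMPLE_OUTPUT):
        print("rogue static DNS server %s on interface %r" % (server, iface))
```

On a live machine the text would come from running `netsh interface ip show dns` and the allowlist from the organisation’s DHCP scopes; a hit on a host that should be DHCP-configured is a strong signal of exactly the change this malware makes.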

The botnet client (BKDR_VBBOT.AE) also opens an IRC connection to yet another US-based host and channel, where it waits for commands from its botmaster; those commands are actually intended to send out more of the same bogus eCard greeting emails.

As of this writing, over 650 bots are already connected to this botnet C&C (Command & Control) server and are most probably sending out tons of fake greeting eCards at this very moment. “In fact, you can see all the list of emails that will be targeted,” says Tello.

The malicious link has already been submitted to the Trend Micro Content Security team for processing and blocking. The appropriate law enforcement agencies and content providers have also been alerted.

(Thanks to Paul Ferguson for additional technical background.)

-Update: March 29, 2008-

BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.


Mar27
by Daver Cavalcanti (Threats Analyst)

Just recently, Trend Micro discovered an FTP server in Uruguay that hosts a phishing Web site targeting customers of Telecom Italia Mobile (TIM), one of the largest mobile phone companies in Brazil.

The server’s IP address indicates that it may be affiliated with Russian or Ukrainian cyber criminals who have previously been affiliated with RBN, the Russian Business Network. RBN is notorious for its “bullet-proof” hosting facilities, which have been linked to illegal activities such as child pornography, phishing, spam, and malware distribution.

Through an INDEX.HTML file, the phishing site serves an ActiveX control that invites the user to view a video message purportedly from TIM Brazil. When accessed, it attempts to insert malicious code on the client system and then send phishing messages to the affected user. This file changes daily and points to a new false URL, which is sent via email to everyone who fell victim to the fraudulent Web site.

Phishing is a technique used to trick users into divulging personal information (such as social security numbers, ATM PINs, and credit card numbers) through email or dubious Web sites. Perpetrators trick gullible users into sending them private or personal information. To do this, they forge the Web site or an email of a legitimate company. These Web sites or email messages usually ask for information about the recipient, and alterations to the code of the bogus pages or messages redirect that information to the cyber criminals. When a user is tricked into divulging information this way, we say that (s)he has become a victim of a “phishing attack.”

The ActiveX control is already detected by Trend Micro as POSSIBLE_MLWR-1. The malicious URL hides the source of the downloadable file behind an obfuscated script and ultimately downloads a Banker Trojan downloader, win.exe, from a host located in Brazil; that host is already blocked by our URL filtering services.
