Malware Enter The Hives
March 11th, 2008 by Mayee Corpin (Technical Communications)

TrendLabs has gotten word that the official Web site of Swedish rock band The Hives, hxxp://thehivesbroadcastingservice.com, has been hacked. The attack coincides with the US leg of the band’s ongoing tour, before they move on to the UK next month, and the compromised site is where fans look up the tour dates.
An iFrame had been inserted into the page, pointing to another page that redirects to hxxp://coripastares.com/in.php?adv=321&val=b81267. That URL hosts a malicious JavaScript detected as JS_PSYME.FE, which in turn tries to install TROJ_DROPPER.ALS.
TrendLabs anti-malware engineers have downloaded the HTML file where the malicious iFrame was inserted. This HTML file with the malicious iFrame is now detected as HTML_IFRAME.JF.
Trend Micro also now detects the file downloaded from the URL hxxp://coripastares.com/adw_files/100/da41bcd6/install.exe as TROJ_SMALL.AYR, which installs a host of other malware detected as TROJ_RENOS.LA, TROJ_AGENT.AEUM, and TROJ_WANTVI.E.
As if those malicious scripts and Trojans were not enough, this malware also downloads an adware detected as ADW_REANIMATOR from the following site:
- hxxp://www.winreanimator.com/inst/1017/74c321f6c3d70a510c6436c9b79f8090/9/Installer2.exe
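The injection above is a single iFrame planted in an otherwise legitimate page. Site owners can catch that pattern in their own published HTML by flagging frames that load off-site content or are sized or styled to be invisible. The following is an added example, not Trend Micro’s code; the sample HTML, the site host `band.example` and the domain `redirector.invalid` are constructed placeholders.

```python
# Flag suspicious <iframe> tags, the injection technique described above.
# Added example, not Trend Micro code; sample HTML and domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page snapshot: one legitimate same-site iframe, one injected one.
SAMPLE_HTML = """<html><body>
<h1>Tour dates</h1>
<iframe src="http://band.example/player.html" width="400" height="300"></iframe>
<iframe src="http://redirector.invalid/in.php?adv=1" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that load off-site or are made invisible."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the site; an absolute one must match the site host.
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host:
            reasons.append("off-site src")
        if any(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(h in style for h in HIDDEN_STYLES):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Running `suspicious_iframes(SAMPLE_HTML, "band.example")` reports only the second frame, with all three reasons; a scheduled run of this check against the live page is a cheap way to notice an injection before visitors do.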
By virtue of their popularity, music bands are almost a given as effective lures for social engineering. As was seen last November, pianist and singer Alicia Keys’ MySpace Web page was compromised: a background image injected into it redirected visitors to malicious sites supposedly located in China, where they were prompted to download a fake video codec that was actually a ZLOB Trojan.
Trend Micro strongly encourages you to update your pattern files regularly. Doing so protects you from both the latest and older malware threats.
Image courtesy of im-glowing.blogspot.com
Note from Paul Ferguson, Advanced Threats Research: We love The Hives. We just hate malware & cyber criminals.

