Whoa is my Jets, but not only the team, but one of their fansites, and several other unrelated Web sites, too.
It leads to a redirect in Estonia, which in turn leads to an exploit server in New York. Go figure.
Here is yet another example of criminals taking advantage of, and compromising popular Web sites to further their criminal activities.
There are several Web sites that we have detected which have the exact same embedded iFrame(s) that may surreptitiously download malware to a vulnerable computer, but this one stood out above all others — due to my devotion to the New York Jets, of course.
Ironically, they’re located in the United States, too.
A “new” server-side malware toolkit has surfaced called “FirePack”, which is a play on the wording of previous malware-service toolkits (e.g. MPack, IcePack).
And yes, the compromised sites actively exploit unwary visitors — or rather, they surreptitiously "pipe" malicious content to those visitors via the embedded iFrame.
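To make the iFrame injection concrete from the defender's side, here is an added example (not code from the original post, nor Trend Micro's detection logic) that scans a page's HTML for iframes with the hallmarks described above: a zero- or one-pixel box, CSS that hides it, or a `src` pointing off-site. The sample HTML and the `redirect-host.invalid` hostname are constructed for the example; the compromised host name is the one named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page on the compromised host with one legitimate,
# visible same-site iframe and one injected, hidden off-site iframe.
SAMPLE_HTML = """
<html><body>
<h1>Fan site</h1>
<iframe src="http://newyorkfanatic.com/scores" width="300" height="200"></iframe>
<p>Latest news...</p>
<iframe src="http://redirect-host.invalid/in.php" width=0 height=0
        style="display: none"></iframe>
</body></html>
"""

# CSS fragments that make an element invisible to the visitor.
HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser already lowercases attribute names; a bare attribute
            # (no value) arrives as None, so normalise it to "".
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def _hidden_style(style):
    """True if the inline style contains a display:none / visibility:hidden rule."""
    compact = style.replace(" ", "").lower()
    return any(token in compact for token in HIDDEN_STYLE_TOKENS)


def find_suspicious_iframes(html, page_host):
    """Return a list of {"src", "reasons"} for iframes that look injected.

    page_host is the hostname the HTML was fetched from; an iframe whose src
    names a different host is flagged as off-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname or ""
        if host and host.lower() != page_host.lower():
            reasons.append("off-site src: %s" % host)
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("near-zero size")
        if _hidden_style(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "newyorkfanatic.com"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against a page fetched from a site you administer, this flags the injected frame while leaving the legitimate same-site embed alone; a third-party widget that is legitimately hosted elsewhere will show up as "off-site src" only, so the combination of reasons is what matters when triaging.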
We’ll post more on FirePack later, but in the meantime, we’re taking measures to secure our customers against these threats.
In the meantime, don’t visit newyorkfanatic(dot)com.
More later — watch this space.
Updated: 4 January 2008, 19:30 PST
As promised, we’d like to provide a little more information on this nastiness.
Here’s a basic rundown of the infection chain, as depicted in the image above.
The FirePack kit also hosts a lot of exploits, which target specific vulnerabilities, including (but not limited to):
– Vulnerability in Microsoft XML Core Services Allows Remote Code Execution (MS06-071)
– Yahoo Webcam vulnerability
– Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (MS06-013)
– Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006)
– Vulnerability in Vector Markup Language Could Allow Remote Code Execution (MS07-004)
– Also, an Opera 0day 9.0-9.2 vulnerability released in October 2007!
If the visitor's system is vulnerable to any of the exploits FirePack carries, some very nasty malware is downloaded to (and executed on) that system. This malware creates one of the infamous NTOS.exe or WSNPOEM variants on the infected system — and these exist for one reason, and one reason only: information theft.
The most important point here is one I like to make whenever the occasion presents itself: it is exactly why we (Trend Micro) have stepped up our efforts and focus on Web Threat Protection (WTP).
At the time of initial exploitation, some of this new malware can be completely undetectable — and of course, the time needed to implement new detection for the malware itself can be anywhere from hours to days. With our WTP efforts, we can quickly identify threats on the Internet, classify them, and integrate them into our WTP databases, so that our customers are alerted when a Web site they are about to visit is dangerous.
Let’s be careful out there!
Paul “Fergie” Ferguson and Ivan Macalintal
Network Security Intelligence
Advanced Threats Research