We’ve seen malicious URLs ending in r.html, main.html, news.html, and about.html being spammed over the past several days. Now it’s changing to start.html and begin.html.
Visiting these start.html and begin.html Web sites redirects the browser to a site where WATCH.EXE is downloaded. From what I’ve seen so far, these sites are pushing the same binary. Trend Micro now detects it as TROJ_AGENT.AYZO.
What’s worrying about these *.html spam runs over the past several days is the increasing incidence of compromised Web sites used to host malicious content on a massive scale. These *.html pages and the .EXE payloads are all hosted on legitimate Web sites. It seems that malware distributors no longer have to register/buy domains and Web hosting services when they have this huge number of compromised Web sites to host their malware.
Shortly after this entry was posted, I was contacted by one Web hosting company’s network architect, who said that two of their customers’ Web sites were compromised and the files described in the blog post were found on the said sites. He said that the hackers were able to use the right FTP user name and password, and there was no evidence of a brute force attempt. What’s left to consider is that the machine (or network) that the said customer is using to manage the Web site is infected, and has some sort of keylogging/sniffing malware (especially for FTP passwords).
This was the first clue I got regarding this proliferation of compromised Web sites. It is known that FTP accounts are traded in underground forums, and there exist tools to automate file uploads with the right FTP credentials (FTP-Toolz comes to mind). It forms a really neat malware ecosystem.
Updates as of 22 July 2008, 11:00 AM PST
Trend Micro Escalation Engineer Edgardo Diaz also found a number of URLs, but this time ending with viewmovie.html, cennib.html and hot.html. Viewmovie.html redirects the user to a Web site that downloads codecinst.exe. Our engineers are currently analyzing the possibly malicious file. Meanwhile, the said malicious URLs are blocked to protect users from being infected.
Updates as of 26 July 2008, 10:23 AM PST
During the past few days, the Advanced Threats Research team has found other malicious .HTMLs: live.html (which redirects browsers to install_flash_player_update.exe, which Trend now detects as TROJ_RENOS.ADF) and just recently, topnews.html.
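The indicators in this post and its updates are plain filenames, which makes them easy to look for from the two vantage points the post describes: the hosting provider, who can check FTP transfer logs for uploads of these pages and payloads into a customer’s site (the stolen-credential scenario above), and the site owner, who can check web server access logs for a listed landing page being followed by an .EXE fetch from the same client. The script below is an added example, not Trend Micro’s tooling or anything from the post; it assumes a wu-ftpd/vsftpd-style xferlog layout and Apache combined-log format, and the log lines, account name `acme`, addresses and the 60-second chain window are constructed for the demo. Note the caveat in the post itself: the landing page and the .EXE are often on different compromised hosts, so the access-log check only catches chains where both land on the same server, while the FTP upload check does not depend on that.

```python
"""Detection helpers for the spam-run indicators described in the post.
Added example code, not Trend Micro's tooling. Log layouts (wu-ftpd/vsftpd
xferlog, Apache combined log) and every sample line are constructed."""
import os
import re
from datetime import datetime

# Filenames named in the post: spammed landing pages and the payloads they fetched.
SPAM_PAGES = {"r.html", "main.html", "news.html", "about.html", "start.html",
              "begin.html", "viewmovie.html", "cennib.html", "hot.html",
              "live.html", "topnews.html"}
PAYLOADS = {"watch.exe", "codecinst.exe", "install_flash_player_update.exe"}
CHAIN_WINDOW_SECONDS = 60  # max gap between landing-page hit and .exe fetch (assumed)

# Constructed xferlog sample: the hosting provider's view of an FTP upload session.
XFERLOG = """\
Mon Jul 21 23:58:41 2008 1 192.0.2.10 612 /home/acme/public_html/start.html a _ i r acme ftp 0 * c
Mon Jul 21 23:58:44 2008 3 192.0.2.10 48128 /home/acme/public_html/img/WATCH.EXE b _ i r acme ftp 0 * c
Tue Jul 22 08:10:02 2008 1 198.51.100.7 2048 /home/acme/public_html/index.html a _ i r acme ftp 0 * c
"""

# Constructed Apache combined-log sample: the web server's view of visiting browsers.
ACCESS_LOG = """\
203.0.113.5 - - [22/Jul/2008:11:02:14 -0700] "GET /start.html HTTP/1.1" 200 612 "-" "Mozilla/4.0"
203.0.113.5 - - [22/Jul/2008:11:02:16 -0700] "GET /img/WATCH.EXE HTTP/1.1" 200 48128 "-" "Mozilla/4.0"
203.0.113.9 - - [22/Jul/2008:11:05:00 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.9 - - [22/Jul/2008:11:07:30 -0700] "GET /img/WATCH.EXE HTTP/1.1" 200 48128 "-" "Mozilla/4.0"
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_indicator(filename):
    """True if the basename matches a landing page or payload named in the post."""
    name = os.path.basename(filename).lower()
    return name in SPAM_PAGES or name in PAYLOADS


def find_suspicious_ftp_uploads(xferlog_text):
    """Return incoming (direction 'i') transfers whose filename is an indicator.

    Assumed xferlog fields: 5 date tokens, transfer-time, remote-host, file-size,
    filename, transfer-type, special-action, direction, access-mode, username,
    service, auth-method, auth-uid, completion-status.
    """
    findings = []
    for line in xferlog_text.splitlines():
        tokens = line.split()
        if len(tokens) < 18:
            continue  # malformed record: skip rather than guess at fields
        direction, username, path = tokens[11], tokens[13], tokens[8]
        if direction == "i" and is_indicator(path):
            findings.append({"time": " ".join(tokens[:5]), "ip": tokens[6],
                             "user": username, "path": path})
    return findings


def find_redirect_chains(access_log_text):
    """Flag clients that fetch a listed landing page and then an .exe shortly after.

    Only sees chains where page and payload are on the same host; per the post
    the payload is often served from a second compromised site.
    """
    last_page = {}  # client ip -> (timestamp, landing page path)
    chains = []
    for line in access_log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        name = os.path.basename(path).lower()
        if name in SPAM_PAGES and status == "200":
            last_page[ip] = (when, path)
        elif name.endswith(".exe") and ip in last_page:
            page_time, page = last_page[ip]
            gap = (when - page_time).total_seconds()
            if 0 <= gap <= CHAIN_WINDOW_SECONDS:
                chains.append({"ip": ip, "page": page, "exe": path, "seconds": gap})
    return chains


if __name__ == "__main__":
    for f in find_suspicious_ftp_uploads(XFERLOG):
        print("FTP upload of indicator file:", f)
    for c in find_redirect_chains(ACCESS_LOG):
        print("Landing page -> payload chain:", c)
```

On the sample data the FTP check reports the `start.html` and `WATCH.EXE` uploads from 192.0.2.10 under the `acme` account and ignores the ordinary `index.html` upload; the access-log check reports only 203.0.113.5, whose `WATCH.EXE` fetch came two seconds after `start.html`, and not 203.0.113.9, which never requested a listed page. A hosting provider would feed real xferlogs in and treat any hit as a reason to reset that customer’s FTP password and have them check the machine they manage the site from, which is exactly the scenario the network architect described.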