TrendLabs Malware Blog - Trend Micro

Aside from Gumblar, another mass compromise of web sites has been seen in the wild lately, and it has raised as much concern as the former. It starts with the same technique: a malicious IFRAME, injected via JavaScript, is embedded in a legitimate web site without the site owner's knowledge. That IFRAME redirects to a second IFRAME, which in turn executes obfuscated JavaScript code.

Once decoded, the script tries to connect to URLs that download exploits for several vulnerabilities in order to gain access to the affected user's system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK, while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are downloaded, which Trend Micro detects as TROJ_MEDPINCH.B and TROJ_MEDPINCH.A.
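The two indicators described above, a hidden injected IFRAME on a legitimate page and an inline script that unpacks itself with eval/unescape/String.fromCharCode, are what a web administrator can look for in their own HTML. The scanner below is an added example written for this post, not Trend Micro's detection logic; the sample page, the `injected.example.invalid` host and the scoring thresholds are constructed for illustration and should be tuned against real pages before use.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from a real compromise): one legitimate
# embedded video iframe, one injected zero-size hidden iframe pointing at a
# placeholder host, and two inline scripts that decode themselves at runtime.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://videos.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="http://injected.example.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101));</script>
</body></html>"""

# Calls that legitimate page scripts rarely combine but unpackers almost always use.
SUSPECT_CALLS = ("eval(", "unescape(", "fromCharCode(", "document.write(")


def is_hidden_iframe(attrs):
    """True if an iframe is sized to be invisible or hidden via CSS.

    attrs is the list of (name, value) pairs HTMLParser hands to handle_starttag.
    """
    a = {k.lower(): (v or "") for k, v in attrs}
    for dim in ("width", "height"):
        if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
            return True
    style = a.get("style", "").replace(" ", "").lower()
    return "visibility:hidden" in style or "display:none" in style


def obfuscation_score(script):
    """Heuristic score for an inline script body; higher means more suspicious.

    +1 per suspect call present, +2 for a run of %XX escapes (unescape payload),
    +2 for a long comma-separated list of small integers (fromCharCode payload).
    """
    score = sum(1 for call in SUSPECT_CALLS if call in script)
    if len(re.findall(r"%[0-9a-fA-F]{2}", script)) >= 8:
        score += 2
    if re.search(r"(?:\d{2,3}\s*,\s*){5,}", script):
        score += 2
    return score


class InjectionScanner(HTMLParser):
    """Collects hidden iframe targets and suspicious inline scripts from a page."""

    def __init__(self, threshold=3):
        super().__init__()
        self.threshold = threshold
        self.hidden_iframes = []   # src values of hidden iframes
        self.suspect_scripts = []  # (score, first 80 chars of the script)
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and is_hidden_iframe(attrs):
            src = dict(attrs).get("src") or ""
            self.hidden_iframes.append(src)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies raw through handle_data.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            score = obfuscation_score(body)
            if score >= self.threshold:
                self.suspect_scripts.append((score, body[:80]))


def scan(html):
    """Return the hidden iframes and suspicious scripts found in an HTML string."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return {"hidden_iframes": parser.hidden_iframes,
            "suspect_scripts": parser.suspect_scripts}


if __name__ == "__main__":
    result = scan(SAMPLE_HTML)
    for src in result["hidden_iframes"]:
        print("hidden iframe ->", src)
    for score, snippet in result["suspect_scripts"]:
        print(f"suspect script (score {score}): {snippet}")
```

Run it over each HTML file a web server serves (or over a crawl of the site) and compare the hidden-iframe targets with domains you actually own; a zero-size IFRAME to an unfamiliar host is the injection this post describes, and the flagged script is the stage that pulls in the next IFRAME. The heuristics will also flag legitimate minified code that uses `eval`, so treat a hit as something to read, not as an automatic verdict.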

TROJ_MEDPINCH.B connects to other URLs to download the info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. TROJ_MEDPINCH.A, meanwhile, drops yet another info-stealer, TSPY_LDPINCH.ASG, which steals user names, passwords, and other account and installation information from the following applications:

    • INETCOMM Server
    • Microsoft Outlook
    • Mirabilis ICQ
    • Opera Software
    • The Bat!
    • Total Commander
    • Trillian

Though this compromise occurred within days of Gumblar's last attack, the Gumblar.{BLOCKED} domain does not appear anywhere in the code. This attack may be separate from Gumblar, or possibly inspired by it. The related URLs are already blocked by the Smart Protection Network, but users are strongly advised to patch their systems to minimize the chance of exploitation through the following updates:
© Copyright 2013 Trend Micro Inc. All rights reserved.