There’s no breathing easy when it comes to online security these days. As some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites.
Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program. In the past, some of these compromised sites were found to have been riddled with “phake pharma” and porn comment spam, while others were seen to be previously defaced by underground hackers. Advanced Threats Researcher Alice Decker have seen infections relating to this malicious script as early as February this year.
This compromise is almost similar to the mass compromises that we’ve seen earlier — visiting a compromised site leads to a series of redirections, which eventually causes the downloading of malware. In this case, TROJ_ZLOB.CCW is on the tail-end. In true ZLOB fashion, this variant poses as a video codec installer:
Sure, this one is not at all tricky, since we’ve seen our share of ZLOB variants posing as video codecs before. However, consider that this specific variant tries to lure users into installing the codec by presenting itself as being necessary to view porn:
Who wouldn’t want free porn? Unfortunately users expecting explicit videos will instead get a slew of Trojans detected as the following:
These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats.
Trend Micro Web Threat Protection already prevents access to the malicious URLs. And as always, users are advised to display extra caution when browsing Web sites, and ensure their security software is up to date.
Our researchers are continuing to investigate this case. We will be posting updates on this compromise as more information becomes available.
Consolidated findings of the Advanced Threats Research, Escalation, and Threat Respone teams at TrendLabs