
Late last week, Trend Micro Senior Threat Researcher Paul Ferguson reported a Web site compromised by a malicious JavaScript that links users to a known Graphics Device Interface (GDI) exploit.

You may recall that this critical exploit gives a remote attacker complete control over a vulnerable system once a specially crafted .EMF or .WMF image file is opened. The compromised site is the official Web site of the Tibetan government in exile.

Visitors to that site would unwittingly download an embedded malicious JavaScript:

  http://www.tibet.com/{BLOCKED}/tibet.js

A closer look at the script reveals that it contains iframe tags pointing to the following files, which host malware and the GDI exploit:

• http://ad.{BLOCKED}.googlepages.com/ad02.jpg – the GDI/WMF exploit file (served under a .jpg name), which Trend Micro detects as HTML_EXP.AZ
• http://ad.{BLOCKED}.googlepages.com/rm03.html – the obfuscated JS file, which is detected as HTML_EXP.AA
• http://ad.{BLOCKED}.googlepages.com/142.htm – the obfuscated Visual Basic (VB) script, which is detected as VBS_VBSWGBASE.BH

Trend Micro detects the JS file, tibet.js, as HTML_IFRAME.OB.
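As an added defender-side example (not code from the original post), the following Python script shows the two checks that catch this kind of compromise: flagging iframes on a fetched page that point off-site, and recognising a WMF/EMF metafile served under a .jpg name by its magic bytes rather than its extension. The hostnames and the HTML snippet are constructed placeholders, not the blocked URLs above.

```python
import re
from typing import List
from urllib.parse import urlparse

# Magic bytes from the WMF, EMF and JPEG format specifications.
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"                       # Aldus placeable WMF header
WMF_META_HEADERS = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")  # in-memory / disk METAHEADER
EMF_SIGNATURE, EMF_SIGNATURE_OFFSET = b" EMF", 40             # EMR_HEADER signature field
JPEG_MAGIC = b"\xff\xd8\xff"

def sniff_image_type(data: bytes) -> str:
    """Classify by content, ignoring whatever extension the URL claims."""
    if data.startswith(WMF_PLACEABLE_KEY) or data.startswith(WMF_META_HEADERS):
        return "wmf"
    if data[:4] == b"\x01\x00\x00\x00" and \
            data[EMF_SIGNATURE_OFFSET:EMF_SIGNATURE_OFFSET + 4] == EMF_SIGNATURE:
        return "emf"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def is_disguised_metafile(filename: str, data: bytes) -> bool:
    """True when a file with a non-metafile name (e.g. ad02.jpg) is really WMF/EMF."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return sniff_image_type(data) in ("wmf", "emf") and ext not in ("wmf", "emf")

IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

def offsite_iframes(html: str, page_host: str) -> List[str]:
    """Return iframe src URLs whose host differs from the page that embeds them."""
    hits = []
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).hostname      # None for relative (same-site) sources
        if host and host.lower() != page_host.lower():
            hits.append(src)
    return hits

# Constructed sample input: an injected snippet on a hypothetical www.example.org page
# and a fake "image" whose bytes carry only a placeable WMF header (no exploit content).
SAMPLE_HTML = """<script src="/tibet.js"></script>
<iframe src="http://ad.example.net/ad02.jpg" width="0" height="0"></iframe>
<iframe src='http://ad.example.net/rm03.html' style="display:none"></iframe>
<iframe src="/local/frame.html"></iframe>"""
SAMPLE_FAKE_JPG = WMF_PLACEABLE_KEY + b"\x00" * 18

if __name__ == "__main__":
    for src in offsite_iframes(SAMPLE_HTML, "www.example.org"):
        print("off-site iframe:", src)
    print("ad02.jpg is a disguised metafile:", is_disguised_metafile("ad02.jpg", SAMPLE_FAKE_JPG))
```

Hidden (zero-size or display:none) iframes to a host other than the page's own are the injection pattern described above; the byte-level check is what lets a proxy or scanner block the exploit file even though the URL ends in .jpg.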

Obviously, cyber criminals still find Tibet, China, and the Olympics to be hot-button issues. TrendLabs has documented a couple of such occurrences here and here.

One may take this as just another case of one party going head-to-head with an opposing party using malware. It is easy to point to hacktivists with political agendas, especially after news surfaced over the weekend that Chinese hackers were supposedly launching a distributed denial-of-service (DDoS) attack. The attack was meant as a protest against CNN coverage that was deemed “pro-Tibet,” but it never transpired. Anti-CNN.com, a Chinese Web site created solely for the purpose of exposing the Western news company’s “biases,” urged street protests in European countries.

Though no proof was established regarding the connection between the anti-CNN movement and the supposed hacking incident, a team that had been investigating Chinese hackers believed the online attacks were supposed to go hand in hand with the street protests. Think of it as a synchronized protest in the real and digital worlds. CNN has already released a statement regarding its Tibet coverage.

Chinese hackers did, however, manage to disrupt the SportsNetwork Web site, as reported here on TechCrunch.

Keep patches up to date to protect your systems from being exploited. At the same time, Trend Micro implores users to regularly update pattern files for improved system protection. Note that all related malicious Web sites are already blocked by the Content Security Team.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice