Trend Micro Research Project Manager Ivan Macalintal alerted TrendLabs about another string of Web site compromises, this time involving Web sites of various affiliations in several different countries. Affected sites include those of the Israel Humanitarian Foundation, the London-based Child Rights Information Network, the UK’s West Midlands Local Government Association, and AsiaObserver (a news portal covering the continent).

This discovery comes on the tail of the mass compromise of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curiously, some of the malicious URLs in this new set of compromises are the same as those seen in the first mass compromise.

The four sites — humanitarian, government, and news — were injected with the malicious JavaScript hxxp://www.{BLOCKED}igm.com/m.js, which is detected as JS_IFRAME.VA (as seen in the screenshot above). Once any of these four sites is accessed, the script redirects to two sites:

• http://{BLOCKED}and.cn/bao/p60.htm – detected as JS_REALPLAY.CU
• http://www.{BLOCKED}igm.com/index.htm – detected as HTML_IFRAME.VA

JS_REALPLAY.CU then leads to http://{BLOCKED}and.cn/14.htm, which is detected as VBS_SHELLCOD.EN. This script in turn leads to the following:

• http://{BLOCKED}and.cn/14.htm – JS_SHELLCOD.EL
• http://{BLOCKED}and.cn/real11.htm – JS_VEEMYFULL.AA
• http://{BLOCKED}and.cn/lz.htm – JS_DLOADER.AP
• http://{BLOCKED}and.cn/bfyy.htm – JS_DLOADER.GXS

All four of these then lead to the download and execution of http://{BLOCKED}gol.com/xx.exe, which is detected as BKDR_HUPIGON.CFV.

HTML_IFRAME.VA, meanwhile, leads to the following:

• http://www.{BLOCKED}igm.com/14.htm – detected as JS_SHELLCOD.EL
• http://www.{BLOCKED}igm.com/real.htm – detected as JS_SHELLCOD.EM
• http://www.{BLOCKED}igm.com/04.htm – detected as JS_DLOADER.WBO

All three of these lead to the download and execution of http://www.{BLOCKED}igm.com/bak.exe, which is detected as TROJ_AGENT.AAPK.

Trend Micro Advanced Threats Researcher Paul Ferguson has already contacted the responsible organizations and the relevant CERTs/CSIRTs covering the affected areas. Note that this practice is mostly a matter of courtesy to the owners of the affected sites, so that unsuspecting users are protected from infection when visiting these sites. But as always, Web site administrators are ultimately responsible for the browsing security of the users who visit their sites.
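One simple integrity check a site administrator can run for the kind of injection described above, added here as an example and not part of the original post: it parses a page and reports every script or iframe whose src points at a host outside the site's own allowlist. The sample page and its domains are constructed placeholders, not the real indicators from the compromise.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefScanner(HTMLParser):
    """Collects <script src> and <iframe src> references to non-allowlisted hosts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).hostname
        if host is None:  # relative reference: served from the site itself
            return
        if host.lower() not in self.allowed:
            self.findings.append((tag, src))


def find_injected_references(html, allowed_hosts):
    """Return [(tag, src), ...] for external script/iframe sources not in allowed_hosts."""
    scanner = ExternalRefScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with one injected external script and
# one injected zero-size iframe, the same pattern the compromise used.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.org/jquery.js"></script>
<script src="http://injected-placeholder.invalid/m.js"></script>
</head><body>
<iframe src="http://injected-placeholder.invalid/index.htm" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_injected_references(SAMPLE_PAGE, ["cdn.example.org"]):
        print(f"unexpected external {tag}: {src}")
```

Run it against a freshly fetched copy of each page and diff the findings against a known-good baseline; a new off-domain script or hidden iframe is exactly what the injected m.js and index.htm references above would look like.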

Updated by Mayee Corpin (Technical Communications)