Udiya Northern Thailand Tours Site Feels the PINCH
February 1st, 2008 by Joseph Pacamarra (Threats Analyst)
Research Project Manager Ivan Macalintal discovered a few hours ago that a Thailand-based tourism and travel site appears to have been compromised to serve malware. This discovery follows closely on the heels of the Thai Royal Air Force site compromise just a week ago.
Looking at the season, summer holidays are coming up soon in Asia and Bangkok is a strong contender for being the most popular Asian tourist spot. Malware authors may therefore be counting on this to drive traffic to the hacked site.
Clicking the link on the landing page of the Udiya Tour of Northern Thailand Web site redirects the user’s browser to a certain URL, which in turn redirects to yet another URL that contains multiple browser exploits, ultimately leading to the download of a file named UPDATE.EXE. The said file is a variant of the LDPINCH family, which is known for its information theft routines.
Upon analysis, it was found that several of the pages from the same site have been compromised, including the site’s contact, reservation and package details pages. Macalintal describes the said pages as “full of highly-obfuscated JavaScript badness, injected and scattered all over, just before and after the HTML, some META and TITLE tags.”
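A defender-side check for the injection pattern described above, as an added example that is not from the original post: it scans a saved HTML page for inline scripts placed outside the HTML element or using common decoding calls, and notes when a TITLE or META tag sits nearby. The sample page and the list of obfuscation hints are constructed for this example, not taken from the compromised site.

```python
import re

# Constructed sample page (not a capture of the real site): script blocks
# injected before <html>, beside <title>/<meta>, and after </html>, the
# placement the post describes, plus one ordinary script that should pass.
SAMPLE_HTML = """<script>document.write(unescape('%3C%69%66%72%61%6D%65'))</script>
<html>
<head>
<title>Udiya Tour of Northern Thailand</title>
<script>eval(String.fromCharCode(118,97,114,32,120,61,49))</script>
<meta name="description" content="Northern Thailand tours">
</head>
<body>
<script src="/js/menu.js"></script>
</body>
</html>
<script>var p='%3c%69';eval(p)</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HEAD_TAG_RE = re.compile(r"<(?:title|meta)\b", re.I)
# Decoding/execution calls that obfuscated injections commonly lean on
# (heuristic list chosen for this example, not an exhaustive signature).
OBFUSCATION_HINTS = ("eval(", "unescape(", "fromCharCode", "document.write(")


def scan_injected_scripts(html, window=120):
    """Flag inline <script> blocks that sit outside <html>...</html> or use
    obfuscation calls; note whether <title>/<meta> is within `window` chars."""
    html_open = re.search(r"<html\b", html, re.I)
    html_close = re.search(r"</html\s*>", html, re.I)
    open_at = html_open.start() if html_open else 0
    close_at = html_close.end() if html_close else len(html)
    findings = []
    for m in SCRIPT_RE.finditer(html):
        pos, body = m.start(), m.group(1)
        hints = [h for h in OBFUSCATION_HINTS if h in body]
        if pos < open_at:
            placement = "before <html>"
        elif pos >= close_at:
            placement = "after </html>"
        else:
            placement = "inside document"
        if placement == "inside document" and not hints:
            continue  # ordinary script in an ordinary place
        nearby = html[max(0, pos - window):m.end() + window]
        findings.append({"offset": pos, "placement": placement,
                         "near_head_tag": bool(HEAD_TAG_RE.search(nearby)),
                         "hints": hints})
    return findings
```

Running it over each saved page of a site gives a quick triage list of script blocks worth a closer look; the legitimate `/js/menu.js` include in the sample is not reported.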

Trend Micro users with updated patches are protected from this threat. We already detect this malware as TSPY_LDPINCH.FE using pattern file number 4.974.05.
Thanks to Network Architect Paul Ferguson for contacting ThaiCERT about this site compromise.
