Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2012
    S M T W T F S
    « Apr    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
    • About Us
    Malware Blog > Web Threat Enters the “Final Frontier”

    Science Fiction becomes Web Threat Reality!

    TrendLabs received reports of a scifi book review site that has been compromised to contain an IFRAME tag that redirects users to a site with a chock-full of baddies. Trend Micro already detects the malicious HTML script within this site as HTML_IFRAME.HD.

    HTML_IFRAME-HD.gif

    The Web site that the IFRAME redirects the users to has the usual 404 launchpad leading to 9 more IFRAME installs, as follows:


    <iframe src=http://extracare.trendmicro-europe.com/tm/core/global/images/diary/1d07e30e9014f5a647246d5fccde5369_n1404-1.htm width=1 height=1></iframe>

    :

    :

    <iframe src=http://extracare.trendmicro-europe.com/tm/core/global/images/diary/1d07e30e9014f5a647246d5fccde5369_n1404-9.htm width=1 height=1></iframe>



    This is evidently the doing of the 404 Web Threat Kit, pretty much in the line of MPACK, Icepack, a.s.o. The new thing about this code is that it is now using the string n1404-x as the format of further IFRAME downloads instead of the usual n404-x probably with the motive of bypassing filters that detect previous 404 attacks (see The 404 Story and More Russian Uprising). It is also notable that the 2 main parts of the obfuscated JavaScript found in the 404 pages are now divided into segments, unlike before.

    Just like the old 404 kit, it also installs its own VERS.PHP, which Trend Micro detects as TROJ_DELF.KEL. This file then downloads various other trojans, downloaders and spyware programs which include but are not limited to the following:


    • TROJ_SMALL.HIR
    • TROJ_XORPIX.CD
    • TROJ_SPAMBOT.B
    • TROJ_AGENT.WNQ
    • TROJ_XPACK.CV
    • JS_PSYME.AUE
    • TROJ_AGENT.ZRQ
    • TROJ_SMALL.ILF
    • TROJ_ADLOAD.VM
    • TROJ_AGENT.ZSG
    • TROJ_BHO.MY
    • TSPY_LDPINCH.AZS
    • TSPY_AGENT.AAWC




    This is just a partial list of the files the whole threat downloads. Far from being in the final frontier of this web threat, there are indeed more files that are maliciously installed. Ultimately, however, all these malicious binaries and scripts conspire to Download, Install, and Execute an information stealer in the affected systems. Stolen information will then be used for further nefarious deeds. And all these just for simply visiting one website.

    Never fear though. TrendLabs is continuously monitoring these kinds of Web sites to ensure that customers will be protected from these threats.

    Data provided by Trend Senior Threat Researcher Ivan Macalintal.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Saturday, September 15th, 2007 at 2:57 am and is filed under Uncategorized . Both comments and pings are currently closed.



    Comments are closed.



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice