Yet Another Thai Site Compromised by EU Malware Authors
March 9th, 2008 by Joseph Pacamarra (Threats Analyst)

Research Project Manager Ivan Macalintal reported a few hours ago that another Thailand-based Web hosting site appears to have been compromised to serve malware.
The APAC-Regional TrendLabs team immediately probed and analyzed the attack layout for the ill-fated www.ictbannok.com, and we identified a tricky injection, which was prematurely implemented.
Based on our analysis, the main site was just about to be heavily laden with scripts when it was first reported. Going further, since it looked like a dead end when we tried a different avenue, and since the main page itself was just like a site with a script gone bad, we found this:
|
http://www.ictbannok.com /*
(Cloaking with a 404 error still heavily laden with an encrypted script, which leads to)
|
hxxp://www.ictbannok.com.96fad701b73f1f53.2traff.cn/traff2.cn/
|
Host Location Estonia
|
Host Location European Union
[Russian Federation]
|
The following malicious files are set to drop at this point, namely
TROJ_SHEUR.DZJ and TROJ_INJECT.IS
|
Host Location Ukraine
|
TSPY_LDPINCH.JR
These tiers were brought down 20 minutes or less after the probing was done. That was too late for the authors of the attack: their tracks were traced back, pinpointing the actual file that they were hoping to implement using obfuscation and an iFrame as a drop-off point.
With coordinated effort from APAC-RTL, spearheaded by Oscar R., the Trend Micro Thailand Office, by Wan K., and Kitisak J. of ThaiCert, the ictbannok.com site administrator was advised about the incident and had the site cleaned in no time. Now it's back to its regular business.
Trend Micro has detected these files since the release of malware control patch number 5.144.05, using scan engine 8.5001002 or later.
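
The chain traced above gives a defender two things to look for in proxy or crawl data: an error response that carries an escaped script, and a redirect host that uses the compromised site's full hostname as its leading labels. The following is an added example, not TrendLabs code; the function names, the escape-count threshold and the sample records are constructed for illustration.

```python
import re

# Escape sequences typical of an encoded script body (threshold below is an assumption).
ESCAPES = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def embedded_site(requested_host, protected_sites):
    """Return the protected site whose full hostname forms the leading labels
    of a different host (site.tld.<token>.other.tld), else None."""
    host = requested_host.lower().rstrip(".")
    for site in protected_sites:
        site = site.lower()
        if host != site and host.startswith(site + "."):
            return site
    return None

def cloaked_error_page(status, body, min_escapes=8):
    """True when an error response contains a script made largely of escapes."""
    if status < 400:
        return False
    return any(len(ESCAPES.findall(code)) >= min_escapes
               for code in SCRIPT.findall(body))

def triage(records, protected_sites):
    """records: iterable of (status, requested_host, body) tuples."""
    findings = []
    for status, host, body in records:
        site = embedded_site(host, protected_sites)
        if site:
            findings.append(("victim-host-embedded", host, site))
        if cloaked_error_page(status, body):
            findings.append(("script-in-error-page", host, status))
    return findings

# Constructed sample records; the escaped script decodes to harmless text.
SAMPLE = [
    (200, "www.ictbannok.com", "<html><body>home</body></html>"),
    (404, "www.ictbannok.com",
     '<h1>Not Found</h1><script>document.write(unescape('
     '"%3C%70%3E%73%61%6D%70%6C%65%3C%2F%70%3E"))</script>'),
    (200, "www.ictbannok.com.96fad701b73f1f53.2traff.cn", ""),
    (404, "www.example.org", "<h1>Not Found</h1><script>var a = 1;</script>"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, ["www.ictbannok.com"]):
        print(finding)
```

An ordinary 404 page with a small plain script, like the last sample record, is not flagged; only the escaped script and the host that embeds the site's name are.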

