The purpose of embassies as a diplomatic channel is continuously being tainted by cybercriminals. Initially reported by researcher Dancho Danchev in his blog, the Indian Embassy in Spain was found serving malware through an injected malicious iFrame.
The said malicious injected iFrame leads to a file detected by Trend Micro as BKDR_TDSS.CG. Trend Micro researchers are currently analyzing file to identify its routines.
Investigations by Trend Micro researchers also reveal that aside from the malicious iFrame, a different and large amount of code was also inserted into the website of the said embassy. Numerous <div> tags were found in the site, with headers containing links to various websites. The said headers are hidden from unknowing visitors, though, since the code is set where the size of the header is too small to be visible.
Figure 1. Screenshot of code found inserted into the Indian Embassy website
Further analysis also suggests that the Indian Embassy website isn’t the only one injected with the codes, pointing to the possibility of a massive and global code injection attack. The set of injected codes was also reported to change from time to time.
Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharma information. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.
Figure 2. Inserted pharma blog entries in one of the compromised websites
Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr. suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.
Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.
Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other dll files and an updated copy of TDSSserv.sys, load certain modules from the dll files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files from the download URLs are not the same every time, this backdoor does keep accessing from the list of URLs even after completing its routine–so it may eventually get to access all URLs (except of course the currently inaccessible ones) it needs to achieve all mentioned functionalities.