Adobe Redirects Surfers To Malware Installing Malicious Sites
SophosLabs discovered last week that Adobe is hosting a web page that redirects unsuspecting visitors to websites that attempt to install malware on vulnerable machines. The company was informed of the problem on Friday, but six days later, it still hasn’t been fixed.
The infection, which resides at www.seriousmagic.com/help/tuts/tutorials.cfm?p=1, instructs users' browsers to silently install a malicious file from a series of domains known to host attack sites. Adobe announced its acquisition of Serious Magic two years ago, and whois records indicate the company is the owner of the seriousmagic.com domain:
seriousmagic.com
66.240.157.68
Adobe Systems Incorporated
345 Park Avenue
San Jose, CA 95110
US
Admin, DNS [email protected]
345 Park Avenue
San Jose, CA 95110
US
+1.4085366000
ADOBE-DNS.ADOBE.COM
ADOBE-DNS-3.ADOBE.COM
ADOBE-DNS-2.ADOBE.COM
Adobe was notified of the infected page on Friday. Currently, the link is still trying to redirect users to a series of malicious sites including abc.verynx.cn/w.js and 1.verynx.cn/w.js. While those links no longer appeared to be active, two other sites used in the attack, jjmaobuduo.3322.org/csrss/w.js and www2.s800qn.cn/csrss/new.htm, were still active. Do NOT visit those links as they might infect your computer.
The sites are associated with malware that spreads by infecting legitimate sites using SQL injections. Such attacks take advantage of web developers who write SQL database applications that accept user-supplied data without inspecting it for malicious characters. They work across a broad array of web applications.
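A defender-side check for the symptom described above, as an added example that is not from the original article: it lists script, frame and object loads in a page's HTML that come from hosts other than the site's own host or an allowlist. The function names, the allowlist and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose listed attribute makes the browser fetch remote content on load.
LOADING_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data"}

class _RefCollector(HTMLParser):
    """Collects (tag, raw attribute value) for every loading tag in a page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        wanted = LOADING_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.refs.append((tag, value.strip()))

def offsite_loads(page_url, html, allowed_hosts=()):
    """Return sorted (tag, absolute_url) pairs loaded from hosts that are
    neither the page's own host nor on the allowlist."""
    allowed = {h.lower() for h in allowed_hosts} | {urlsplit(page_url).hostname}
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    findings = set()
    for tag, ref in collector.refs:
        absolute = urljoin(page_url, ref)  # resolves /path and //host/path forms
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and parts.hostname not in allowed:
            findings.add((tag, absolute))
    return sorted(findings)

# Constructed sample: invented markup, not the real page's content. The hosts
# under .example are placeholders; static.cdn.example stands for a known CDN.
SAMPLE_URL = "http://www.seriousmagic.com/help/tuts/tutorials.cfm?p=1"
SAMPLE_HTML = """<html><head><script src="/js/menu.js"></script>
<script src="http://static.cdn.example/lib.js"></script></head><body>
<td>Intro video<SCRIPT SRC=http://injected.example/w.js></SCRIPT></td>
<td>Part 2<script src="//injected.example/w.js"></script></td>
<iframe src="http://other.example/new.htm" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in offsite_loads(SAMPLE_URL, SAMPLE_HTML, {"static.cdn.example"}):
        print(f"off-site <{tag}> load: {url}")
```

Run against rendered pages or against text columns exported from the database, this gives a quick list of references to review; it does not replace fixing the query code that accepted the unchecked input.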
With Fortune 1000 companies such as Adobe punting malicious links, it’s no wonder security experts estimate that more than half of the websites hosting malware were legitimate destinations that had been hacked. Sensitive government websites on both sides of the Atlantic have also been commandeered over the past year.
Sophos has been trying to contact Adobe since Friday to advise them of the problem, and as yet has had no response.
October 17th, 2008 at 8:03 am
I notified NetIQ about a similar problem on their website at this address: https://www.netiq.com/f/form/form.asp?id=2204
It attempts to install malware from http://www.killpp.cn. As of right now, this malicious link is still active on that page.
October 30th, 2008 at 1:13 am
Protect your computer.
If you are like me then you have probably tried many different types of scans to try and protect your computer. There are many different options available but I have found that most of them pick up the same bugs whether you pay for the scan or download a free version. Search-and-destroy (http://www.search-and-destroy.com) is one of the best that I have found so far and it costs less than many of the other well-known scans on the market today. If you are searching for a good scan I suggest that you check out the antispyware solution from Search-and-destroy.