July 3rd, 2009
Infected With Gumblar Malware, Users Redirected From Language Option Page

Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a potentially harmful URL that redirects users from the Best Buy domain site. Users who visit, as it turns out, are redirected to the URL http://pics. hardcore/?23c4f60c1b9f604d6ffb21cba599301f (do not visit). The compromised page in the domain is the landing page where visitors choose the language to use as they browse the site. Threat Research Manager Ivan Macalintal further identified that a GEO-IP check happens before the landing page is displayed.

“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘Choose English or Spanish’ page—and then bingo!” Macalintal says.

The source code of the landing page shows a garbled block of code at the bottom of the script, a clear sign of code obfuscation. Beneath three layers of obfuscation, an iframe redirects the user to a Luckysploit-laden site. The Luckysploit web exploit kit and the obfuscation seen are reminiscent of those found in Gumblar.
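For site owners checking their own pages for the pattern described above, here is a small heuristic scanner. It is an added example, not code from Trend Micro or the original post. The 0.3 threshold, the decoder list and the sample page are assumptions built for illustration, and the scanner only sees the outermost layer of a multi-layer obfuscation.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
ENCODED_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")


def inspect_script(body):
    """Return the list of obfuscation indicators seen in one inline script."""
    compact = re.sub(r"\s+", "", body)
    if not compact:
        return []
    reasons = []
    # Share of the script made up of %xx, \xNN or \uNNNN escapes (assumed threshold).
    encoded_chars = sum(len(m) for m in ENCODED_RE.findall(compact))
    if encoded_chars / len(compact) > 0.3:
        reasons.append("escape-encoded body")
    decoders = [d for d in DECODERS if d in compact]
    if decoders:
        reasons.append("decoder calls: " + ", ".join(decoders))
    return reasons


def find_suspicious_scripts(html):
    """Flag inline scripts that pair encoded data with a call that decodes it."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        reasons = inspect_script(match.group(1))
        if len(reasons) == 2:  # encoded data AND a decoder in the same block
            findings.append({
                "offset": match.start(),
                "position": round(match.start() / len(html), 2),
                "reasons": reasons,
            })
    return findings


# Constructed sample page: one ordinary script, plus a block appended at the
# bottom whose encoded string is harmless placeholder text.
PLACEHOLDER = "".join("%%%02x" % ord(c) for c in "constructed placeholder, not a payload")
SAMPLE_PAGE = (
    "<html><head><script>function setLang(l){document.cookie='lang='+l;}</script></head>"
    "<body><a href='/en'>English</a> <a href='/es'>Espanol</a></body></html>\n"
    "<script>document.write(unescape('" + PLACEHOLDER + "'));</script>"
)

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_PAGE):
        print(finding)
```

A hit whose offset falls after the closing `</html>` tag, as in the sample, matches the "garbled code at the bottom" symptom and is worth comparing against the last known-good copy of the page.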

The WHOIS information for the .CN site states that it was created only on June 4, 2009, by the same old criminals. Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again.

Best Buy has been informed of the said URL redirections and is resolving the matter.

Credit: TrendLabs/Trend Micro
