Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 6th, 2008

CNET Sites Under IFRAME Attack

IFRAME campaign targeting several more CNET Networks web properties besides ZDNet Asia, namely,, and In the time of posting this, no other CNET sites are involved in the campaign, including ZDNet’s international sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. Three more sites part of CNET Networks’ portfolio, getting injected with more IFRAMEs, abusing their search engine’s local caching, and storing of any keyword feature, in a combination with a loadable IFRAME. Over 51,900 pages at continue to be indexed by search engines. ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs used in this IFRAME campaign, including two new domains introduced have been injected, and are loading at, and, again pushing the fake “XP AntiVirus”, “Spyshredderscanner” and another fake codec called “MediaTubeCodec.exe”, hosted and distributed under two new domains.

Sites that are currently targeted:
ZDNet Asia – currently has around 52,000 injected pages. – 51,000 locally hosted IFRAME injected pages. – 167 locally hosted pages, injection is ongoing. – currently around 10 pages, the campaign is ongoing.

Domains and IPs that are behind the IFRAMEs: ( ( (

Malware hosts: ( ( ( ( ( ( ( ( ( ( ( ( (

Only two pieces of malware currently served, XP AntiVirus 2008 and a fake codec.
What’s important to note is that this is the current state of the campaign, and with the huge number of IFRAME-ed pages in such a way, targeted attacks on a per keyword basis are possible, and since they ensure you’re served on the basis of where you’re coming from, things might change pretty fast. These domains above are the ones that follow after IFRAME redirects for all the campaigns currently detected.

Malware files: – 11% Scanners (4/36) found malware at 2008/03/06 16:38:39 (EET). File Size : 85520 byte, MD5 : 25708e1168e0e5dae87851ec24c6e9f7, SHA1 : 33b502b13cab7a34bb959d363ae4b7afd23919a6. Detected as:
AVG – I-Worm/Nuwar.P
Fortinet – Suspicious
Quick Heal – Suspicious – DNAScan tries to connect to; and, in between listening on local port 1034. The downloader tries to drop Adware.Agent.BN – “Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer.” and RogueAntiSpyware.AntiVirusPro – “RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent.”

Spyshredderscanner.exe – 42% Scanner(15/36) found malware at 2008/03/06 17:02:23 (EET). File Size : 33224 byte, MD5 : bc232dbd6b75cc020af1fcf7cee5f018, SHA1 : fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f, detected as Win32.FraudTool.SpyShredder and Downloader.MisleadApp.
Opening local port 1034 and tries to connect to, ATRIVO = RBN’s well known netblock.

Share this item with others:

More on CyberInsecure:
  • Malicious Javascript Code In Another CNET Networks Website
  • Software Offered By CNET Bundled With Trojans, Spread Through
  • Subdomain Compromised, Installing Malware On Visitors PC’s
  • Significant Number Of WordPress Websites Compromised, IFrame Used For Affiliate Scheme
  • Massive IFRAME Search Results Attack

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: CNET Sites Under IFRAME Attack

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.