CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 6th, 2008

CNET Sites Under IFRAME Attack

The IFRAME campaign is now targeting several more CNET Networks web properties besides ZDNet Asia, namely TV.com, News.com and MySimon.com. At the time of posting, no other CNET sites are involved in the campaign, including ZDNet’s international sites such as ZDNet India, ZDNet U.K. and ZDNet Australia; only the sites named above are affected. The three additional sites in CNET Networks’ portfolio are being injected with more IFRAMEs through the same technique: their site search locally caches and stores any keyword submitted to it, so a keyword containing a loadable IFRAME ends up in a stored page. Over 51,900 pages at zdnetasia.com continue to be indexed by search engines. ZDNet Asia has taken care of the IFRAME issue, so that such injection is no longer possible there. However, the same IPs used in this IFRAME campaign, along with two newly introduced domains, have been injected into and are loading at TV.com, News.com and MySimon.com, again pushing the fake “XP AntiVirus”, “Spyshredderscanner” and another fake codec called “MediaTubeCodec.exe”, hosted and distributed under two new domains.

Sites that are currently targeted:
ZDNet Asia – currently has around 52,000 injected pages.
TV.com – 51,000 locally hosted IFRAME injected pages.
News.com – 167 locally hosted pages, injection is ongoing.
MySimon.com – currently around 10 pages, the campaign is ongoing.
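As an added example, not code from the original report, the following Python shows the mechanism described above from the defender's side: a search page that echoes the keyword verbatim into its cached HTML (the pattern the campaign abused) beside the escaped form that keeps injected tags inert, plus a scanner that flags iframes loading from off-site or listed hosts. All host names and the sample keyword are constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder set; in practice this holds the campaign's listed IFRAME hosts.
SUSPECT_HOSTS = {"bad.example", "redirect.example"}


class IframeFinder(HTMLParser):
    """Collect the src attribute of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def injected_iframes(page_html, own_host):
    """Return iframe src values that load from another host or a listed suspect host.
    Relative and same-host frames are treated as legitimate site content."""
    finder = IframeFinder()
    finder.feed(page_html)
    hits = []
    for src in finder.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and (host != own_host or host in SUSPECT_HOSTS):
            hits.append(src)
    return hits


def render_search_page_unsafe(keyword):
    """The pattern abused here: the keyword is echoed verbatim into the cached page,
    so a keyword containing an <iframe> tag becomes live markup."""
    return f"<h1>Results for: {keyword}</h1>"


def render_search_page(keyword):
    """Hardened form: HTML-escape the keyword, so any tags stay inert text."""
    return f"<h1>Results for: {html.escape(keyword, quote=True)}</h1>"


if __name__ == "__main__":
    # Constructed sample keyword carrying a frame that points at a placeholder host.
    keyword = '<iframe src="http://bad.example/in.cgi"></iframe>'
    print(injected_iframes(render_search_page_unsafe(keyword), "search.example"))
    print(injected_iframes(render_search_page(keyword), "search.example"))
```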

Domains and IPs that are behind the IFRAMEs:

Malware hosts:

Only two pieces of malware are currently being served: XP AntiVirus 2008 and a fake codec.
It is important to note that this is only the current state of the campaign. With such a huge number of IFRAME-ed pages, targeted attacks on a per-keyword basis are possible, and since the operators serve content based on where the visitor is coming from, things might change pretty fast. The domains above are the ones that follow after the IFRAME redirects for all the campaigns currently detected.

Malware files:
MediaTubeCodec.com – 11% of scanners (4/36) found malware at 2008/03/06 16:38:39 (EET). File size: 85520 bytes, MD5: 25708e1168e0e5dae87851ec24c6e9f7, SHA1: 33b502b13cab7a34bb959d363ae4b7afd23919a6. Detected as:
AVG – I-Worm/Nuwar.P
Fortinet – Suspicious
Prevx – TROJAN.DOWNLOADER.GEN
Quick Heal – Suspicious – DNAScan

MediaTubeCodec.com tries to connect to websoftcodecdriver.com, websoftcodecdriver2.com and 77.91.227.179, while listening on local port 1034. The downloader tries to drop Adware.Agent.BN – “Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a run key to run at startup, and also modifies Windows system configuration in order to download more malware onto the infected computer.” – and RogueAntiSpyware.AntiVirusPro – “RogueAntiSpyware.AntiVirusPro is a rogue anti-spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the user’s consent.”

Spyshredderscanner.exe – 42% of scanners (15/36) found malware at 2008/03/06 17:02:23 (EET). File size: 33224 bytes, MD5: bc232dbd6b75cc020af1fcf7cee5f018, SHA1: fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f. Detected as Win32.FraudTool.SpyShredder and Downloader.MisleadApp.
It opens local port 1034 and tries to connect to 69.50.168.51, in ATRIVO, the RBN’s well-known netblock.
