Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Malware pushed via iframe injection on Cnet related sites

 
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Thu Mar 06, 2008 3:07 pm    Post subject: Malware pushed via iframe injection on Cnet related sites

Our favourite Eastern European cybercrime gang, usually hiding in the Intercage/Esthost vaults or posing as Turkish fake ISPs, has figured out a way to abuse an iframe implementation found on Cnet-related sites to replace the original target with malware forwarders. And thus, someone visiting these sites will be cordially greeted with fake video codecs, rogue JavaScript prompts and all the crud usually associated with Russian/Ukrainian malware bidniz.

It all started with the Cnet Asia site:
http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html
http://ddanchev.blogspot.com/2008/03/rogue-rbn-software-pushed-through.html

The iframe issue on Cnet Asia was finally fixed; however, the spammers moved on to the associated sites that still have the same vulnerability:
http://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
olliver

Posted: Mon Mar 10, 2008 1:42 pm

The saga continues with a couple of new targets:
http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html

Olliver
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Wed Mar 12, 2008 10:12 am

thx for this info!!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
olliver

Posted: Wed Mar 12, 2008 10:40 am

wawadave wrote:
thx for this info!!

You're welcome. However, I'm just the messenger and all praises should be directed to Dancho Danchev for his research, rather than me ;).
Speaking of it, our favourite Eastern European malware gangs have found even more vulnerable high PR sites and are currently using them for pushing a new Zlob variant:
http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html

Olliver
datababe
Warrior


Joined: 13 Dec 2004
Last Visit: 10 Oct 2012
Posts: 217
Location: Inside your head

Posted: Tue Mar 18, 2008 11:42 am

Well, I guess it was kind of a given RBN wouldn't stay down for long.

http://arstechnica.com/news.ars/post/20080318-ongoing-iframe-attack-proving-difficult-to-kill.html

Quote:
The rapidity of the payload shifts is explained by the economic nature of the RBN.

Yep - where there's a fast buck to be made, greed won't give up the chase easily. :roll:

I think I'll go see if any more high risk investment firms are about to tank. :P
_________________
- Datababe
Until you spread your wings, you'll have no idea how far you can walk.
http://redoakranch.x10hosting.com
http://datababe007.blogspot.com