It's just not safe out there anymore...
Last week's massive IFRAME injection attack is slowly turning into what looks like a large-scale web application vulnerability audit of high-profile sites. Following the timely news coverage, Symantec's rating of the attack as medium risk, StopBadware's commentary on XP Antivirus 2008, and the US-CERT warning about the incident, another week of monitoring the campaign, the latest malware it serves and the sites it targets shows that it is still up and running, poisoning what looks like over a million search queries with loadable IFRAMEs. Whether those IFRAMEs actually load depends entirely on each site's web application security practices, or the lack of them.
What has changed since last time? The number and importance of the injected sites has grown; Google appears to be filtering the search results, trying to undermine the campaign even though the malicious parties may already have injected the IFRAMEs successfully; new malware and fake codecs are being introduced under new domain names; and a couple of new domains have appeared within the IFRAMEs themselves.
Keep It Simple, Stupid for the sake of efficiency is what makes the campaign relatively easy to track, once you understand the importance of hot leads and real-time assessments that lay the foundation for someone else's upcoming piece of the puzzle, in an OSINT manner. The main IPs within the IFRAMEs, acting as redirection points to the newly introduced rogue software and malware, remain the same and are still active. The very latest high-profile sites successfully injected with IFRAMEs forwarding to the rogue security software and Zlob malware variants:
USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.
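The post attributes the injections to the sites' own web application security practices: a search page that echoes the query back into the HTML lets an attacker craft a search URL whose "term" is a hidden IFRAME, and once that URL is indexed the poisoned result serves the IFRAME to everyone who clicks it. The following is an added example, not code from the post or from any of the sites named above; the site name, the IFRAME target and the search parameter name `q` are assumptions. It shows the vulnerable reflection beside the escaped version, and a small triage check for request URLs carrying injected markup.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL (hypothetical site and IFRAME target, not hosts from the post):
# the search term itself carries a hidden IFRAME, exactly the kind of input a
# search page must never echo back unescaped.
ATTACK_URL = (
    "http://news.example/search?q=%3Ciframe+src%3D%22http%3A%2F%2Fattacker.invalid"
    "%2Fin.php%22+width%3D0+height%3D0%3E%3C%2Fiframe%3E"
)
BENIGN_URL = "http://news.example/search?q=antivirus+2008+review"


def search_term(url: str) -> str:
    """Return the decoded ``q`` parameter of a search URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_results_vulnerable(term: str) -> str:
    """Echo the raw term into the page: any markup in it becomes live HTML."""
    return f"<h1>Results for {term}</h1>"


def render_results_fixed(term: str) -> str:
    """HTML-escape the term first: the browser shows the text and never parses a tag."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def has_live_iframe(page: str) -> bool:
    """True if the rendered page contains an actual <iframe ...> start tag."""
    return re.search(r"<iframe\b", page, re.IGNORECASE) is not None


# Tag-like markup inside a *decoded* search term is a strong server-side signal of an
# injection attempt; useful for scanning access logs or as a WAF rule.
INJECTION_RE = re.compile(r"<\s*/?\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def looks_injected(url: str) -> bool:
    """Flag request URLs whose search term carries injected markup."""
    return INJECTION_RE.search(search_term(url)) is not None


if __name__ == "__main__":
    term = search_term(ATTACK_URL)
    print("vulnerable:", render_results_vulnerable(term))
    print("fixed:     ", render_results_fixed(term))
    print("flagged:   ", looks_injected(ATTACK_URL), looks_injected(BENIGN_URL))
```

Escaping at the output point is what stops the injection; rejecting suspicious terms at the input point (the `looks_injected` check) is a detection aid, not a substitute, since the attacker controls the encoding of the query string.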
Which are the main IPs injected as IFRAME redirection points?
NetRange: 126.96.36.199 - 188.8.131.52
CIDR: 184.108.40.206/16, 220.127.116.11/17
NetType: Direct Allocation
descr: NETCATHOST (full block)
remarks: Abuse contacts: email@example.com
inetnum: 18.104.22.168 - 22.214.171.124
changed: firstname.lastname@example.org 20070619
inetnum: 126.96.36.199 - 188.8.131.52
changed: email@example.com 20070619
Newly introduced malware-serving domains loaded by the IFRAMEs:
mynudedirect.com/3/5144 (184.108.40.206) loads mynudenetwork.com/flash2/?aff=5144 (220.127.116.11), which in turn attempts to load mynudenetwork.com/load.php?aff=5144&saff=0&sid=3, where the malware is served once the user accepts the ActiveX object:
Scanners result: 12/32 (37.5%)
File size: 107536 bytes
Moreover, gift-vip.net/images/index1.php (18.104.22.168) is still loading from the previous campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (22.214.171.124) and, of course, e.pepato.org/e/ads.php?b=3029 (126.96.36.199):
Scanners result: 2/32 (6.25%)
JS.Feebs.rv; JS/Feebs.gen2 @ MM
File size: 16098 bytes
We also have vipasotka.com/in.php?adv=5032&val=43c46ed2 (188.8.131.52) loading and redirecting to golnanosat.com/in.php?adv=5058&val=e32a412f (184.108.40.206):
Scanners result: 11/32 (34.38%)
File size: 61440 bytes
Last but not least is d08r.cn (220.127.116.11), a new domain introduced within the IFRAMEs, which is also responding to another scammy ecosystem:
For the time being, Google is actively filtering the results, and when I last checked it had in fact removed the cached pages of a number of domains. The practice makes it difficult to assess how many and which sites are actually affected, but it also undermines the SEO poisoning: without it, the missing input validation and the injected IFRAMEs would never have been able to attract traffic in the first place.
The attack, which started two weeks ago, is still continuing: the main IPs behind the IFRAMEs are still active, new pieces of malware and rogue software are being introduced, hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning combined with IFRAME injections. Which site is next? Let's hope not yours, because if you don't take care of your web application vulnerabilities, someone else will.
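Checking whether one of your own pages has been hit comes down to pulling every IFRAME out of the served HTML and comparing its host against the campaign's redirectors. The block below is an added example, not code from the post; the indicator list is transcribed from the domains and IP addresses printed above, and the sample page it scans is constructed here for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators transcribed from the post above: the IFRAME/redirector domains and the
# IP addresses printed beside them. Extend the sets as the campaign rotates hosts.
IOC_DOMAINS = {
    "mynudedirect.com", "mynudenetwork.com", "gift-vip.net", "webmovies-b.com",
    "e.pepato.org", "vipasotka.com", "golnanosat.com", "d08r.cn",
}
IOC_IPS = {
    ipaddress.ip_address(a) for a in (
        "184.108.40.206", "220.127.116.11", "18.104.22.168",
        "22.214.171.124", "126.96.36.199", "188.8.131.52",
    )
}

# Constructed sample page: one legitimate embed plus two hidden injected IFRAMEs,
# one by domain name and one by bare IP with a scheme-relative src.
SAMPLE_PAGE = """<html><body>
<h1>Results for antivirus 2008</h1>
<iframe src="http://www.youtube.com/embed/abc" width="400"></iframe>
<iframe src="http://mynudedirect.com/3/5144" width=0 height=0></iframe>
<iframe src='//184.108.40.206/in.php?adv=1' style='display:none'></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the src of every <iframe> start tag, however it is quoted or cased."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def iframe_sources(page_html):
    parser = IframeCollector()
    parser.feed(page_html)
    parser.close()
    return parser.srcs


def host_of(src):
    """Hostname of an IFRAME src; scheme-less 'host/path' values are tolerated."""
    if "//" not in src:
        src = "//" + src
    return urlsplit(src).hostname


def host_matches_ioc(host):
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:
        pass  # not a literal IP: compare as a domain (exact or subdomain match)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def suspicious_iframes(page_html):
    """Return the IFRAME srcs on a page that point at a known campaign host."""
    hits = []
    for src in iframe_sources(page_html):
        host = host_of(src)
        if host and host_matches_ioc(host):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE):
        print("injected IFRAME ->", hit)
```

Run it against the HTML your server actually returns for the poisoned search URLs (not the templates on disk), since the injected markup lives in the reflected query, not in your source tree. Matching on subdomains and on literal IPs matters because the campaign moves between redirector domains while the IPs behind them stay the same.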
More High Profile Sites IFRAME Injected
More CNET Sites Under IFRAME Attack
ZDNet Asia and TorrentReactor IFRAME-ed
Rogue RBN Software Pushed Through Blackhat SEO
Massive RealPlayer Exploit Embedded Attack
Another Massive Embedded Malware Attack
Yet Another Massive Embedded Malware Attack
Massive Blackhat SEO Targeting Blogspot
Massive Online Games Malware Attack