Threat Type: Malicious Web Site / Malicious Code
There are further similarities between the two mass attacks. A tool used to execute the attack is hosted on the latest malicious domain. An analysis of that tool can be found in an ISC diary entry, which also mentions http://www.2117[removed].net. We covered that attack in an earlier blog post. It appears that the same tool was used to orchestrate this attack too.
The attackers now reference a file hosted on the new domain http://www.nihao[removed].com.
Sites of varying content have been infected, including UK government sites and a United Nations website, as can be seen in the Google search results below.
The number of sites affected is in the hundreds of thousands:
Evidence of a compromise on a United Nations website:
Evidence of a compromise on a UK government website:
Evidence of a compromise on a Chinese tourism website:
Casualties of the previous attack included various US news web sites, a major Israeli shopping portal, and numerous travel sites.
Websense security customers are protected against this attack.