Beladen payload site changes to Shkarkimi

Date: 06.04.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has detected that the payload site for the mass compromise known as Beladen has changed from Beladen to Shkarkimi. The new site is hosted on the same IP address as Beladen, and the exploits it serves are the same. The obfuscated typosquatting domain of Google-Analytics that leads to the exploit site Shkarkimi is still being injected on a massive scale. We can confirm that, at the time of writing, around 30,000 websites are injected with code that eventually leads to Shkarkimi. For more details about this attack, please see our blog on Beladen.

Screenshot of the redirect to Shkarkimi:

The flow of the attack remains the same as before, except that users are automatically redirected to a dynamically generated subdomain of shkarkimi instead of beladen.

As you can see, Shkarkimi has a very similar network topology to Beladen. Yesterday, the Google Security Team posted a list of the top ten malware domains, which included googleanalytlcs.net. The injection of googleanalytlcs.net into legitimate sites is what we are tracking when we refer to "Beladen". Beladen, as we have named it, was the initial landing page for this attack, but attackers, as previously mentioned, are now using shkarkimi.net as the final landing page.
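As an added defender-side example (not Websense's code or tooling), the following Python scan flags page markup that references a typosquat of the Google-Analytics domain or the Beladen/Shkarkimi payload domains, including any dynamically generated subdomain. The sample HTML, the `x.js` path and the `a1b2c3` subdomain are constructed; the registrable-domain logic is a simplification that uses no public-suffix list.

```python
import re
from urllib.parse import urlparse

# Domains named in the alert: the earlier and the current payload site.
KNOWN_PAYLOAD_DOMAINS = {"beladen.net", "shkarkimi.net"}
LEGIT_ANALYTICS = "google-analytics.com"

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def classify(url: str):
    """Return a reason string if the URL's host is suspicious, else None."""
    host = urlparse(url).hostname or ""
    domain = registrable(host)
    if domain in KNOWN_PAYLOAD_DOMAINS:
        return "known payload domain"      # any dynamic subdomain matches too
    if domain == LEGIT_ANALYTICS:
        return None                        # the real tracker, not a lookalike
    label = domain.split(".")[0].replace("-", "")
    if levenshtein(label, "googleanalytics") <= 2:
        return "google-analytics lookalike"
    return None

def scan_html(html: str):
    """Extract src/href URLs from page markup and classify each host."""
    urls = re.findall(r'(?:src|href)\s*=\s*["\']([^"\']+)["\']', html, re.I)
    return [(u, r) for u in urls if (r := classify(u))]

# Constructed sample: one legitimate tracker reference, one injected
# typosquat reference, one hidden iframe to a dynamic payload subdomain.
SAMPLE_HTML = """<html><head>
<script src="https://ssl.google-analytics.com/ga.js"></script>
<script src="http://googleanalytlcs.net/x.js"></script>
</head><body>
<iframe src="http://a1b2c3.shkarkimi.net/" width="0" height="0"></iframe>
</body></html>"""
```

Running `scan_html(SAMPLE_HTML)` reports only the typosquat and the shkarkimi.net iframe; the obfuscated variant of the injection must be deobfuscated before its URL can be checked this way.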

As we continue to monitor this attack, we will publish any interesting findings.

Websense® Messaging and Websense Web Security customers are protected against this attack.