*CORRECTION* National Pharmaceutical Control Bureau of Malaysia Web site Compromised
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has detected that the Web site of the National Pharmaceutical Control Bureau of Malaysia has been compromised and injected with malicious code. The Web host has been injected with an iframe that leads to a site laden with browser exploits.
Screenshot of the injected Web site:
Screenshot of the injected source code:
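The injection described above, as an added example that is not code from the original alert: a small Python scanner that parses a page's HTML and flags iframe elements with the traits injected frames typically have (an off-site or bare-IP src, a 1x1 or similar tiny size, or CSS that hides the frame). The sample HTML, the site host name and the IP address in it are constructed for the example, not taken from the compromised host.

```python
"""Flag iframes that look injected: off-site, tiny, or hidden via CSS."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hypothetical host name of the page being scanned (assumption for the example).
SITE_HOST = "www.example-bureau.gov.my"

# Constructed sample page: one legitimate same-site iframe in the body and one
# injected frame appended after </html>, a placement injectors commonly use.
SAMPLE_HTML = """<html><head><title>Bureau</title></head>
<body>
<h1>National Pharmaceutical Control Bureau</h1>
<iframe src="/forms/list.html" width="600" height="400"></iframe>
<p>Welcome.</p>
</body></html>
<iframe src="http://198.51.100.23/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Leading integer of a width/height attribute ('1', '1px'), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_reasons(attrs, site_host=SITE_HOST):
    """Return a list of reasons an iframe looks injected (empty list = benign)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != site_host:
        reasons.append(f"off-site src host {host}")
    if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", host or ""):
        reasons.append("src host is a bare IP address")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 2) or (h is not None and h <= 2):
        reasons.append("tiny frame")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden via CSS")
    return reasons


def find_injected_iframes(html, site_host=SITE_HOST):
    """Parse html and return [(src, reasons)] for every iframe that trips a check."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        reasons = suspicious_reasons(attrs, site_host)
        if reasons:
            hits.append((attrs.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_HTML):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against a saved copy of a page (for example `find_injected_iframes(open("index.html").read(), "www.yoursite.example")`); the same-site, normally sized frame is ignored while the appended 1x1 hidden frame pointing at a bare IP is reported with every reason that matched. Treat it as triage, not proof: a frame that is only off-site may be a legitimate embed, and injectors can also use obfuscated script instead of a literal iframe tag.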
The compromised IP address hosts several Malaysian Web sites related to health, academics, religion and more:
If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate at the time the file was checked. The file (MD5: f5edb567e3ad5fbc8e0119230c0cbb6a) is a Trojan downloader that downloads and installs more malicious components on the system, along with a rogue AV program called "Home Antivirus 2010."
The rogue AV program installed:
07.23.2009 UPDATE: The Web host at IP address 220.127.116.11, which had been injected with the iframe, has been cleaned by the Webmaster and no longer serves malicious content.
07.27.2009 CORRECTION: The National Pharmaceutical Control Bureau of Malaysia Web site has not been compromised. A directory hosted on the same IP address as the National Pharmaceutical Control Bureau of Malaysia Web site has been compromised. In order for a user to be infected, the user would have to visit the IP address and navigate to a specific directory hosted on that IP address.
Websense® Messaging and Websense Web Security customers are protected against this attack.