Security Labs


  digg   |   |     reddit
  newsvine   |     furl   |     technorati Compromised


Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has detected that the site has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It's important to note that serves advertising content from, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites. Websense Security labs have been tracking this campaign for months.

The exploits associated with this attack are:

Microsoft DirectShow CVE-2008-0015
Microsoft Snapshot Viewer CVE-2008-2463
Microsoft Data Access Components (MDAC) CVE-2006-0003
AOL ConvertFile() remote buffer overflow exploit

There is also an autoloading malicious PDF file that holds the next vulnerabilites:

Adobe Reader and Acrobat 8.1.1 buffer overflow CVE-2007-5659
Adobe Acrobat and Reader 8.1.2 buffer overflow CVE-2008-2992

Screenshot of the injected Web site:

Screenshot of the injected source code:

If the user's browser is successfully exploited, a malicious file is downloaded and run in the user's Windows home directory from another collaborated exploit site. The malicious file (SHA1: 6776489a0ed889fbabb317763c7c913fdc782631) has an extremely low AV detection rate at the time the file was checked.

Websense® Messaging and Websense Web Security customers are protected against this attack.