Alerts
Microsoft MSN Korea
Date: 06.03.2005
Threat Type: Malicious Website / Malicious Code
Earlier this week, Websense® Security Labs™ discovered malicious code on Microsoft's MSN NEWS Korea site. The code attempts to exploit multiple JavaScript, IE, MHT, and CHM vulnerabilities. If any of these attempts were successful, a Trojan was downloaded onto the computer.
The problem with the site was discovered as part of Websense's data mining process, which scans the internet for malicious websites. This site's characteristics were those of a site which has been compromised. Microsoft was advised immediately that their site was hosting malicious code.
The attempts were launched through an invisible, embedded iframe on the front page of MSN NEWS Korea. Merely visiting the site with a vulnerable browser was enough to become infected, which occurred without the user's knowledge. Anyone who may have visited the site recently is advised to scan their computer for infections.
Additional information from Microsoft on the incident can be found at:
http://msnbc.msn.com/id/8078108/
This Trojan installs itself as %systemroot%/system32/Internet.exe. The file is detected by some antivirus vendors as Trojan-PSW.Win32.Lineage.ez and PWS-Lineage.dll, and is designed to steal keystrokes from users of a popular internet game. The Trojan also installs the file %systemroot%/system32/hzdll.dll and adds a startup entry to the registry.
The site was hosting three malicious code files that would run without user intervention on vulnerable machines. The files were a password-stealing Trojan horse called list.html, which was inserted as an IFRAME, and a file called vbs00302.gif, which is a malicious VBScript (html.help.control). The Microsoft site was shut down on Tuesday and was back up and running later that afternoon without the malicious code.
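Two of the characteristics described above, an invisible embedded iframe on the front page and a script served under an image file name (vbs00302.gif), are things a defender can check for when reviewing a page or a proxy log. The following is an added example written for this alert, not Websense tooling or code from the incident: it parses a constructed HTML page, flags iframes hidden by size or CSS, and checks whether a resource whose name claims an image actually begins with markup or script. The host `example.invalid`, the markup, and the byte strings are constructed; only the file names list.html and vbs00302.gif come from the alert.

```python
"""Hidden-iframe and disguised-script detection (added example, not part of
the original alert). Parses a constructed page, reports <iframe> elements
that are hidden by zero size or CSS, and flags a resource whose extension
says "image" but whose bytes look like HTML or script."""
import re
from html.parser import HTMLParser

# Constructed sample page. list.html and vbs00302.gif are the file names
# from the alert; the host and the rest of the markup are assumed.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="http://example.invalid/list.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.invalid/video.html" width="640" height="480"></iframe>
<iframe src="/ads.html" style="display: none"></iframe>
</body></html>
"""

# Constructed bytes: a resource named like an image but carrying VBScript,
# and a genuine GIF header for comparison.
FAKE_GIF = b'<script language="vbscript">\r\nMsgBox "constructed sample"\r\n</script>'
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixels."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def is_hidden_iframe(attrs):
    """An iframe is 'hidden' if CSS suppresses it or both dimensions are tiny."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))


def find_hidden_iframes(html):
    """Return the src of every hidden iframe in the page, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes if is_hidden_iframe(f)]


def disguised_script(name, data):
    """True when the file name claims an image but the content starts with
    markup or a script tag rather than an image header."""
    head = data.lstrip()[:64].lower()
    claims_image = name.lower().endswith((".gif", ".jpg", ".jpeg", ".png"))
    looks_like_markup = head.startswith(
        (b"<script", b"<html", b"<!doctype", b"<object", b"<iframe"))
    return claims_image and looks_like_markup


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
    for name, blob in (("vbs00302.gif", FAKE_GIF), ("logo.gif", REAL_GIF)):
        print(name, "disguised script" if disguised_script(name, blob) else "ok")
```

Run against the constructed page, the iframe pointing at list.html and the display:none one are reported while the visible 640x480 frame is not, and vbs00302.gif is flagged because its bytes begin with a script tag rather than a GIF header. The size check treats 1x1 frames as hidden as well, since that is a common variant of the zero-size trick.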
Websense Security Premium Group was updated through a real-time security update and customers were protected during the time that the site was spreading malicious code. As of Tuesday, the site was fixed and was not spreading malicious code.