Attackers inject 55.000 websites with cocktail of Trojans

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Attackers inject 55.000 websites with cocktail of Trojans

Post by luntrus » Mon Aug 24, 2009 6:45 pm

Hi malware fighters and users of NS,

Attackers were successful in injecting 55.000 websites with an exploit,
that treats visitors to a "potent Trojan cocktail", according to ScanSafe:
http://blog.scansafe.com/journal/2009/8 ... ktail.html
To hacked websites an iframe was added redirecting to the exploit-site.
The exploit then downloads other exploits and malware from various domains.
This is a cocktail consisting of backdoors, password stealers and downloaders.
The following Google Search will generate 55.000 hits:
http://www.google.nl/search?hl=en&clien ... art=0&sa=N
The malware comes from the following domains: ahthja.info, gaehh.info, htsrh.info,
car741.info, game163.info, car963.info, and game158.info, of which ahthja.info is most active,
with malicious software including 3869 trojans, 2691 scripting exploits, 2513 exploits.
This site was hosted on 1 network(s) including AS4837 (CNC).

The hosts blocklist can be found here: http://www.blackerror.com/blockip/240809.txt
Mentioned iframes were built with a builder, that was released just a couple of days ago,
we will keep you informed,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.0 (KHTML, like Gecko) Iron/3.0.189.0 Safari/531.0

therube
Ambassador
Posts: 7469
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Attackers inject 55.000 websites with cocktail of Trojans

Post by therube » Mon Aug 24, 2009 7:27 pm

Looks to require JavaScript, so NoScript users are protected right off.
Now why isn't a0v.org in this blocklist? (Though I'm sure there are many other domains that could be added too. Like li51, I think it was. And I'm sure there will be many others to follow.)

Sure spread quickly.
Many sites look to have cleaned it up already.
Many still have not.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Attackers inject 55.000 websites with cocktail of Trojans

Post by Grumpy Old Lady » Tue Aug 25, 2009 7:05 am

Close to my heart, luntrus - - these ars*wholes are targeting the older members of society who would have most to lose if they're looking to invest in retirement kinds of houses, and the least experience with using the web.
And wasn't a user just recently asking for NS to allow unvetted code execution inside iframes? (No time to search)
Who ya gonna call?
Script Busters.
But probably not, sadly, for the users of those sites :-(
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
