
Attackers inject 55.000 websites with cocktail of Trojans

Posted: Mon Aug 24, 2009 6:45 pm
by luntrus
Hi malware fighters and users of NS,

Attackers were successful in injecting 55.000 websites with an exploit
that treats visitors to a "potent Trojan cocktail", according to ScanSafe:
http://blog.scansafe.com/journal/2009/8 ... ktail.html
An iframe was added to the hacked websites, redirecting to the exploit site.
The exploit then downloads other exploits and malware from various domains.
This is a cocktail consisting of backdoors, password stealers and downloaders.
The following Google Search will generate 55.000 hits:
http://www.google.nl/search?hl=en&clien ... art=0&sa=N
The malware comes from the following domains: ahthja.info, gaehh.info, htsrh.info,
car741.info, game163.info, car963.info, and game158.info, of which ahthja.info is the most active,
with malicious software including 3869 trojans, 2691 scripting exploits, 2513 exploits.
This site was hosted on 1 network(s) including AS4837 (CNC).

The hosts blocklist can be found here: http://www.blackerror.com/blockip/240809.txt
The mentioned iframes were built with a builder that was released just a couple of days ago;
we will keep you informed,

luntrus

Re: Attackers inject 55.000 websites with cocktail of Trojans

Posted: Mon Aug 24, 2009 7:27 pm
by therube
Looks to require JavaScript, so NoScript users are protected right off.
Now why isn't a0v.org in this blocklist? (Though I'm sure there are many other domains that could be added too. Like li51, I think it was. And I'm sure there will be many others to follow.)

Sure spread quickly.
Many sites look to have cleaned it up already.
Many still have not.

Re: Attackers inject 55.000 websites with cocktail of Trojans

Posted: Tue Aug 25, 2009 7:05 am
by Grumpy Old Lady
Close to my heart, luntrus - - these ars*wholes are targeting the older members of society who would have most to lose if they're looking to invest in retirement kinds of houses, and the least experience with using the web.
And wasn't a user just recently asking for NS to allow unvetted code execution inside iframes? (No time to search)
Who ya gonna call?
Script Busters.
But probably not, sadly, for the users of those sites :-(