Attackers inject 55.000 websites with cocktail of Trojans
Posted: Mon Aug 24, 2009 6:45 pm
Hi malware fighters and users of NS,
Attackers were successful in injecting 55.000 websites with an exploit,
that treats visitors to a "potent Trojan cocktail", according to ScanSafe:
http://blog.scansafe.com/journal/2009/8 ... ktail.html
To hacked websites an iframe was added redirecting to the exploit-site.
The exploit then downloads other exploits and malware from various domains.
This is a cocktail consisting of backdoors, password stealers and downloaders.
The following Google Search will generate 55.000 hits:
http://www.google.nl/search?hl=en&clien ... art=0&sa=N
The malware comes from the following domains: ahthja.info, gaehh.info, htsrh.info,
car741.info, game163.info, car963.info, and game158.info, of which ahthja.info is most active,
with malicious software including 3869 trojans, 2691 scripting exploits, 2513 exploits.
This site was hosted on 1 network(s) including AS4837 (CNC).
The hosts blocklist can be found here: http://www.blackerror.com/blockip/240809.txt
The mentioned iframes were built with a builder that was released just a couple of days ago.
We will keep you informed,
luntrus
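
A defender-side check for the injection described in the post, added here as an example and not part of the original post: it scans a page's HTML for iframes whose source host is one of the domains the post names. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the post above as the malware sources.
BAD_DOMAINS = {
    "ahthja.info", "gaehh.info", "htsrh.info", "car741.info",
    "game163.info", "car963.info", "game158.info",
}

def host_is_listed(host):
    """True if host equals a listed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag (case-insensitive)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def find_injected_iframes(html):
    """Return iframe src values whose host is on the blocklist."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        try:
            # Handles absolute and scheme-relative ("//host/path") URLs;
            # relative paths have no hostname and are skipped.
            host = urlsplit(src).hostname
        except ValueError:
            continue  # malformed URL, nothing to match against
        if host_is_listed(host):
            hits.append(src)
    return hits

# Constructed sample page, not taken from a real compromised site.
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="https://maps.example.org/embed"></iframe>
<IFRAME SRC="http://www.ahthja.info/x/" width=0 height=0></IFRAME>
<iframe src="//game158.info/index.htm"></iframe>
<iframe src="http://notgaehh.info/"></iframe>
</body></html>"""
```

Run `find_injected_iframes` over the stored HTML of each page on a site; any non-empty result means the page embeds a frame from one of the listed domains and should be restored from a clean copy.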