thersa.org.uk, infected.

Probably through SQL injection, this page of thersa.org.uk links to a JavaScript file hosted on a server in China.

The screenshot shows that the thersa.org.uk website has been infected: users who visit it end up running malicious JavaScript code in their browsers. That code in turn loads further JavaScript files from .cn and .la domains.

There is a reference in one of the files to a cookie named killav (Kill Antivirus?) that may disable some antivirus programs.

In addition, one of the JavaScript files checks which browser you have. If you have Internet Explorer 6 or 7, it loads an exploit that attempts to run binary code; if that succeeds, you are infected. If you have Firefox, it does not attempt an infection and goes straight to the next phase.

The next phase is to open pages on sites in China. It appears to me that the business plan in that case is to generate revenue from ad hits.

The worst outcome, however, is getting infected. Unpatched Windows systems are at the mercy of these attackers.

One way to mitigate such risks is to use Mozilla Firefox with the NoScript add-on installed, so that scripts from unknown third-party domains are not run by default.

Update 5 June 2008:

The RSA updated their website, moving it away from Windows and ASP to open-source software. They are now using CentOS Linux, Apache, and an open-source CMS. Therefore, the security risk described above no longer applies.
