Mi blog lah! Το ιστολόγιό μου

13 May 2008

thersa.org.uk, infected.

Probably planted through SQL injection: this page of thersa.org.uk links to a JavaScript file hosted on a server in China.

The screenshot shows that the thersa.org.uk website has been infected: users who visit it end up running malicious JavaScript in their browsers. That script in turn loads further JavaScript files from hosts under the .cn and .la top-level domains.

One of the files refers to a cookie named killav (kill antivirus?), which suggests that the payload tries to disable some antivirus programs.

In addition, one of the JavaScript files checks which browser the visitor is using. Internet Explorer 6 or 7 is served an exploit that attempts to run native code; if that succeeds, the machine is infected. Firefox is not attacked at all and is sent straight to the next phase.

The next phase opens pages on sites in China. It appears to me that the business plan in that case is to generate revenue from ad hits.
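The indicators described above (an off-site script tag pointing at a .cn or .la host, a reference to a killav cookie, browser sniffing for Internet Explorer) can be checked for in a saved copy of a page. The following Node.js scanner is an added example, not code from the original post or from thersa.org.uk; the hostnames, paths and sample HTML in it are constructed for the example, and a real injected page may of course use other hosts and obfuscated code.

```javascript
// Added example, not code from the original post: a small scanner for the
// indicators the post describes, meant to be run over a saved copy of a page.
// It flags <script src=...> tags that load from a different site (and notes
// .cn / .la hosts), inline scripts that sniff for Internet Explorer, and any
// reference to a cookie named "killav". Hosts, paths and the sample HTML
// below are constructed for the example.

const SUSPECT_TLDS = ['.cn', '.la'];

// Pull the src attribute from every <script ...> opening tag (quoted or not).
function scriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Hostname of an absolute or protocol-relative URL; null for a relative path
// (same-origin, so not interesting here) or an unparseable value.
function hostOf(src) {
  if (!/^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(src)) return null;
  try {
    return new URL(src.replace(/^\/\//, 'http://')).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Same site if the host is the site's registrable domain or a subdomain of it.
function sameSite(host, siteHost) {
  return host === siteHost || host.endsWith('.' + siteHost);
}

function scanPage(html, siteHost) {
  const findings = [];
  for (const src of scriptSources(html)) {
    const host = hostOf(src);
    if (host === null || sameSite(host, siteHost)) continue;
    findings.push({
      kind: 'offsite-script',
      src,
      host,
      suspectTld: SUSPECT_TLDS.some((tld) => host.endsWith(tld)),
    });
  }
  // The post mentions a cookie named killav in one of the loaded files.
  if (/\bkillav\b/i.test(html)) findings.push({ kind: 'killav-cookie-reference' });
  // Browser sniffing that singles out Internet Explorer (IE 6/7 got the
  // exploit, Firefox got the redirects).
  if (/navigator\.(userAgent|appVersion)/.test(html) && /MSIE/.test(html)) {
    findings.push({ kind: 'ie-browser-sniff' });
  }
  return findings;
}

// Constructed sample: an otherwise ordinary page with one injected off-site
// script tag and an inline snippet of the kind described above.
const INFECTED_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src=http://www.example.cn/m.js></script>
<script>
  var ua = navigator.userAgent;
  if (/MSIE [67]/.test(ua)) { document.cookie = "killav=1"; }
</script>
</head><body><p>Hello</p></body></html>`;

// Constructed sample: a page that only loads scripts from its own site.
const CLEAN_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://static.thersa.org.uk/analytics.js"></script>
</head><body><p>Hello</p></body></html>`;

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(INFECTED_HTML, 'thersa.org.uk'), null, 2));
  console.log(JSON.stringify(scanPage(CLEAN_HTML, 'thersa.org.uk'), null, 2));
}
```

Run it with node over a page saved with wget or from the browser. The same-site check treats any subdomain of the site's registrable domain as local, so a legitimate CDN on another domain will also show up as an off-site script and needs to be reviewed by hand; the point is to surface every third-party script for inspection, not to decide on its own which one is malicious.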

The worst outcome, however, is getting infected: unpatched Windows systems are at the mercy of these attackers.

One way to mitigate such risks is to browse with Mozilla Firefox with the NoScript add-on installed, so that script from hosts you have not allowed is never run. This protects the visitor; it does nothing for the site itself, whose injection flaw remains until it is fixed.

Update 5 June 2008:

The RSA have since rebuilt their website, moving from Windows and ASP to open-source software: CentOS Linux, Apache and an open-source CMS. Because the old code is gone, the security risk described above does not apply any more. A change of platform removes the old code rather than the class of bug, though, so the new CMS still needs its own input handling checked.