[ Security Alert ] 30 September, 2010 13:54

   In our previous article, Security Alert 2010-09-21: Yahoo Group Are Misused by Spammer, we mentioned that there are some SPAM mail take advantage of Yahoo Groups service to redirect user to final web page. In last example was Canadian Pharmacy, now let's look at another one.

Figure 1: Inside mail body, only URL directed to Yahoo Groups.


Figure 2: The image inside public message of that group contains hyperlink to final target.

Figure 3: When user clicks the image, a online dating site is shown.

    We think there are two reasons for spammer to use such indirect method. The first one is, in currently deployed anti-spam appliance or software, most of them filtering the URL contained inside mail by using white/black list or web reputation system. Since Yahoo is a big company, such method might have higher survival rate. The second one is, users also more trust big company, thus, they may have more confidence to follow the link.

   Just remind you to keep watch the risk of using computer networks.

 By AegisLab

[ Security Alert ] 29 September, 2010 13:23

    AegisLab disclovered a online learning web site, moodle.njtc.edu.tw, was invaded and injected lots of SEO poisoned web page. The hopping site is "", but the download path to malware executables are changed quite freqently. Currently the download IP includes "", "", "" and etc. The malware executable has low detection rate (18%) at this moment. 

Attack Path:
[search] http://www.google.com
 [root] hxxp://moodle.njtc.edu.tw/v/v/unitarian91022.php
  [script] hxxp://
    [virus] hxxp:// 

    Detection rate of downloaded executable in VT( http://www.virustotal.com/file-scan/report.html?id=33b3bdcab268c18f46b9530664c3d25ffb84fa52d0a25be174ff28bf70a05b6d-1285727106

    The Google SafeBrowsing didn't flag the above URLs as malicious, but Lionic started to stop the hopping site from 2010-9-21.

    Other infected web pages are located under hxxp://moodle.njtc.edu.tw/v/v/,  336 pages in total.

By AegisLab

[ Security Alert ] 28 September, 2010 17:15

    With constantly tracking for drive-by-download and malware distribution , we found the OnlineGames Trojan families is still very active for several years, which have the polymorphic capabilities

    Here we disclose domestic site which is suffered by web site injection and a drive-by-download will lead user to this Trojan.


 [script]hxxp://www.liteflux.com/english/trim.js <- This script is injected with malicious link.
    [virus] hxxp://www.txgjj.com/images/s.exe

Figure 1, Injected Script File.


[ Product News ] 21 September, 2010 16:46


    Weeks eariler, we saw Google Code are misused by putting malware on it, now we also observed the spammer take advantages of people's trust for big company to redirect the URL inside the spam mail.

    A spam mail contains a URL link toward the Yahoo Groups, people usually trust the big companies, and then people visit the website of Yahoo. Since the group is configured as open, the spammer hints user to follow the links on the web page. And evently, user is redirected to Canada Pharmacy web site.

   Attacker and spammer now learned how to utilize free internet services as their hopping site.

 By AegisLab

[ Product News ] 17 September, 2010 11:44

-- Update in 2010-09-23 --

    With non-stop tracking of "invisiblebert.in", we found more vulnerable site but the detection rate is still very low. One victim is "hxxp://www.yio-shen.com.tw" which has more than 300 pages are polluted with SEO redirections.

    "invisiblebert.in" has low detection 6% (1/17) today, but Lionic blocked it from 2010-09-12.

    The final downloaded malware also has low detection rate 23.3% (10/43) in VT. ( http://www.virustotal.com/file-scan/report.html?id=333d5781ac3c0ed80cc76c8e8f94fc395aee2a64eba87eb436712f79e5bc4559-1285221104 )


 -- Orignally post in 2010-09-17 --

    AegisLab, security research group of Lionic Corp., constantly monitors the SEO based malicious web pages, which usually lead to drive-by-download, fake AV, scare-ware, online drug stores and etc. With our special technology and effort in discovery of SEO(Search engine optimization) based attack, we found new vulnerable site and new attack path today. The downloaded malware has very low detection rate, and the attack path is never discovered by other malicious URL database. But we discovered similiar attack path 4 days before and added it into our blacklist already.


    Here we disclose an attack path as the example.


[search] http://google.com (with popular keywords)

[root] hxxp://model.win-e.com.tw/images/model/school1.php   [PageRank:1]
  [script] hxxp://invisiblebert.in/search/search.php
   [script] hxxp://
    [script] hxxp://
      [script] hxxp://


[ Product News ] 16 September, 2010 17:27


    Today, we formally release the signatures to block AD in Youtube player screen. Lionic’s MiniGuard can set easily to block the advertisement on Youtube, and the snapshot of MiniGuard setting page is shown as below. It provides a very friendly user interface for configuration.

     “Lionic’s application guard offers a useful and convenient mechanism for Youtube Ads. We assist the user to block any annoying advertisements when they are watching a movie on Youtube. It’s been integrated and could be demonstrated by our reference design-MiniGuard. After a simple settings, users can easily have a nice experience in browsing YouTube. ” Mr. Eric Lu, CEO of Lionic commented.     Lionic is keep researching & developing the more user-friendly features on our Miniguard, and always plan ahead to think what features can benefit users and also provide the best applications for uses’ internet life. 


 [Eariler post in 2010-09-10]

     In past days, our customers complained Youtube displayed the advertisement in the movie canvas. It will occupy around one of fifth of the screen, and more annoying compared with advertisement put on elsewhere. See below figure.

      Even though Youtube provides some accout setting for user to turn on/off playing advertisement, but user seldom tweak the settings. Also, for anonymous user, there is no option to deal with it.

      Now, AegisLab will release a set of signature that can deploy in the gateway devices, all users under the gateway device with policy enabled is free from Youtube AD, oh yes!!


By AegisLab 

1 2  Next»