AegisLab has found that many "mail.htm" pages were trojanized with an embedded <iframe> that launches a drive-by download attack. So far there are 311 victim websites, and the number is still increasing.


If you connect to a victim website without an HTTP Referer header, it redirects you to the Google website.

[Screenshots: Victim #1, Victim #2 and Victim #3, each redirecting to Google when visited without a Referer]

But with a proper HTTP Referer, you are redirected to one of the following websites:

  • hxxp://online-cammunity.ru:8080/forum/w.php?f=182b5&e=2
  • hxxp://zenedin-zidane.ru:8080/forum/w.php?f=5e91c&e=4 
  • hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2
  • (and more...)
You can see that the polymorphic URLs all follow the same pattern: {hostname}.ru:8080/forum/w.php?f=...
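As an added example (not part of AegisLab's post or of its WebGuard product), the following Python script shows how a site owner can check a static page such as "mail.htm" or "upload.htm" for an injected <iframe> whose src matches the redirect pattern above. The sample page, its legitimate iframe and the example.com host are constructed for the demonstration; the flagged host is one of the redirect targets quoted in the post, kept in its defanged "hxxp" form.

```python
import re
from html.parser import HTMLParser

# Redirect-target pattern described in the post:
#   {hostname}.ru:8080/forum/w.php?f=<hex id>&e=<number>
# "hxxp" is accepted so that defanged indicators can be checked as-is.
CAMPAIGN_URL = re.compile(
    r"^(?:https?|hxxps?)://"
    r"(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*\.ru):8080"
    r"/forum/w\.php\?f=[0-9a-f]+&e=\d+$",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def find_iframe_srcs(html):
    """Return all iframe src values found in the HTML text, in document order."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    return collector.srcs


def matches_campaign(url):
    """True if the URL has the {hostname}.ru:8080/forum/w.php?f=...&e=... shape."""
    return CAMPAIGN_URL.match(url) is not None


def scan_page(html):
    """Return (src, flagged) for each iframe; flagged means it matches the pattern.

    Every iframe is reported, not only the flagged ones, so that any iframe
    that has no business being in a static page can be reviewed by a person.
    """
    return [(src, matches_campaign(src)) for src in find_iframe_srcs(html)]


def flagged_hosts(html):
    """Hostnames of flagged iframes, e.g. for blocking or for cross-checking proxy logs."""
    return sorted(
        {CAMPAIGN_URL.match(src).group("host").lower()
         for src, flagged in scan_page(html) if flagged}
    )


# Constructed sample: a static contact page with one legitimate iframe and one
# injected iframe. The injected src is a redirect target quoted in the post
# (defanged "hxxp"); www.example.com is a placeholder host.
SAMPLE_MAIL_HTM = """<html>
<head><title>Contact us</title></head>
<body>
<h1>Mail form</h1>
<iframe src="http://www.example.com/mailform.html" width="400" height="300"></iframe>
<iframe src="hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2" width="1" height="1"></iframe>
</body>
</html>
"""

if __name__ == "__main__":
    for src, flagged in scan_page(SAMPLE_MAIL_HTM):
        print(("FLAGGED " if flagged else "ok      ") + src)
    print("hosts to block:", flagged_hosts(SAMPLE_MAIL_HTM))
```

Because the injected pages only redirect when a Referer is present, fetching a page with a plain client and looking at the response is not enough; scanning the stored HTML on the web server itself, as this script does, sees the iframe regardless of how the attacker's server behaves.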
"Onerussiaboard.ru", "online-cammunity.ru" and "mysqlfordummys.ru" are no longer valid at the moment, but the latest domain, hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2, is still alive. As far as we know, Google Safe Browsing does not block it yet (see figure below).

[Figure: Google Safe Browsing status for spb-koalitia.ru]

Besides "mail.htm", we found that many "upload.htm" pages are also trojanized, because the software packages these sites use are vulnerable.


The software packages used by the victim websites are listed below:

  • hxxp://www.r-toto.com.cn/mail.htm -> Metinfo 4.0
  • hxxp://www.tiyidi.com/mail.htm -> Discuz X2
  • hxxp://www.kshaoye.com/mail.htm -> WordPress 3.4.1


Finally, the program we downloaded from the malicious websites is called "win32.exe"; its detection rate on VirusTotal (VT) is shown below:


AegisLab WebGuard has blocked all of the malicious websites, and the antivirus can remove the malicious program.