After CNET, other high-profile sites like Wired.com are getting IFRAME injections, and our friends at the RBN seem to be involved (again). Another excellent analysis by Dancho Danchev:
Read the full article. Key summary points:
- the same malicious parties behind the CNET and TorrentReactor's IFRAME injection are also the ones behind Wired.com and History.com's abuse of input validation
- the IFRAME injection entirely relies on the lack of input validation within their search engines, making executable code possible to submit and therefore automatically execute upon accessing the cached page with a popular search query
- many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network
- the main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks
- given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing based on the possibility to abuse input validation on high page-ranked sites, presumably in an automated fashion
- Keep It Simple, Stupid works: since they cannot find a way to embed the IFRAME at these hosts, a clear indication of the fact that they've breached them, they figured out a way to inject the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on popular keywords, or any kind of keywords that they want to
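The mechanism in the second point, a site search that echoes the query back into the results page without escaping, is worth seeing side by side with its fix and with a log check a site owner could run. The following is an added example written for this post, not code from Danchev's analysis or from any of the affected sites; the search handler, the log lines and the `example.invalid` hostname are all constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: a search term carrying an IFRAME, the kind of input the post says
# was submitted to search boxes whose results page echoes the query back unescaped.
# The hostname is a reserved placeholder, not a domain from the analysis.
INJECTED_QUERY = 'popular term <iframe src="http://example.invalid/" width="0" height="0"></iframe>'


def render_results_vulnerable(query: str, hits: list) -> str:
    """Results page that echoes the query verbatim: this is the input-validation defect.
    If the page is cached and later served for a popular query, the tag runs in every
    visitor's browser."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h1>Results for: {query}</h1><ul>{items}</ul>"


def render_results_hardened(query: str, hits: list) -> str:
    """Same page with the query (and the hits) HTML-escaped, so tags become inert text."""
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for: {html.escape(query)}</h1><ul>{items}</ul>"


# Tags that load or execute remote content; a search term has no business containing them.
TAG_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def contains_active_markup(text: str) -> bool:
    """True if the text contains an opening tag from TAG_RE."""
    return TAG_RE.search(text) is not None


# Constructed access-log lines in Common Log Format. Query strings are percent-encoded
# as a web server would record them.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2008:10:01:02 +0000] "GET /search?q=linux+kernel HTTP/1.1" 200 5120
203.0.113.9 - - [12/Jan/2008:10:01:07 +0000] "GET /search?q=popular+term+%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 5300
198.51.100.2 - - [12/Jan/2008:10:01:09 +0000] "GET /search?q=%3Cscript+src%3D%22http%3A%2F%2Fexample.invalid%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_searches(log_text: str, param: str = "q") -> list:
    """Return the decoded values of the search parameter that contain active markup.
    Running this over the access log shows which cached result pages need purging."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query_string = urlparse(m.group(1)).query
        # parse_qs undoes both '+' and percent-encoding, so we match the decoded term
        for value in parse_qs(query_string).get(param, []):
            if contains_active_markup(value):
                flagged.append(value)
    return flagged


if __name__ == "__main__":
    print(render_results_vulnerable(INJECTED_QUERY, ["some hit"]))
    print(render_results_hardened(INJECTED_QUERY, ["some hit"]))
    for term in flag_suspicious_searches(SAMPLE_LOG):
        print("flagged search term:", term)
```

Escaping at output time is the fix the post's second point implies; the log scan is the complementary check, since a site that cached search results before the fix still has poisoned pages to find and purge.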

Security4all Blog