Web Facing Malware Rampage
By CXOtoday Staff
Mumbai, May 14, 2008

Trend Micro has identified over half a million Web pages that have been compromised by a Web attack. Affected websites are injected with a malware script (JS_SMALL.QT) resulting from a poor PHP Bulletin Board (aka, phpBB), a popular Internet forum software program, implementation.

Upon visiting affected websites, visitors are infected with a variant of the ZLOB family (TROJ_ZLOB.CCW) which poses as a video codec installer. When users download the purported video codecs they are actually downloading several Trojan horse programs:

* TROJ_DNSCHANG.CS

* TROJ_ALUREON.AE
* TROJ_ALUREON.AH
* TROJ_ALUREON.AI

These types of Trojans change an affected system's DNS server and Internet browser settings, thus making the system vulnerable to additional threats.

Many of the websites have already been compromised with fake pharmaceutical and pornographic spam. It appears that the first infection occurred in February 2008. The infections appear to have been carried out in forums and guest books. The original forum and guest book pages are now inaccessible as they redirect visitors to a porn site to download the fake video codec.

According to Ivan Macalintal, research manager (advanced threats) of Trend Micro, "This attack is similar to the Web threat attacks we are seeing worldwide, just visiting a compromised site leads to a series of redirections that causes the downloading of malware."

The malware is hosted on servers located in in the US and Moscow. This attack is potentially the work of a Russian/Ukranian criminal gang that have initiated previous ZLOB attacks over the course of the past year.


Related Links:
Panda Says Malware on the Rise
Malware Threat Level Up in 2007-08