Sophos


How long has this been going on? Star’s site infected

Last night, Graham sent me an email with a link to Roger’s Information Security Blog detailing the hacking of the legendary singer Van Morrison’s website.

From the description of the hack I would have expected Sophos to have been detecting the site as Mal/Iframe-F. Naturally, I visited the site, in a secure manner, to see what I could see. Unfortunately, I didn’t see an Iframe as described.

What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site (blacklisted for Sophos customers since Oct 7th). The WHOIS record for that remote site strangely says:

Address : 56/2 Sun str.
City : Dallas
Province/State : beijing

This morning I wrote detection for the obfuscated script, as Troj/Iframe-DD.
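
A static check in the spirit of the analysis above, as an added example that is not Sophos's Troj/Iframe-DD detection or code from this post: it peels percent-escape and `String.fromCharCode` layers from inline scripts without executing them and reports iframes that only appear after decoding and point off-site. The obfuscation layers handled, the sample page and the host names are assumptions; the post does not say how the script was encoded.

```python
import re
from urllib.parse import unquote, urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.I)

def _from_charcodes(match):
    # Rebuild the string a fromCharCode(...) call would produce.
    codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
    return "".join(chr(c) for c in codes if c < 0x110000)

def peel(script, max_layers=5):
    """Undo nested encoding layers as text; the script is never executed."""
    for _ in range(max_layers):
        decoded = unquote(CHARCODE_RE.sub(_from_charcodes, script))
        if decoded == script:
            break
        script = decoded
    return script

def hidden_iframes(html, page_host):
    """Return off-site iframe hosts that appear only after decoding."""
    hosts = []
    for body in SCRIPT_RE.findall(html):
        visible = set(IFRAME_RE.findall(body))  # iframes written in the clear
        for src in IFRAME_RE.findall(peel(body)):
            try:
                host = urlparse(src).hostname
            except ValueError:  # malformed URL, e.g. unbalanced brackets
                continue
            if src not in visible and host and host != page_host:
                hosts.append(host)
    return hosts

# Constructed sample page (not the real site's markup; hosts are placeholders).
SAMPLE_PAGE = """<html><body><h1>Tour dates</h1>
<script>document.write('<iframe src="/player.html"></iframe>')</script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//remote.example/x%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    print(hidden_iframes(SAMPLE_PAGE, "www.example.org"))
```

A hit is a lead for manual analysis, not a verdict: scripts that build the iframe through other encodings or DOM calls will not be caught by these two decoders.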

After further digging on our systems we have seen multiple infections on this site:

How long has the site been infected? And how many infections will it have before the site's security is updated?

