FYI...
Mass compromise ongoing, spreads fake antivirus
- http://blog.armorize.com/2011/08/k98...irus-mass.html
8.17.2011 - "On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing... We estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful and therefore Google indexed more than 536,000 infected pages. However, since then the attackers have fixed the injected pattern and therefore the injected script is executed rather than displayed. Google therefore does not index infected websites any longer...
4. Browser Exploitation: Drive-by download script served by a modified version of the BlackHole exploit pack.
5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.
6. Injection method: Primarily via stolen FTP credentials, and then use an automated program to FTP, retrieve files, inject the iframe, and upload back. FTP credentials are stolen from personal Windows computers that have been infected with malware. Malware searches stored password files of FTP clients and also sniffs the FTP traffic. Stolen credentials are sent back to the attackers.
7. Malicious domains and IPs... (shown/listed at the armorize.com URL above.)
8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal*..."
* https://www.virustotal.com/file-scan...061-1313382824
File name: contacts.exe_
Submission date: 2011-08-15 04:33:44 (UTC)
Result: 5/43 (11.6%)
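Added example, not part of the post above or of the Armorize write-up it quotes: a small Python scanner a site owner could run over their own web root after an incident like this one, to flag injected iframes (zero-size, CSS-hidden, or pointing at a host that is not the site's own) and the "botched first attempt" symptom the post describes, where the injected tag was HTML-escaped and so rendered as text instead of executing. The heuristics are generic and assumed, not the specific k98 pattern; the HTML samples and the `malicious.invalid` host are constructed placeholders.

```python
"""Scan HTML files for injected iframes (generic heuristics, not the actual k98 signature)."""
import re
import sys
from urllib.parse import urlparse

# An <iframe ...> opening tag and its raw attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value attribute pairs.
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
# An HTML-escaped tag in page text: the injected code was displayed, not executed.
ESCAPED_TAG_RE = re.compile(r"&lt;\s*(iframe|script)\b", re.IGNORECASE)


def parse_attrs(attr_text):
    """Return a lower-cased attribute dict from the text inside an opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_tiny(value):
    """True when a width/height value such as '0', '1' or '0px' makes the frame invisible."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def hidden_reasons(attrs):
    """Collect the ways an iframe is hidden from the visitor."""
    reasons = []
    if is_tiny(attrs.get("width")) or is_tiny(attrs.get("height")):
        reasons.append("zero-size")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    return reasons


def find_suspicious_iframes(html, trusted_hosts):
    """Flag iframes that are hidden or that load content from a host not in trusted_hosts."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = hidden_reasons(attrs)
        if host and host not in trusted_hosts:
            reasons.append("third-party-host")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def find_escaped_injection(html):
    """Return escaped '<iframe'/'<script' fragments: the tell-tale of a botched injection."""
    return [m.group(0) for m in ESCAPED_TAG_RE.finditer(html)]


def scan_html(html, trusted_hosts=()):
    """Run both checks over one HTML document and return the findings."""
    return {
        "iframes": find_suspicious_iframes(html, set(trusted_hosts)),
        "escaped": find_escaped_injection(html),
    }


# Constructed sample pages (assumed, not real infected files).
CLEAN_PAGE = """<html><body><h1>Hello</h1>
<iframe src="https://www.example.com/embed" width="400" height="300"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Hello</h1>
<iframe src="http://malicious.invalid/k.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

BOTCHED_PAGE = """<html><body>&lt;iframe src=&quot;http://malicious.invalid/k.php&quot;&gt;</body></html>"""


if __name__ == "__main__":
    # Usage: python scan_iframes.py www.example.com file1.html file2.html ...
    own_host, paths = sys.argv[1], sys.argv[2:]
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = scan_html(fh.read(), [own_host])
        if result["iframes"] or result["escaped"]:
            print(path, result)
```

The trusted-host list should be the site's own hostnames plus any embed providers the site legitimately uses; anything else loading in a hidden frame is worth pulling from the FTP upload log, which, given injection method 6 above, is also where to look for the credential that was abused.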