Blog da Zscaler

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Inscreva-se
Security Research

Worldfest, Houston Website Compromised Before The Start Of The Event

image
THREATLABZ
April 04, 2011 - 2 Min. de leitura
Today, one of our blog readers, Mr. Steve Kennedy posted a comment saying his antivirus alerted on “http://www.worldfest.com”. It appeared to be related to the Blackhole exploit kit, which I’d discussed in a previous blog post. This site turns out to be the official website for the Houston International Film Festival. The 44th annual WorldFest event will be held from April 8 to 17, 2011. Here is the screenshot of the home page:

Image

 

 

 

The malicious JavaScript code is injected at the bottom of the main page as can been seen in the attached screenshot:

Image

 
 

The malicious JavaScript is heavily obfuscated to evade detection. A decoded version of the JavaScript contains code that looks legitimate at first glance. A malicious iframe is then inserted in the middle of this decoded content. Here is the screenshot:

Image

 

 

 

Unfortunately, for this blog we were unable to retrieve any malicious contents because the iframed site simply redirects to Google. This may be due to the fact that the attackers have crafted the page to only deliver the payload if certain conditions have been met (i.e. correct user agent, particular geography, etc.), however, despite various approaches, we were unable to retrieve malicious content from the page. Here is the packet capture of the redirect:

Image

 

 

 

The website sets a cookie and redirects to Google. This cookie may be used by the attacker to track previous victims in order to ensure that the payload is only delivered one time. This is another common technique to keep the attack under the radar. This site was registered on 30th March 2011 in Ukraine. Here is the whois lookup,

Image

 

 

 

A Google for the query “WorldFest Houston 2011” returns this infected site as the first search result, as shown below:

Image

 

Attackers often try to target popular events and the WorldFest is a valuable target with the event beginning on April 8th. This site will surely get plenty of traffic given that this is a popular film festival. We have informed the webmaster of the infection and will continue to monitor the site.

 

Happy Film Festival!

 

Umesh

form submtited
Obrigado por ler

Esta postagem foi útil??

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Ao enviar o formulário, você concorda com nossa política de privacidade.