Author Topic: Trojan Distributed in New Mass Injection Attack via Java Downloader  (Read 2700 times)


malcontent

  • Guest
http://news.softpedia.com/news/Trojan-Distributed-in-New-Mass-Injection-Attack-via-Java-Downloader-174971.shtml
Quote
Security researchers warn that a new mass injection attack is underway directing the visitors of hundreds of websites to a malicious Java applet which downloads a trojan.

According to Denis Sinegubko, the creator of the Unmask Parasites Web scanner, the malicious code is added at the end of HTML pages on compromised websites and takes the form of an obfuscated JavaScript function.

When parsed by the browser, this function adds a rogue IFrame to the HTML document, which loads a new.htm page from aubreyserr.com, medien-verlag.de or yennicq.be.

According to statistics from Google's Safe Browsing service, around 2,000 websites link to these domains, giving a rough estimation of the attack's impact so far.

The page called by the IFrame loads a Hidden.jar applet deceptively titled "Java Update." This is a Java OpenConnection-type downloader whose only purpose is to download and execute a file called host.exe.

The three domains serving the malware are actually legitimate, but their corresponding websites have been compromised.
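A defender-side check for the injection pattern described in the quoted article, as an added example that is not part of the original thread or of any scanner named in it: it flags script blocks placed after a page's final closing tag and iframes pointing at the three reported domains. The obfuscation hint list, the name `scan_html` and the sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts named in the quoted article as serving the rogue iframe page.
REPORTED_HOSTS = ("aubreyserr.com", "medien-verlag.de", "yennicq.be")
# Assumed generic obfuscation indicators, not the actual signature of this attack.
OBFUSCATION_HINTS = ("eval", "unescape", "fromCharCode", "document.write")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
CLOSE_RE = re.compile(r"</(?:body|html)\s*>", re.I)


def scan_html(html):
    """Return a list of (rule, detail) findings for one HTML document."""
    findings = []
    # Rule 1: iframes written in plain markup that point at a reported host.
    for src in IFRAME_SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        if host in REPORTED_HOSTS or host.endswith(tuple("." + h for h in REPORTED_HOSTS)):
            findings.append(("iframe-reported-host", src))
    # Rule 2: script blocks after the last </body> or </html>, i.e. code
    # appended at the end of the page as the article describes.
    closes = list(CLOSE_RE.finditer(html))
    tail_start = closes[-1].end() if closes else len(html)
    for match in SCRIPT_RE.finditer(html, tail_start):
        hints = [h for h in OBFUSCATION_HINTS if h + "(" in match.group(1)]
        rule = "trailing-script-obfuscated" if hints else "trailing-script"
        findings.append((rule, ",".join(hints)))
    return findings


# Constructed sample pages (not captured from any real site).
CLEAN = "<html><body><script>var a = 1;</script><p>hi</p></body></html>"
# The encoded string decodes to a harmless JavaScript comment.
INFECTED = CLEAN + '\n<script>function x(){eval(unescape("%2F%2Fconstructed"))}x();</script>'
PLAIN_IFRAME = ('<html><body><iframe src="http://yennicq.be/new.htm" '
                'width="1" height="1"></iframe></body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("infected", INFECTED), ("iframe", PLAIN_IFRAME)):
        print(name, scan_html(page))
```

Rule 2 only looks at position and a few call names, so a hit is a reason to diff the file against a known-good copy rather than proof of compromise.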

Offline danny96

  • Malware Fighter
  • Advanced Poster
  • **
  • Posts: 668
  • No-malware!
Re: Trojan Distributed in New Mass Injection Attack via Java Downloader
« Reply #1 on: December 30, 2010, 09:15:59 AM »
So be careful  :o
Hope Avast will detect it as soon as it can!
Real-time protection and Firewall: COMODO Internet Security 12.0.0.6810 -- Additional Protection: Web Of Trust, Ublock, NoScript, Malwarebytes Premium, Avast! Online Security, Hitman Pro -- OS: Windows 10

Gargamel360

  • Guest
Re: Trojan Distributed in New Mass Injection Attack via Java Downloader
« Reply #2 on: December 30, 2010, 09:17:01 AM »
Thanks.

Should have posted it here, though >> http://forum.avast.com/index.php?topic=52252.0

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Trojan Distributed in New Mass Injection Attack via Java Downloader
« Reply #3 on: December 30, 2010, 04:52:05 PM »
The web shield is generally all over these hacked sites and obfuscated JavaScript like a rash, much more accurate than anything I've seen, as this frequently shows in VirusTotal results.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security