
Mebroot Spreading through High-Traffic, Compromised Web Sites 

Apr 02, 2008 03:00 AM


Symantec is tracking more and more high-traffic Web sites that become compromised and are then used to spread malicious code. Following the breach that our MSS team spotted on Tata, we have been notified of another Web site with a similar issue.



Today the Italian Web site www.emule-italia.it had been compromised and was hosting an obfuscated script:





When deobfuscated, the script revealed an iframe pointing to http://[REMOVED]xes.com/ld/grb, which redirected users to a server (http://[REMOVED]fir.com/cgi-bin/mail.cgi?p=grobin) hosting the Neosploit tool. Neosploit forces vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot.



Symantec notified the ISP involved about this issue, and the ISP has since worked to remove the malicious content from the affected Web site. High-traffic Web sites are increasingly targeted because the huge number of visits they receive turns into a huge number of machines getting compromised in a short period of time. Application security is therefore even more important for these sites: periodic penetration testing, code review, and sound application security practices (please see http://www.symantec.com/business/solutions/whitepapers.jsp?solid=security) throughout the development lifecycle can protect site owners from these kinds of threats.
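A site owner can routinely check served pages for the kind of injection described above: an iframe to a foreign host that only appears once an inline script is decoded. The following Python sketch is an added example, not code from the original post. The post does not show the obfuscation that was used, so percent-encoding and `\xNN`/`\uNNNN` escapes are assumed here, and the host names and sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts this site legitimately frames (assumed values for the example).
ALLOWED_HOSTS = {"www.example.test", "cdn.example.test"}
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

class FrameCollector(HTMLParser):
    """Collects iframe src attributes and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.frames, self.script_text, self._in_script = [], "", False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs).get("src") or "")
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script_text += data

def decode_layers(text, max_rounds=3):
    """Undo percent-encoding and \\xNN / \\uNNNN escapes, a few layers deep."""
    for _ in range(max_rounds):
        decoded = JS_ESCAPE.sub(lambda m: chr(int(m[1] or m[2], 16)), unquote(text))
        if decoded == text:
            break
        text = decoded
    return text

def find_foreign_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (where, host, url) for each iframe whose host is not allowed."""
    page = FrameCollector()
    page.feed(html)
    page.close()
    candidates = [("markup", src) for src in page.frames]
    hidden = IFRAME_SRC.findall(decode_layers(page.script_text))
    candidates += [("script", src) for src in hidden]
    triples = ((where, urlparse(src).hostname, src) for where, src in candidates)
    return [t for t in triples if t[1] and t[1] not in allowed_hosts]

# Constructed sample page: two legitimate frames and one percent-encoded injection.
SAMPLE_PAGE = """<body><iframe src="/ads/banner.html"></iframe>
<iframe src="http://cdn.example.test/player"></iframe><script>document.write(unescape(
'%3Ciframe%20src%3D%22http%3A//injected.example.invalid/frame%22%20width%3D0%3E%3C/iframe%3E'));
</script></body>"""
print(find_foreign_iframes(SAMPLE_PAGE))
```

Relative `src` values have no host and are treated as same-site; a finding tagged `script` means the frame exists only inside encoded script text, which is the pattern worth alerting on.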



A very special thanks to Mr. Marco Cazzaniga for this heads up and for providing his continuous support to our team.


