VanMorrison.com Iframe

Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on "van morrison" (another termination office). He/She clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.

Manually looking at www.vanmorrison.com's source, I currently see an iframe loading 'http://iqsp.ru:8080/index.php'. Perhaps someone can remind me, aren't there sites like VirusTotal where you can send them a link and they'll tell you what's up? I haven't yet learned JavaScript deobfuscation, but that didn't look like good stuff was happening.

So I took a sacrificial lamb system (still dangerous, don't try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.

Bluecoat - detected the virus on the site. Blocked access to the entire site.
Scansafe - detected the virus on the site. Blocked access to the entire site.
Purewire - site loaded. Wanted me to install Flash (seemed legit, but I didn't do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control, but I did download the file. It was a PDF file.

VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead dead dead.

Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80.
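The two observations above, an injected iframe pulling content from an off-site host and that host listening on a non-standard port, are exactly what a page-source check can flag automatically. The script below is an added example written for this post, not code from GSO or GovernmentSecurity.org. It parses HTML with Python's standard library, collects every iframe, and reports the ones that point off-site, use a port other than 80/443, or are sized or styled to be invisible. The sample page and the host badhost.invalid are constructed for the example; the real injected URL from the post is not used as input.

```python
"""Flag suspicious <iframe> tags in a page's HTML source (added example).

Heuristics checked per iframe:
  * src host differs from the page's own host (off-site content)
  * src uses a non-standard port for its scheme (e.g. 8080 for http)
  * frame is hidden or near-zero-size (typical of injected frames)
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Default ports per scheme; anything else is reported as non-standard.
STANDARD_PORTS = {"http": 80, "https": 443}

# Constructed sample page: one legitimate same-site frame, one injected
# off-site frame on port 8080 sized 0x0. badhost.invalid is a placeholder.
SAMPLE_HTML = """
<html><body>
<h1>Fan site</h1>
<iframe src="http://www.vanmorrison.com/player.html" width="300" height="200"></iframe>
<iframe src="http://badhost.invalid:8080/index.php" width="0" height="0"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is sized to be invisible or hidden via CSS."""
    for key in ("width", "height"):
        size = attrs.get(key, "").strip().lower().rstrip("px")
        if size in ("0", "1", "2"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def analyze_iframes(html, page_host):
    """Return a list of findings: {'src': ..., 'reasons': [...]} per suspicious iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        reasons = []
        if parsed.hostname and parsed.hostname.lower() != page_host.lower():
            reasons.append("off-site host %s" % parsed.hostname)
        if parsed.port and parsed.port != STANDARD_PORTS.get(parsed.scheme):
            reasons.append("non-standard port %d" % parsed.port)
        if _is_hidden(attrs):
            reasons.append("hidden or near-zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_iframes(SAMPLE_HTML, "www.vanmorrison.com"):
        print(finding["src"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against saved page source rather than fetching the live site from a workstation; the port check is also a quick way to list the non-standard ports your proxy policy needs to cover, since a frame on 8080 only gets inspected if 8080 is actually being proxied.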

GSO
Written on Wednesday, 21 October 2009 08:55 by GSO
