The Latest in IT Security

Answers.com hit by BlackHole

15 May 2012

On the morning of May 12th, our malware outbreak sensors registered another BlackHole outbreak hitting one of the Top 200 Alexa-ranked domains: Answers.com. Its generated RSS feed resource was infected with the BlackHole exploit kit. The XML output file at the URL feeds.answers.com was prepended with obfuscated JavaScript. The malicious code looks like this:


The decrypted code creates a hidden IFRAME tag with a malicious reference in it:

At the time the infection was discovered, we registered a couple of malware-serving domains:

vjlnwoof.dhcp.biz: 146.185.255.191 hosted in Russian Federation

mvulhlky.tld.cc: 199.59.241.250 hosted in China

ring.t3.estrack.net: 220.77.243.249 hosted in South Korea

The malicious JavaScript is detected by the latest version of AVG as a variant of the Script/Exploit.Kit Trojan family. If recognized by AVG LinkScanner, it is reported as a BlackHole Type exploit.

While we were writing this article, our sensors reported another alert on the domain Staticyonkis.com. Its advertisement delivery is infected by the same BlackHole malware. The number of blocked intrusions from this domain reported by our clients is around 496.000 hits, and the number is still increasing. The VirusTotal detection ratio of this malware is rather low: 7/42.
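The tampering described above, script content prepended to an XML feed and a hidden IFRAME in the decoded output, can be checked for by a site operator monitoring their own feeds. The following is an added example, not code from the original article or from AVG; the function names, the sample feed bytes and the `malicious.example` host are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not captured from the incident).
CLEAN_FEED = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<rss version="2.0"><channel><title>t</title></channel></rss>')
TAMPERED_FEED = b'<script>/* obfuscated loader placeholder */</script>' + CLEAN_FEED
DECODED_MARKUP = ('<iframe src="http://malicious.example/" width="1" height="1" '
                  'style="visibility:hidden"></iframe>')

FEED_ROOTS = {"rss", "feed", "RDF"}          # RSS 2.0, Atom, RSS 1.0
XML_START = re.compile(r"<\?xml\b|<(?:rss|feed|rdf:RDF)\b")
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"'\s>]"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)

def check_feed(body: bytes) -> list:
    """Return findings for a feed response; an empty list means it looks intact."""
    findings = []
    text = body.decode("utf-8", errors="replace").lstrip("\ufeff \t\r\n")
    start = XML_START.search(text)
    if start is None:
        findings.append("no XML declaration or feed root element found")
    elif start.start() > 0:
        # Anything ahead of the XML start is foreign to a feed document.
        prefix = text[:start.start()]
        kind = "script" if re.search(r"<script\b", prefix, re.I) else "unknown"
        findings.append(f"{len(prefix)} chars of {kind} content before the XML start")
    try:
        # stdlib parser keeps the example self-contained; for untrusted
        # input in production, a hardened parser such as defusedxml is safer.
        root = ET.fromstring(body)
        if root.tag.rsplit("}", 1)[-1] not in FEED_ROOTS:
            findings.append(f"unexpected root element <{root.tag}>")
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings

def has_hidden_iframe(markup: str) -> bool:
    """True if markup contains an iframe sized 0/1 or hidden via CSS."""
    return HIDDEN_IFRAME.search(markup) is not None

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_FEED), ("tampered", TAMPERED_FEED)):
        print(name, check_feed(body))
    print("hidden iframe:", has_hidden_iframe(DECODED_MARKUP))
```
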

Jiri Kropac
