YAWI -- Mal/Badsrc-C

Filed Under: Malware, SophosLabs

On Friday, SophosLabs saw that the website of a major African Sunday newspaper was infected with Mal/Badsrc-C. We took steps to contact the site's owners and the site is thankfully now clean. So this morning the African diaspora, instead of being infected by various pieces of malware (Troj/Iframe-AU, Mal/JSShell-B, and Mal/TinyDL-T), can read news from home without fear of infection.

So why am I blogging about Yet Another Website Infected (YAWI)? Well, the graph that our automated systems generated as a result of this infection was interesting.

[Image: paper.jpg, the infection graph generated by our automated systems]

The first line of nodes on the graph consists of websites infected with Mal/Badsrc-C, including the African newspaper and an American university. The right-hand side of the graph will attempt to download and install Mal/TinyDL-T. My colleagues Fraser and Vanja will be discussing this part of the graph in their talk, on Thursday, at the Virus Bulletin Conference in Ottawa.

The part that interested me was the group of nodes on the left-hand side (highlighted in purple). All four of these purple nodes are, or lead to:

  • Pay-Per-Click (PPC) sites
  • Get Paid To (GPT) sites
  • Search Engine Optimisation (SEO) sites

This attack is an example of affiliate web-based malware, and I will be talking about it further, on Wednesday, at the Virus Bulletin Conference.

If you have any comments about this blog article or any other please email via sophosblog@sophos.com.
