How long has this been going on? Star's site infected

Filed Under: Malware, SophosLabs

Last night, Roger's Information Security Blog detailing the hacking of the legendary singer Van Morrison's website.

From the description of the hack I would have expected Sophos to have been detecting the site as Mal/Iframe-F. Naturally, I visited the site, in a secure manner, to see what I could see. Unfortunately, I didn't see an Iframe as described.

What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site (blacklisted for Sophos customers since Oct 7th). The WHOIS record that remote site strangely says:

Address : 56/2 Sun str.
City : Dallas
Province/State : beijing

This morning I wrote detection for the obfuscated script, as Troj/Iframe-DD.

After further digging on our systems we have seen multiple infections on this site:

How long has the site been infected? and how many infections will it have before the sites security is updated?

, ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s