Things are looking quite iffy for a large number of sites

SophosLabs are in the process of contacting one of the people hit by this latest burst of Troj/Iffy-B infections.

The reason that this one caught my eye was that on the same site was a copy of Exp/QTP-A.

First, let us look at the Troj/Iffy-B infections!


As with the previous flowcharts describing web attacks that we’ve included in this blog:

  • green arrow: iframe
  • red arrow: exploit
  • solid line: between different domains
  • dotted line: between files on the same domain

Ultimately, Troj/Iffy-B will attempt to download a Trojan, proactively detected as Mal/Behav-066, via iframes and exploits.
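The flowchart legend above separates iframe edges that stay on the hacked site (dotted) from those that jump to another domain (solid). As an added example, not code from the original post or from SophosLabs, the snippet below applies that same classification to the HTML of a compromised page: it lists every iframe, marks it as a same-domain (dotted) or cross-domain (solid) edge, and flags the ones that are both cross-domain and hidden, which is the pattern an administrator triaging an infected webserver wants to find first. The HTML, host names and paths are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a hacked landing page (not taken from the original post).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example-shop.test/news.html" width="600" height="400"></iframe>
<iframe src="http://evil-host.test/in.cgi?4" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/counter/stat.html" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def classify_iframes(html, page_url):
    """Return one record per iframe: src, target host, edge type, hidden flag."""
    page_host = urlparse(page_url).hostname
    edges = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        # A relative src stays on the hacked site, so it resolves to the page's host.
        host = urlparse(src).hostname or page_host
        # Same legend as the post's flowcharts: solid = other domain, dotted = same domain.
        edge = "solid" if host != page_host else "dotted"
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (attrs.get("width", "") in ("0", "1")
                  or attrs.get("height", "") in ("0", "1")
                  or "visibility:hidden" in style
                  or "display:none" in style)
        edges.append({"src": src, "host": host, "edge": edge, "hidden": hidden})
    return edges


def suspicious_iframes(html, page_url):
    """Cross-domain iframes that are also hidden are the ones to triage first."""
    return [e for e in classify_iframes(html, page_url)
            if e["edge"] == "solid" and e["hidden"]]


if __name__ == "__main__":
    page = "http://www.example-shop.test/index.html"
    for edge in classify_iframes(SAMPLE_HTML, page):
        print(edge)
    print("suspicious:", suspicious_iframes(SAMPLE_HTML, page))
```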

This brings me back to the occurrence of Exp/QTP-A on the initial hacked website. For many years now, the importance of keeping desktops up to date with the latest patches has been highlighted, but these regular infections of webservers show that it is just as important to ensure that all machines, including webservers, are monitored and maintained to the same standard.