Troj/Unif-B: A media friendly Trojan? Possibly…

In his post at the end of last week Dancho Danchev reported some of Possibility Media’s online publications serving up malware.

Doing a search through the SophosLabs data, we also see Possibility Media related infections. Below is a diagram illustrating one of the more complex attacks we have seen. (Note that over 3000 other compromised web pages are omitted from the diagram to maintain clarity.)

[Diagram: Possibility Media]

The Possibility Media site (detected as Troj/Unif-B) is highlighted in yellow at the center of the picture. As you can see, the complexity arises from the site linking to three different attack sites! When I checked the domain it appeared to be parked (although the placeholder page still contains the malicious script).

The websites of magazines owned by Possibility Media are all PHP-based and so it may be that hackers compromised the sites via some PHP vulnerability. The magazines all have contact details pointing to the ‘Tech Media Network’ whose contact details are a Possibility Media email address.

We are seeing a large number of other web sites compromised with Troj/Unif-B. Most of these sites are compromised to link to only one attack site:

[Diagram: Simpler Troj/Unif-B]

As with the previous diagram, a large number of web pages are not plotted for clarity. In this case, the total number of sites compromised in the attack is just over 1300.
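Both diagrams are summaries of the same kind of data: which compromised page carries an injected script pointing at which attack site. The script below is an added example, not SophosLabs code, showing how an analyst can build that link graph from detection records and pull out the two facts the diagrams highlight: compromised hosts that link to more than one attack site (the Possibility Media case) and the number of compromised hosts hanging off each attack site (the simpler case). All hostnames are constructed placeholders, not the sites discussed in the post.

```python
"""Summarise Troj/Unif-B style infections as a link graph.

Added example (not SophosLabs tooling). Input is a list of detection records,
each a (compromised page URL, injected script URL) pair. All hostnames below
are constructed placeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records: (compromised page, URL the injected script loads).
SAMPLE_RECORDS = [
    ("http://magazine-a.example/index.php", "http://attack-one.invalid/in.js"),
    ("http://magazine-a.example/index.php", "http://attack-two.invalid/x.js"),
    ("http://magazine-a.example/news.php", "http://attack-three.invalid/c.js"),
    ("http://blog-b.example/", "http://attack-one.invalid/in.js"),
    ("http://shop-c.example/cart.php", "http://attack-one.invalid/in.js"),
    ("http://forum-d.example/view.php", "http://attack-four.invalid/a.js"),
]


def host(url):
    """Reduce a URL to its hostname so pages on one site collapse to one node."""
    return urlparse(url).hostname


def build_graph(records):
    """Return two adjacency maps: victim host -> attack hosts, attack host -> victim hosts."""
    victims = defaultdict(set)
    attackers = defaultdict(set)
    for page, script in records:
        v, a = host(page), host(script)
        victims[v].add(a)
        attackers[a].add(v)
    return victims, attackers


def multi_link_victims(victims):
    """Compromised hosts whose pages point at more than one attack site."""
    return {v: sorted(a) for v, a in victims.items() if len(a) > 1}


def cluster_sizes(attackers):
    """Number of distinct compromised hosts feeding each attack site."""
    return {a: len(v) for a, v in attackers.items()}


def attack_clusters(victims, attackers):
    """Group attack sites that share at least one compromised host.

    Each group corresponds to one diagram: sites linked through a common
    victim belong together, isolated attack sites form their own group.
    """
    seen = set()
    clusters = []
    for start in attackers:
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            a = stack.pop()
            if a in seen:
                continue
            seen.add(a)
            group.add(a)
            # Walk attack -> victim -> other attack sites reachable via that victim.
            for v in attackers[a]:
                stack.extend(x for x in victims[v] if x not in seen)
        clusters.append(sorted(group))
    return clusters


if __name__ == "__main__":
    victims, attackers = build_graph(SAMPLE_RECORDS)
    print("hosts linking to several attack sites:", multi_link_victims(victims))
    print("compromised hosts per attack site:", cluster_sizes(attackers))
    print("attack clusters:", attack_clusters(victims, attackers))
```

Run against real telemetry, the `multi_link_victims` output is the list of sites that would need the more complex diagram, and `cluster_sizes` gives the "just over 1300" style count for each simpler cluster.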

At first glance you might think Possibility Media were specifically targeted in these attacks. However, when you look at the bigger picture (for example the sheer number of sites compromised to link to the attack sites in the first image) it is clear that the hackers are targeting more than just Possibility Media. They are targeting you, the web user.