The shift in how web sites have been compromised has been remarked on several times previously. Where hackers used to simply upload their tag for kudos, criminals now post malicious scripts and HTML in order to infect users browsing the site. Of course, occasionally the worlds collide, as was the case with an attack I came across this morning.
A couple of pages on a site offering MySpace layout templates were reported to us as infected with a script detected as Mal/Psyme-A. Closer examination of the pages show the host site to have been compromised, by someone known as
The Mal/Psyme-A script attempts to install another piece of malware (undetected initially, subsequently we have added as Mal/Bifrose-H) from a remote site.
The site from where Trojan is downloaded is another compromised site. Not compromised by
Dr.php – but his secretary!