The Doctor and his Secretary

The shift in how web sites have been compromised has been remarked on several times previously. Where hackers used to simply upload their tag for kudos, criminals now post malicious scripts and HTML in order to infect users browsing the site. Of course, occasionally the worlds collide, as was the case with an attack I came across this morning.

A couple of pages on a site offering MySpace layout templates were reported to us as infected with a script detected as Mal/Psyme-A. Closer examination of the pages shows the host site to have been compromised by someone known as Dr.php.

[Drphp tag]

The Mal/Psyme-A script attempts to install another piece of malware from a remote site (initially undetected; we have since added detection for it as Mal/Bifrose-H).

[Flowchart of attack]

The site from which the Trojan is downloaded is another compromised site. Not compromised by Dr.php – but by his secretary!

[Secretary tag]