If you have visited the website of anti-virus company Trend Micro this week there is a chance that your computer has been exposed to malware.
According to reports in the Japanese media, a number of webpages on the firm’s Japanese and English-language website were altered by hackers on Sunday 9 March, who injected a malicious iframe into the pages to deliver a Trojan horse onto visitors’ computers. Trend Micro is believed to have uncovered the problem on Wednesday 12 March and replaced affected pages with a message saying “This page is temporarily shut down for emergency maintenance”, as the following image from http://www.trendmicro.co.jp shows:
It has not yet been revealed how the webpages on the security website were altered by the hackers, although it is likely a software vulnerability on the site was exploited.
According to information posted on Trend Micro’s website, the following analysis pages in Trend’s Virus Info section were compromised: ADW_BRUNME.A, ADW_ZANGO.A, ADWARE_ADBLASTER, ADWARE_EXACTADVERTISING, ADWARE_EZULA.ILOOKUP, TSPY_AGENT.HS, TSPY_ANICMOO, TSPY_GOLDUN.GEN, TSPY_HUPIGON.ZY, TSPY_Lmir, TSPY_Tiny, ADWARE_BHO_WEBDIR, ADWARE_BHO_WSTART, HKTL_MDBEXP.A, POSSIBLE_OTORUN3, SPYWARE_TRAK_RADMIN, TROJ_ARTIEF-1, TROJ_CLAGGER.D, TSPY_BANKER-2.002, TSPY_BANKRYPT.N, TSPY_GAMANIA.CI, TSPY_GOLDUN.GEN, TSPY_LINEAGE, TSPY_ONLINEG.DAU, TSPY_ONLINEG.OAX, TSPY_QQPASS, TSPY_SDBOT.BTI, W97M_DLOADER.BKV, WORM_IRCBOT.JK, WORM_NYXEM.E and WORM_SOBER.AG.
Sophos detects the malicious software associated with the attack as Mal/Iframe-F, Troj/Drop-I, and the Troj/Portles-E backdoor Trojan horse. Analysts have discovered thousands of other webpages (detected as Troj/Badsrc-A) on other websites that have been infected in the same way.
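The injected-iframe technique described above leaves a recognisable footprint in the page source: an iframe pointing at a host the site does not normally load from, sized to zero or one pixel, or hidden with inline CSS so the visitor never sees it. The following scanner is an added example written for this article (it is not Sophos, Trend Micro or Mal/Iframe-F detection code) that a webmaster could run over their own pages as a first check. It assumes a stand-in hostname `PAGE_HOST` for the site being checked, and the HTML it scans is a constructed sample, not a copy of the compromised Trend Micro pages.

```python
"""Flag iframes that look like drive-by injections in a saved HTML page.

Added example, not code from Sophos or Trend Micro. Heuristics:
  - hidden by inline style or sized <= 1px  -> "suspicious"
  - visible but loading from a foreign host -> "review" (legitimate embeds
    look like this too, so it is only a prompt to look, not a verdict)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the host the scanned page is served from (stand-in value).
PAGE_HOST = "www.example.com"

# Inline-style tricks used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Turn a width/height attribute ('0', '1px', '100%') into an int, else None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def scan_iframes(html, page_host=PAGE_HOST):
    """Return one finding per iframe that trips a heuristic.

    Each finding is {"src": ..., "verdict": "suspicious"|"review", "reasons": [...]}.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        hidden = False

        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append(f"loads content from foreign host {host}")

        sizes = [d for d in (_dimension(attrs.get("width")),
                             _dimension(attrs.get("height"))) if d is not None]
        if sizes and min(sizes) <= 1:
            hidden = True
            reasons.append(f"near-zero size {'x'.join(str(s) for s in sizes)}")

        if HIDDEN_STYLE.search(attrs.get("style", "")):
            hidden = True
            reasons.append("hidden by inline style")

        if reasons:
            findings.append({
                "src": src,
                "verdict": "suspicious" if hidden else "review",
                "reasons": reasons,
            })
    return findings


# Constructed sample page: one normal same-site embed, one visible third-party
# embed, and two injected frames of the kind described in the article.
SAMPLE_PAGE = """<html><body>
<h1>Threat analysis</h1>
<iframe src="https://www.example.com/player/embed" width="480" height="360"></iframe>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://203.0.113.9/count.php" style="display:none"></iframe></div>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_iframes(SAMPLE_PAGE):
        print(finding["verdict"], finding["src"], "; ".join(finding["reasons"]))
```

Treat this as triage rather than proof of a clean site: injected loaders of this era were frequently obfuscated JavaScript that wrote the iframe with `document.write`, which a static tag scan will not see until the script is decoded, and the scan says nothing about the web-application hole that let the page be modified in the first place. File-integrity monitoring on the document root, and fixing the vulnerability that allowed the write, are what actually stop a repeat.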
In a nutshell – what has happened here is a criminal act, and our friends at Trend Micro (and people visiting the hacked pages) are victims of the crime. Sadly it’s not an uncommon crime these days – and all kinds of businesses have suffered.
This isn’t the time or place to make cheap shots against a competitor. The good news is that Trend Micro took the affected webpages down as soon as they discovered there was a problem, and the problem no longer appears to exist.
All other companies with a web presence should take this unfortunate incident as an opportunity to check that their own websites are properly secured (see our recently published technical paper on the subject), and ensure that they have web-filtering solutions – like the WS1000 Web Appliance – in place.
Sophos discovers a new infected webpage every 14 seconds. In the past we’ve found websites as varied as wedding photographers, antiques firms, Pilates classes, ice cream manufacturers and even the US Consulate General in St Petersburg that have been the unfortunate victims of a malicious web attack. It seems we now have to add anti-virus companies to that list.
PS. Trend Micro aren’t the first example of a security company’s website being hacked. For instance, in 1999 hackers changed the home page of Symantec – although in that instance the motivation was apparently to cause mischief rather than to spread malware.