Italian law firm knowingly serves up infected web pages

Filed Under: Malware, SophosLabs

If you got a call from a legitimate security source informing you that your website was infected, would you take action?

I certainly would, which is why I am rather frustrated when we take time to reach out to an organisation about a web infection, and they deliberately choose to do nothing about it.

Case in point: In January, Sophos contacted a Milan-based law firm, specialists in Intellectual Property, to inform them that its site was infected with Mal/Iframe-Gen.

Image of code
Turns out that they have not acted on the information we provided. In fact, if you look below, it looks like they haven't updated their site since November last year. We contacted the firm again yesterday, and they are simply uninterested in dealing with the infection on their website.

pob@LinuxRed:~/nv$ wget -S
--2011-03-23 15:50:21--
Resolving NN.NNN.NN.NN
Connecting to|NN.NN.NN.NN|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 27 Nov 2010 05:21:35 GMT
Accept-Ranges: bytes
ETag: "c024c3f5f28dcb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 23 Mar 2011 15:50:20 GMT
Connection: keep-alive
Content-Length: 6172
Length: 6172 (6.0K) [text/html]
Saving to: `index.html'

100%[======================================>] 6,172 --.-K/s in 0.09s

2011-03-23 15:50:21 (70.1 KB/s) - `index.html' saved [6172/6172]

Sophos detects the page as:

>>> Virus 'Mal/Iframe-Gen' found in file index.html

Most, though not all, Mal/Iframe-Gen infections are due to SQL injection. Anyone wanting to find out more about web server security should consult this paper written by my colleague Fraser.
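Two of the checks the post makes by hand can be scripted. The `wget -S` output above shows a Last-Modified header months in the past, and the detection name tells us the page body carries an injected iframe. The script below is an added example, not code from the original post or from Sophos' detection engine: it parses a header block in the shape `wget -S` prints, reports how stale the page is, and then scans the HTML for iframes that are tiny, hidden via CSS, or appended after the closing html tag, which are the traits a generic iframe heuristic looks for. The sample page and header block are constructed for the example, and the heuristics are an illustration, not the Mal/Iframe-Gen signature itself.

```python
"""Staleness check on Last-Modified plus a heuristic scan for injected iframes.

Added example. SAMPLE_HTML and SAMPLE_HEADERS are constructed stand-ins, not
content from the infected site in the post, and the iframe heuristics below
are illustrative rather than Sophos' Mal/Iframe-Gen detection logic.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser

# Constructed index.html: one legitimate embed, plus a 1x1 hidden iframe
# appended after </html>, a common place for injected content to land.
SAMPLE_HTML = """<html><head><title>Studio Legale</title></head>
<body><h1>Studio Legale</h1>
<iframe src="/video/player.html" width="640" height="480"></iframe>
</body></html>
<iframe src="http://invalid.example/count.php" width="1" height="1"
 style="visibility:hidden;position:absolute;left:-1000px"></iframe>"""

# Constructed response headers in the layout `wget -S` prints them.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 27 Nov 2010 05:21:35 GMT
Server: Microsoft-IIS/7.0
Content-Length: 6172"""

# The Date header from the post's wget run, used as "now" for the staleness check.
REPORT_TIME = datetime(2011, 3, 23, 15, 50, 20, tzinfo=timezone.utc)

HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none|left\s*:\s*-\d+", re.I)


def last_modified(headers):
    """Return the Last-Modified header as an aware datetime, or None if absent."""
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "last-modified":
            return parsedate_to_datetime(value.strip())
    return None


def days_stale(headers, now):
    """Whole days between Last-Modified and `now`; None when the header is missing."""
    stamp = last_modified(headers)
    return None if stamp is None else (now - stamp).days


class IframeCollector(HTMLParser):
    """Record every <iframe> with its attributes and whether </html> was already seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({"attrs": dict(attrs), "after_html": self.html_closed})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def _tiny(value):
    """True when a width/height attribute is one pixel or less."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except (TypeError, ValueError):
        return False


def suspicious_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for iframes matching any hiding trait."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for frame in parser.iframes:
        attrs = frame["attrs"]
        reasons = []
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("1x1 or smaller")
        if HIDDEN_CSS.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if frame["after_html"]:
            reasons.append("placed after </html>")
        if reasons:
            findings.append({"src": attrs.get("src") or "", "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(f"Page last modified {days_stale(SAMPLE_HEADERS, REPORT_TIME)} days before the check")
    for hit in suspicious_iframes(SAMPLE_HTML):
        print(f"suspicious iframe -> {hit['src']}: {', '.join(hit['reasons'])}")
```

Against the constructed sample the legitimate 640x480 player is left alone and the appended 1x1 frame is reported on all three counts; on a real fetch you would feed the script the saved index.html and the `-S` header output, and treat a stale Last-Modified together with any finding as a reason to pull the page and look for the injection point.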

Advice to website owners: there are people out there like us who want to let you know when something is amiss. The communication method needs to be easy and straightforward. Please provide contact details on your sites to a webmaster or web administrator.

Oh, and when you are informed by a security company that you are infected, look into it and fix it quickly. Should you choose to ignore it, you are knowingly serving up infected pages to the public. That is perhaps not illegal in some parts of the world, but it probably should be.


3 Responses to Italian law firm knowingly serves up infected web pages

  1. Blaine · 1622 days ago

    We had an employee get infected from the website. We tried, but couldn't tell if the site itself was poisoned, or if it had a poisoned advertisement. Regardless, we blocked the site. There was some push-back, but the safety of the network is more important than access to an infected media website.

  2. Hello,

    Here in Switzerland the national domain name registrar is testing .ch and .li domains for malicious code (drive-by infectious code only). If malware has been found, the holder of the domain is contacted and able to eliminate the problem. If not, it is allowed by law to discontinue the domain[1].

    If this approach is handled carefully and monitored properly, it's quite effective at preventing scenarios like the one you have described here.

  3. Dan · 1619 days ago

    Welcome to the wonderful world of Italian lawyers... you're lucky they didn't threaten to sue you.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos for pastures new and will be writing as an independent malware researcher. Paul has published several papers, presented at several Virus Bulletin conferences, and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.