Nu.nl Website Contracts Trojan Sinowal

Dutch web surfers recently became targets of a hijacked website, reportedly the widely visited Dutch news site nu.nl. After compromising the website, the attackers altered it to install a malicious iFrame, which caused visitors' computers to become infected with Sinowal, the Trojan from Russia, noted Trend Micro.

Investigator Feike Hacquebord of Trend Micro blogged that cyber-criminals exploited a security flaw in the news website's content management system, which let them inject the gs.js and g.js scripts into a sub-domain of nu.nl. Trendmicro.com published this on March 20, 2012.

Designed for a particular task, the scripts checked for vulnerabilities in Adobe Reader, the Flash plug-in and the web browser. If any attack code was noticed, the C&C (command-and-control) server dispatched Sinowal, which is constantly kept up to date and attempts to steal users' bank information. To persist on a PC, Sinowal resides in its Master Boot Sector and gets loaded whenever the system restarts.

According to the investigation, the scripts, which Trend Micro identified as JS_IFRAME.HBA, were heavily obfuscated. When run, they took users to yet another script, which downloaded different exploits.

These exploits, identified as JS_BLACOLE.HBA, were in fact the Nuclear Pack toolkit of attack codes. When run, it looked for vulnerable software on the infected computer and then downloaded a suitable attack code.

Meanwhile, it isn't clear how the cyber-criminals managed to place the JavaScript on Nu.nl's server. Nu.nl, when offline, acted as a criminal JavaScript exploit.

Once an exploit worked, it produced the TROJ_SMOKE.JH installer, which in turn produced the Sinowal sample TROJ_SINOWAL.SMF. This Sinowal sample came to Trend Micro's notice during the infection, the company said.

Additionally, TROJ_SINOWAL.SMF downloaded another component, which infected the target system's MBR.

Encouragingly, Nu.nl reports that the Trojan is no longer on the website. Moreover, editors and managers have been given fresh login details, and the existing material has been examined for any other possible malware.

Meanwhile, the news-site hijacking infected a few visitors with Sinowal. End-users are therefore advised to check their computers for possible malware and to follow the removal guidelines available online.

» SPAMfighter News - 29-03-2012