Nu.nl Website Contracts Trojan Sinowal

Dutch Web-surfers lately became targets of a one hijacked website, which reportedly was the widely-visited news site, nu.nl of Holland. Actually, after compromising the website, the same was recreated for installing one malevolent iFrame, which caused visitors' computers becoming contaminated with Sinowal, the Trojan from Russia, noted Trend Micro.

Investigator Feike Hacquebord of Trend Micro blogged that cyber-criminals exploited a security flaw within the 'Content Management Systems' of the news website letting them to inject the gs.js and g.js scripts inside the sub-domain of nu.nl. Trendmicro.com published this dated March 20, 2012.

Designed for a particular task, the scripts examined vulnerability within Adobe Reader; the Flash plug-in; as also the Web-browser. Incase any attack code was noticed the C&C (command-and-control) server dispatched the Sinowal that's constantly made up-to-date while attempting at filching users' bank information. To thrive on a PC, Sinowal remains within its Master Boot Sector, while gets loaded whenever the system restarts.

Unfortunately as per investigation, the scripts, which Trend Micro identified as JS_IFRAME.HBA, were found as extremely obfuscated which on running took users onto still one more script, which downloaded different exploits.

These exploits identified as JS_BLACOLE.HBA, actually, was the Nuclear Pack toolkit for attack codes. On running, it looked for vulnerable software on the infected computer followed with downloading a suitable attack code.

Meanwhile, it isn't clear about the way the cyber-criminals managed in positioning the JavaScript onto Nu.nl's server. Nu.nl, when offline, acted as a criminal JavaScript exploit.

Now, an exploit working effectively, produced the TROJ_SMOKE.JH installer that in turn produced the Sinowal sample TROJ_SINOWAL.SMF. During the contamination, this Sinowal sample came under Trend Micro's notice, the company said.

Additionally, TROJ_SINOWAL.SMF further pulled down another item which contaminated the target system's MBR.

Encouragingly, Nu.nl posts that the Trojan no longer exists on the website. Moreover, editors and managers have been provided fresh login details. And, examination of the existing material has been done for any other possible malware.

Meanwhile, the news-site hijacking infected a few visitors with Sinowal. Hence, it's advisable that end-users see for probable malware on their computers as also follow the required eradication guidelines obtainable online.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 3/29/2012