Adobe's Serious Magic site SQL Injected by Asprox botnet
"The infection, which resides at hxxp://www.seriousmagic.com/help/tuts/tutorials.cfm?p=1, instructs users' browsers to silently install a malicious file from a series of domains known to host attack sites. Adobe announced its acquisition of Serious Magic two years ago and whois records indicate the company is the owner of the seriousmagic.com domain.
According to this post from anti-virus provider Sophos, Adobe was notified of the infected page on Friday. The Register visited the link (using a virtual machine, of course) on Thursday and found it was still trying to redirect users to a series of nefarious sites including hxxp://abc.verynx.cn/ w.js and hxxp://1.verynx.cn/w.js. While those links no longer appeared to be active, two other sites used in the attack, hxxp://jjmaobuduo.3322.org/csrss/ w.js and hxxp://www2.s800qn.cn/csrss/ new.htm, were still active at the time of writing."
With the Asprox botnet having already appeared at the sites of Redmond magazine and Sony PlayStation in May and June respectively, seriousmagic.com is once again one of the several hundred sites injected with the same malicious domains. Let's take a peek at this malware campaign and see where it ends.
www2.s800qn.cn /csrss/ new.htm
www2.s800qn.cn /csrss/ flash.htm
www2.s800qn.cn /csrss/ i1.htm
www2.s800qn.cn /csrss/ f2.htm
www2.s800qn.cn /csrss/ i1.html
www2.s800qn.cn /csrss/ flash112.htm
www2.s800qn.cn /csrss/ ff.htm
www2.s800qn.cn /csrss/ xl.htm
www2.s800qn.cn /csrss/ mi.htm
www2.s800qn.cn /csrss/ real10.htm
www2.s800qn.cn /csrss/ real11.htm
bbexe.com /csrss/ rondll32.exe
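As an added illustration (not part of the original post, and not tooling from Adobe, Sophos or The Register), here is a small check a site operator could run over a page's HTML to spot references to the hosts listed above. It assumes the injection shows up as an external load (a script, iframe, frame, embed or object tag) pointing at one of those hosts, which is how the reported w.js files would be pulled into a victim's browser; the sample page below is constructed, and nothing in the code contacts any of the hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts taken from the indicators quoted and listed in the post.
# This is a lookup list only; the script never connects to them.
KNOWN_BAD_HOSTS = {
    "abc.verynx.cn",
    "1.verynx.cn",
    "jjmaobuduo.3322.org",
    "www2.s800qn.cn",
    "bbexe.com",
}


class RemoteResourceCollector(HTMLParser):
    """Collects every external resource a page would load automatically:
    script/iframe/frame/embed src attributes and object data attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe", "frame", "embed") and attrs.get("src"):
            self.refs.append((tag, attrs["src"]))
        elif tag == "object" and attrs.get("data"):
            self.refs.append((tag, attrs["data"]))


def host_of(url):
    """Return the lower-cased host of an absolute or protocol-relative URL,
    or "" for a relative path (same-origin, so not an external load)."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") or url.startswith("//"):
        return (parsed.hostname or "").lower()
    return ""


def find_injected_refs(html, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (tag, url) pairs whose host is, or is a subdomain of,
    one of the listed hosts."""
    collector = RemoteResourceCollector()
    collector.feed(html)
    hits = []
    for tag, url in collector.refs:
        host = host_of(url)
        if host and any(host == bad or host.endswith("." + bad) for bad in bad_hosts):
            hits.append((tag, url))
    return hits


# Constructed sample: a normal page with one injected script tag appended
# to a content field, which is what the injected tutorials page would look like.
SAMPLE_PAGE = """<html><body>
<h1>Tutorials</h1>
<script src="/static/site.js"></script>
<p>Some tutorial text</p><script src="http://abc.verynx.cn/w.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_injected_refs(SAMPLE_PAGE):
        print(f"suspicious <{tag}> load: {url}")
```

Because the check keys on the host rather than the full URL, it also catches the other file names under /csrss/ listed above and any subdomain of the listed hosts; run it against a site's served pages (or its database content, where the injected markup actually lives) rather than only against the home page.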
Despite Adobe's delayed response, and although the malicious domains are still active, Adobe appears to have resolved the issue by redirecting all traffic from seriousmagic.com to the clean adobe.com.