Israeli Institute for National Security Studies compromised, serving Poison Ivy DIY malware

According to security researchers from Websense, the web site of the Israeli Institute for National Security Studies (INSS) has been compromised, and is currently serving client-side exploits and malware to its visitors.

Upon visiting its web site, users are exposed to malicious iFrame redirects, ultimately serving the client-side exploit from the following IP - 194.183.224.73.

The campaign ultimately exploits the well-known Java vulnerability CVE-2012-0507, in an attempt to serve a copy of the Poison Ivy RAT (remote access tool).

Detection rate:

svchost.exe

MD5: 52aa791a524b61b129344f10b4712f52

Detected by 29 out of 42 antivirus vendors as Backdoor.Win32.Poison.dizt.

Upon execution, the sample connects to a Dynamic DNS command and control address at: ids.ns01.us

Websense has notified the affected web site, but so far hasn't heard back from its webmaster. According to the company, the attack appears to be an isolated incident, and not part of a massive client-side exploit-serving campaign currently circulating in the wild.
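For defenders who want to check whether their own hosts touched this chain, the following added example (not from the article or from Websense) triages hosts by the indicators reported above: a host that only reached the exploit IP was exposed, while one that also resolved the command and control name or holds the payload hash is likely infected. The four-field log format, host names and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Indicators as reported in the article.
EXPLOIT_IP = "194.183.224.73"
C2_DOMAIN = "ids.ns01.us"
PAYLOAD_MD5 = "52aa791a524b61b129344f10b4712f52"

# Constructed sample events (not real telemetry): time, host, source, value.
SAMPLE_EVENTS = """\
2012-06-01T09:12:01 ws-014 proxy 194.183.224.73
2012-06-01T09:12:09 ws-014 dns IDS.NS01.US.
2012-06-01T09:12:40 ws-014 hash 52AA791A524B61B129344F10B4712F52
2012-06-01T10:03:17 ws-022 proxy 194.183.224.73
2012-06-01T10:05:00 ws-031 dns ns01.us
2012-06-01T11:20:45 ws-040 dns ids.ns01.us
"""

def classify(source, value):
    """Map one event to an indicator kind, or None if it matches nothing."""
    v = value.strip().lower().rstrip(".")  # fold case, drop DNS root dot
    if source == "proxy" and v == EXPLOIT_IP:
        return "exploit_ip"
    # Match the C2 name and its subdomains only: the parent is a shared
    # Dynamic DNS zone, so matching on it would flag unrelated lookups.
    if source == "dns" and (v == C2_DOMAIN or v.endswith("." + C2_DOMAIN)):
        return "c2_dns"
    if source == "hash" and v == PAYLOAD_MD5:
        return "payload_hash"
    return None

def triage(log_text):
    """Return {host: verdict} for every host with at least one indicator hit."""
    first_seen = defaultdict(dict)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        ts, host, source, value = parts
        kind = classify(source, value)
        if kind:
            when = datetime.fromisoformat(ts)
            first_seen[host][kind] = min(when, first_seen[host].get(kind, when))
    # C2 lookup or payload on disk means the exploit succeeded on that host.
    return {host: ("likely infected" if {"c2_dns", "payload_hash"} & seen.keys()
                   else "exposed")
            for host, seen in first_seen.items()}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

A host such as the constructed ws-040, which resolved the C2 name without a logged visit to the exploit IP, is still reported as likely infected, since proxy coverage may be incomplete.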