Virus encyclopaedia infects visitors with malware

Security vendor Trend Micro's UK and Japanese Web sites were hacked last week; attackers managed to inject malicious iFrames into their "virus encyclopaedia" pages.
Written by Tom Espiner, Contributor

Security vendor Trend Micro's UK and Japanese Web sites were hacked last week; attackers managed to inject malicious iFrames into their "virus encyclopaedia" pages.

Trend Micro's chief technology officer for Internet content security, Dave Rand, told ZDNet.com.au sister site ZDNet.co.uk on Friday that the company was investigating the attack.

"It was an iFrame-injection attack, which redirected users to a malicious site," said Rand. "We're still in the process of working on the details of how, why and what."

Security vendor Sophos said in a blog post that users stood a chance of being infected with a Trojan downloader, although Trend Micro could not confirm that claim, as the incident was still under investigation.

However, according to Rand, this incident was part of a wider attack on Web sites around the world that was reported by security vendor McAfee on Thursday. Rand said that 165,000 Web sites "and counting" had been affected.

On Wednesday morning, McAfee Avert Labs detected over 10,000 Web pages rigged to hijack Web surfers' PCs. The Web pages had been modified with code redirecting visitors to another site "laden with a malware cocktail" that attempted to break into the users' PCs, according to McAfee.

"The redirect and the attempted break-ins all happen unbeknownst to the Web surfer," said a McAfee spokesperson.

Compromised pages were detected on the Web sites of bodies including travel, government and hobbyist organisations. McAfee said that the Web pages were probably reprogrammed in an automated attack that included scanning the Internet for unsecured servers, and then planting a piece of JavaScript code redirecting users to a site in China that served up the malware.

"The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC," said McAfee.

The blend of malware included a backdoor that allows installation of additional malicious programs and a keylogger for stealing online-gaming passwords.

"Cybercrooks have increasingly been targeting online gamers as items in virtual worlds, and characters in games have now got monetary value in the physical world," said McAfee.

Trend Micro's Rand said the attack on his company showed that "it's not possible to 100 percent secure any Web site today". Rand said it was likely that the incident had happened due to Trend allowing dynamically updated content to be executed on its site.

"This is indicative of the Web 2.0 phenomenon of allowing dynamically updated content on Web sites," said Rand. "In the act of doing multiple [search] queries, you can ask for certain information to be represented. Static sites don't allow search. As soon as you allow users to customise content, something bad can happen, as, essentially, you're allowing them to run code on the site."

Rand said that Trend Micro's site security was based on a mixture of using its own expertise and other security vendors' technologies. Rand added that none of Trend Micro's customers would have been affected by visiting the company's sites, as the vendor detects iFrame attacks.

Editorial standards