6/15/2009 4:15:00 PM

Turkish governmental websites under attack

by Bahaa Naamneh

Several Turkish governmental websites have come under web attack. The following websites have been compromised, and obfuscated JavaScript and IFrame tags have been injected into them:

http://[hidden]isar.meb.gov.tr
http://[hidden]ele.meb.gov.tr
http://[hidden]kale.meb.gov.tr
http://[hidden]lu-gsim.gov.tr
http://[hidden]zigrsh.gov.tr

Each of the IFrame tags leads to a different malicious domain, which ends up downloading a variety of Trojans, including infostealers and botnet Trojans.

One of the IFrames leads to a rather interesting malicious script with a 0 detection rate on VirusTotal (we have already added a signature for this script, and it will be available in the next update).

The obfuscated script makes heavy use of HTML tags in its obfuscation routine: the data needed by the de-obfuscating JavaScript routine is stored inside HTML tags.

The script then downloads a Trojan Downloader which, once run, downloads a second Trojan that steals FTP accounts. The latter searches the file system and the registry for saved accounts from multiple FTP clients and sends them to a Chinese domain:
http://f97q.cn/r4/t1.php
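
For site owners checking their own pages, the two traits described above (injected IFrames, and a script that pulls its data out of HTML tags before executing it) can be screened for with a simple heuristic. This is an added example, not the signature mentioned in the post; the patterns, the `scan` function and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumptions for this example, not the vendor's signature).
DOM_READ = re.compile(r"getElementById|getElementsByTagName|innerHTML|getAttribute")
DYN_EXEC = re.compile(r"\beval\s*\(|document\.write\s*\(|\bFunction\s*\(")

def _hidden(attrs):
    """True when an iframe is sized or styled so the visitor cannot see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero = any((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return zero or "display:none" in style or "visibility:hidden" in style

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._script = [], False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and _hidden(a) and re.match(r"(?i)(https?:)?//", a.get("src") or ""):
            self.findings.append(("hidden-remote-iframe", a["src"]))
        elif tag == "script" and not a.get("src"):
            self._in_script, self._script = True, []
    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            # Inline script that reads markup and feeds it to dynamic execution.
            if DOM_READ.search(body) and DYN_EXEC.search(body):
                self.findings.append(("dom-fed-dynamic-exec", body.strip()[:60]))

def scan(html):
    """Return a list of (finding_kind, detail) tuples for one HTML document."""
    s = InjectionScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed samples: inert markup with placeholder names, no real payload.
CLEAN = '<p id="a">hi</p><script>document.getElementById("a").title="x";</script>'
INJECTED = ('<div id="d1" style="display:none">6a6b</div>'
            '<iframe src="http://malicious.example/x" width="0" height="0"></iframe>'
            '<script>var s=document.getElementById("d1").innerHTML;eval(decode(s));</script>')
if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, scan(page))
```

Legitimate pages can match either rule, so a hit is a prompt to compare the page against a known-good copy rather than proof of compromise.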



Tags:

Malweb


