Full Disclosure mailing list archives
Re: More High Profile Sites IFRAME Injected
From: "worried security" <worriedsecurity () googlemail com>
Date: Sat, 15 Mar 2008 08:44:29 +0000
On Wed, Mar 12, 2008 at 2:51 PM, Dancho Danchev <dancho.danchev () gmail com> wrote:

> The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info, where a new malware variant of Zlob is attempting to install through an ActiveX object.
>
> Sample domains targeted within the past 48 hours: lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu; www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com; boisestate.edu; aoa.gov; gustavus.edu; archive.org; gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org; mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil
>
> http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
>
> Regards
> --
> Dancho Danchev
> Cyber Threats Analyst/Blogger
> http://ddanchev.blogspot.com
> http://windowsecurity.com/Dancho_Danchev
i call government involvement...

<worried> if you are a government who wants an attack highly known about, do you A) attack some random blog, or B) attack a high profile news website?
<worried> if you are a gov who wants an attack highly known about, written about by the biggest technology sites, and investigated by everybody who's interested in security
<worried> an unknown blog or a high profile news website
<worried> a normal hacker would not do what's been done
<worried> just to get some gay passwords
<worried> this is the gov with a political agenda
<worried> they're not normal hackers, they are state sponsored or are the actual US gov
<worried> normal hackers who want passwords do not hack cnet asia, they want their attack to be unfound as long as possible
<worried> a normal hacker would not do what's been done
<worried> just to get some gay passwords for world of warcraft
<worried> why would a normal hacker who just wants a few gaming passwords hack a news site?
<worried> i would not want the media's attention or the global security research community knowing what i was doing, i would at all costs do everything possible to make sure news websites like cnet did not get infected
<cryptowave> i've just spent the last several hours doing malware analysis that links back to china
<worried> americans would make an attack link back to china
<cryptowave> well, they are pretty convincing when everything points back to china
<cryptowave> domains registered there, ip located there, code with chinese
<cryptowave> and they used chinese dollars to register the domains?
<cryptowave> and used chinese email addresses too
<worried> yes, all bases would be covered
<worried> proper gov hackers know people like you are going to check details like that
<worried> they put it on a high profile technology news website to make sure the attack was covered by internet news, and the thing they wanted the security experts to find is the chinese connection
<cryptowave> you don't need to write your code in chinese, register your domains via chinese registrars, use a chinese email address, etc
<worried> western government hackers or western state sponsored hackers would go that far to convince everyone.
<cryptowave> worried: you're jumping to conclusions ;)
<worried> whoever is behind this wanted the attack to be known about and investigated, with the core objective that the blame is on china
<worried> and funnily enough the western gov world has a political agenda on that very topic right now, coincidence?
<worried> the fact cnet asia, trend micro was hacked makes me highly suspicious of government involvement, normal hackers who just want a few gay gaming passwords, they would be the last people they would hack.
<worried> this is political, this is done by the government to further bring public notice about chinese hackers as a pretext to ramp up the need for cyber commands, convince the whitehouse about offensive cyber security funding etc etc and the joe average middle american who doesn't know anything about the internet.

These are my conspiracy theories, goodbye Dancho. What I say is probably bullshit, but you've got to wonder why the high profile sites, especially the biggest technology journalist site and anti-virus site, were hacked. Why would a normal hacker do this for gay passwords? All the benefits and rewards from this would be a government wanting an attack investigated that links back to China, our supposed number one cyber enemy, according to western super powers.

They hacked CNET Asia to make sure the Asian news were covering the attack as well, to make sure the eventual finding of the China link was known by the public in Asia as well. There is more to this than meets the eye of just normal hackers trying to get passwords, because of the type of the first websites which were hacked. A government here is wanting maximum publicity; that's not something small-time hackers trying to get World of Warcraft passwords want. There is a political game going on here that I don't understand. This isn't just a case of teeny boppers wanting passwords, something else is afoot.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
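The injection Dancho's post describes (an IFRAME added to a legitimate page, pointing at one of many bogus .info redirection domains) is something a site owner can check a captured page for. The following is an added example, not code from the post, from Dancho's blog, or from this reply. It assumes two things the post does not state: that injected frames are hidden (zero-size, display:none or visibility:hidden, or inside a hidden parent), and that the scanner knows the page's own hostname so off-site frames can be told apart from same-site ones. The sample page, its hostname and the bogus-redirector hostnames are constructed for illustration; only the .info pattern comes from the thread.

```python
"""Flag injected IFRAMEs in a captured HTML page (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element (and any frame inside it) invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)
# Elements with no closing tag; they must not linger on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "wbr"}


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and whether an ancestor hides it."""

    def __init__(self):
        super().__init__()
        self.iframes = []   # list of (attrs, hidden_by_ancestor)
        self._open = []     # stack of (tag, hidden) for currently open elements

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append((a, any(hidden for _, hidden in self._open)))
        if tag not in VOID_TAGS:
            self._open.append((tag, bool(HIDDEN_STYLE.search(a.get("style", "")))))

    def handle_endtag(self, tag):
        tag = tag.lower()
        # Pop back to the matching open tag, tolerating sloppy nesting in real pages.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def _px(value):
    """Leading integer of a width/height attribute ('0', '0px', '600'), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs, hidden_by_ancestor=False):
    """True if the user would not see the frame: hidden parent, 0/1 px size, or hidden style."""
    if hidden_by_ancestor:
        return True
    for key in ("width", "height"):
        px = _px(attrs.get(key))
        if px is not None and px <= 1:
            return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def find_suspicious_iframes(html, page_host, suspicious_tlds=(".info",)):
    """Return off-site IFRAMEs that are hidden and/or point at a watched TLD."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = page_host.lower()
    findings = []
    for attrs, by_ancestor in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative src: same origin, not the injection shape described
        if host == page_host or host.endswith("." + page_host):
            continue  # same site, subdomains included
        reasons = []
        if is_hidden(attrs, by_ancestor):
            reasons.append("hidden")
        if host.endswith(suspicious_tlds):
            reasons.append("suspicious-tld")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page (not a real capture): one legitimate same-site frame,
# one visible partner frame, and two injected frames pointing at bogus .info hosts.
PAGE_HOST = "lib.example.edu"
SAMPLE_HTML = """<html><head><title>Library catalogue</title></head><body>
<p>Search the catalogue below.</p>
<iframe src="/catalogue/search.html" width="600" height="400"></iframe>
<iframe src="https://partner.example.org/widget" width="300" height="250"></iframe>
<iframe src="http://bogus-redirector-1.info/" width=0 height=0 style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://bogus-redirector-2.info/"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, PAGE_HOST):
        print(f"{f['host']:30} {','.join(f['reasons']):22} {f['src']}")
```

The TLD check on its own is a weak signal (plenty of legitimate .info sites exist), so the scanner reports it only as one reason alongside hidden-ness rather than as a verdict; the post's point is that the campaign rotated through over a hundred bogus .info hosts, so a hit list from this scanner is something to feed into a redirect-chain follow-up, not a block list. Frames hidden by an external stylesheet or by script are outside what a static pass over the page source can see.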
Current thread:
- More High Profile Sites IFRAME Injected Dancho Danchev (Mar 12)
- Re: More High Profile Sites IFRAME Injected worried security (Mar 15)
- Re: More High Profile Sites IFRAME Injected Razi Shaban (Mar 15)
- Re: More High Profile Sites IFRAME Injected taneja . security (Mar 15)
- Re: More High Profile Sites IFRAME Injected Valdis . Kletnieks (Mar 17)
- Re: More High Profile Sites IFRAME Injected worried security (Mar 18)
- Re: More High Profile Sites IFRAME Injected Valdis . Kletnieks (Mar 17)
- Re: More High Profile Sites IFRAME Injected worried security (Mar 18)
- Re: More High Profile Sites IFRAME Injected Razi Shaban (Mar 15)
- Re: More High Profile Sites IFRAME Injected worried security (Mar 15)