If that’s not a pattern and good timing, it’s a malicious anomaly. On the 31 of August, 2007, Bank of India was serving malware courtesy of the Russian Business Network. This week, evidence that the U.S Consulate in St. Petersburg, Russia was serving malware to its visitors proved to be true. The web site is now clean, but assessing the IFRAME-ed URLs used in the attack is possible as they’re still reachable. It’s still unknown for long the IFRAMEs remain embedded at the Consulate’s web site, as well as when were they cleaned, but the attack was still active on the 2nd of September, 2007, just two days after Bank of India’s malware attack. It’s also worth mentioning that compared to the most recent malware embedded attacks which had the IFRAMEs directly embedded within, in this one the IFRAME itself is obfuscated but the live exploit URL isn’t.
recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack – my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites.“