The “window of opportunity” for traffic acquisition that a huge anticipated traffic spike offers is something malicious parties always find adaptive ways to take advantage of. Back in December 2007, the same event-based malware embedded attack appeared at a French government site covering France/Libya relations, right in the middle of the Libyan leader’s visit to the country. My detailed analysis back then revealed the usual RBN connection, with IFRAME hosts switching between HostFresh, Ukrtelegroup Ltd, and Turkey Abdallah Internet Hizmetleri, to surprisingly end up at the New Media Malware Gang’s original IP, further confirming the existence of what’s now a diverse ecosystem.
The same timely malware embedded attack happened at the top of the Annual Weblog Awards site, The Bloggies, as TrendMicro assessed on Monday:
An embedded malware screenshot is worth a thousand words, so here it is, attached, along with the scan results for IcePack’s now easily detectable module:
Scanner results: 47% of scanners (17/36) found malware!
File size: 10666 bytes
MD5: 0860a1f5f1b27db14fedbfc979399fa4
SHA1: 81c4ca763850fd3d675a0955ee6885ce83db53a5
Moreover, wilicenwww.biz/1/1/ice-pack/index.php is currently responding to 184.108.40.206, and besides the descriptive IcePack host, the IP also responds to the following domains:
So what? Historical CYBERINT ultimately improves your situational awareness. Sicil.info was the main domain behind the Syrian Embassy in the U.K. malware embedded attack. Back then, sicil.info was responding to 220.127.116.11, and now to 18.104.22.168; switching locations doesn’t mean a clean domain reputation anyway.
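The two pivots made above, an IP that answers for several domains besides the known-bad one, and a known-bad domain that moves between IPs, are what historical resolution data is for. As an added example (not part of the original post), the block below works over a constructed passive-DNS-style table of `(domain, ip, first_seen, last_seen)` rows: it records every IP a known-bad domain has ever used, then flags other domains that sat on one of those IPs while the bad domain was there. The date-overlap check is the caveat a practitioner wants: shared hosting and IP reassignment mean an IP’s past tenants are not automatically suspect, only those co-hosted during the malicious tenure. All domains (`.invalid`/`.example`), IPs (documentation ranges) and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style history: (domain, ip, first_seen, last_seen)
RECORDS = [
    ("embassy-kit.invalid", "198.51.100.10", date(2007, 10, 1), date(2007, 12, 31)),
    ("embassy-kit.invalid", "203.0.113.25", date(2008, 1, 5), date(2008, 1, 15)),  # moved IP
    ("awards-kit.invalid", "203.0.113.25", date(2008, 1, 10), date(2008, 1, 15)),  # co-hosted now
    ("tenant.invalid", "198.51.100.10", date(2007, 11, 1), date(2008, 1, 15)),     # co-hosted earlier
    ("reassigned.example", "198.51.100.10", date(2006, 1, 1), date(2007, 6, 30)),  # left before the bad domain arrived
    ("unrelated.example", "192.0.2.7", date(2007, 1, 1), date(2008, 1, 15)),
]

# Constructed seed: the domain already attributed to an earlier attack.
KNOWN_BAD = {"embassy-kit.invalid"}


def domain_history(records, domain):
    """Chronological list of (first_seen, ip) for one domain; shows IP hopping."""
    return sorted((f, ip) for d, ip, f, _ in records if d == domain)


def _overlaps(a, b):
    """True if closed date intervals a=(first,last) and b=(first,last) intersect."""
    return a[0] <= b[1] and b[0] <= a[1]


def pivot(records, known_bad):
    """Return every IP a known-bad domain used, and the domains that shared
    one of those IPs during the bad domain's tenure on it."""
    bad_tenure = defaultdict(list)  # ip -> [(first, last), ...] for known-bad domains
    for d, ip, f, l in records:
        if d in known_bad:
            bad_tenure[ip].append((f, l))

    candidates = defaultdict(set)  # domain -> set of shared IPs
    for d, ip, f, l in records:
        if d in known_bad or ip not in bad_tenure:
            continue
        if any(_overlaps((f, l), t) for t in bad_tenure[ip]):
            candidates[d].add(ip)

    return {"tainted_ips": set(bad_tenure), "candidates": dict(candidates)}


if __name__ == "__main__":
    for first, ip in domain_history(RECORDS, "embassy-kit.invalid"):
        print(f"{first} embassy-kit.invalid -> {ip}")
    result = pivot(RECORDS, KNOWN_BAD)
    print("tainted IPs:", sorted(result["tainted_ips"]))
    for dom, ips in sorted(result["candidates"].items()):
        print(f"review {dom}: shared {sorted(ips)} with a known-bad domain")
```

The output of `pivot` is a review queue, not a verdict: a domain co-hosted with a known-bad one on a shared server is a lead to examine (WHOIS, content, other resolutions), while the tainted IP list feeds straight into blocking or alerting, since the known-bad domain’s move to a new IP changes nothing about its reputation.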