Embedded Malware at Bloggies Awards Site

The “window of opportunity” for traffic acquisition by taking advantage of a huge anticipated traffic is something malicious parties always find adaptive ways to take advantage of. Back in December, 2007, the same event based malware embedded attack appeared at a French government’s site covering France/Libya relations right in the middle of Libya’s leader visit in the country. My detailed analysis back then revealed details of the usual RBN connection, with IFRAME hosts switchng between HostFresh, Ukrtelegroup Ltd, and Turkey Abdallah Internet Hizmetleri, to surprisingly end up to the New Media Malware Gang original IP, futher confirming the existence of what’s now a diverse ecosystem.

The same timely malware embedded attack happened at the top of the Annual Weblog Awards site – The Bloggies as TrendMicro assessed on Monday :

The Web site of the Annual Weblogs Awards — more informally known as the Bloggies — was hacked recently, serving up a malicious Javascript to its visitors. This happened on the eve of the award ceremony, as reported in NEWS.com.au.

An embedded malware screenshot is worth a thousand words, so here it goes attached, and IcePack’s now easily detectable module :

Scanner results : 47% Scanner(17/36) found malware!
File Size : 10666 byte
MD5 : 0860a1f5f1b27db14fedbfc979399fa4
SHA1 : 81c4ca763850fd3d675a0955ee6885ce83db53a5
HTML/Psyme.Gen; Trojan-Downloader.JS.Agent.et

Moreover, wilicenwww.biz/1/1/ice-pack/index.php is currently responding to, and besides the descriptive IcePack host, the IP also responds to the following domains :


So what? Historical CYBERINT untimately improves your situational awareness. Sicil.info was the main domain behind the Syrian Embassy in the U.K malware embedded attack. Back then, sicil.info was responding to, and now to, switching locations doesn’t mean a clean domain reputation anyway.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *