Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

• Sergio Hernando’s Blog (in Spanish)
• Dancho Danchev’s Blog
• Sophos
• Trend Micro
• The Register
• The Web Hacking Incidents Database
• CyberCrime Updates Blog
• Hackers Center Blog
• Net-Security
• Kriptopolis (in Spanish)

It’s interesting to note that all of them gave credit to my post as the first report on the issue, all except one: Trend Micro. The reason became clear when I read Paul Baccas’s post on SophosLabs:

“The interesting thing from my point of view is that Ismael’s screenshot (on Passionate about Information Security) suggests he is using Sophos Anti-Virus for Mac.”

So, there you go. It’s obvious that Trend Micro didn’t want to include a link to a post that included a screenshot of Sophos for Mac picking up the virus. Awesome!

On the other hand, it’s fair to say that Trend Micro posted an excellent report on the incident, including updates on their analysis:

Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharma information. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.

…

Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr.suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.

Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.

Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other dll files and an updated copy of TDSSserv.sys, load certain modules from the dll files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files from the download URLs are not the same every time, this backdoor does keep accessing from the list of URLs even after completing its routine–so it may eventually get to access all URLs (except of course the currently inaccessible ones) it needs to achieve all mentioned functionalities.

I didn’t check the website for a while, but as of yesterday, embajadaindida.com redirects to embassyindia.es, a new domain that hosts a new website. This confirms what I was told by the Consul of India in Madrid when I called to report the incident last week. Back then I was told that the old compromised website was going to be replaced by a new one in the coming days.

Whether all these news pushed them to deploy it before they planned I don’t know, but at least we’re all glad that action was taken and that the site seems to be clean, by now…

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When tried to load the site, the Desktop Antivirus displayed the following pop-up alert:

The alert description is fairly self-explanatory, though a quick look at the source code erases all doubt:

Everything indicates that the site was compromised and those invisible iframe tags appended to the index.php (and possibly other files too) to load multiple pieces of malware from the following domains:

• msn-analytics.net
• pinoc.org
• wsxhost.net

Obviously, do not visit any of these sites as, at the very least, it is known that they have facilitated the distribution of malicious software in the past. In fact, Google’s Safe Browsing Diagnostic page reports that one of those has hosted malicious sofware that has infected at least 33 domains in the last 90 days, as shown below.

Although the attack vector is still unknown, it’s likely to be due to either weak directory and file permissions or to a vulnerability in any of their PHP scripts. Actually, similar effects were reported to the Joomla! discussion forum back in September last year, so I guess we must be dealing with the same kind of attack.

I’ve personally reported this security issue to the Embassy of India in Spain, and it’s expected they will be taking some action to remove the iframe tags sooner rather than later. In the meantime, please DO NOT VISIT THE SITE.

Being a BSi instructor for the BS 25999 courses on Business Continuity, I find these kind of real-life examples very instructive for being used at class, although I try to to get students to talk about their own experiences as much as possible.

So have a look at The Planet outage – what can we all learn from it? and let me know your thoughts.

In the following weeks I’ll be creating a new section of my blog where I will put together a list of Business Continuity resources (among others) I can share with my students at class. So stay tuned!

I know it sounds funny, but so claims latest survey conducted by Infosecurity Europe over 576 office workers in London. According to that research, women are four times more likely than men to give out their passwords in exchange for a chocolate bar (45% of women compared to 10% of men).

However, results also indicate that up to 60% of men and 62% of women were happy to provide their names and telephone numbers when promised to enter a draw to go to Paris. With the percentage of people being fooled depending on the prize attractiveness (at the end of the day, all women love chocolate, don’t they) I wonder what the results would have been among men if the prize were football tickets or electronic toys…

While the real value of this ‘research’ is still uncertain (we don’t know how many people gave out a real password and how many just filled in any rubbish for a chocolate treat), the truth is that these year’s results are far better than those obtained in 2007, when 64% of people were ready to exchange their passwords for chocolate.

It’s also worth to mention that Infosecurity undertook this survey just a week before its annual exhibition at Olympia Centre, where nearly 12,000 visitors are expected. I’ve been there many times, and although I guess I would never give out my password for a chocolate bar, who has never given a business card to enter a draw to get a free ipod or an xbox at one of the hundred stands Infosecurity has?

Link to Press Release on Infosecurity website.