Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

• Sergio Hernando’s Blog (in Spanish)
• Dancho Danchev’s Blog
• Sophos
• Trend Micro
• The Register
• The Web Hacking Incidents Database
• CyberCrime Updates Blog
• Hackers Center Blog
• Net-Security
• Kriptopolis (in Spanish)

It’s interesting to note that all of them gave credit to my post as the first report on the issue, all except one: Trend Micro. The reason became clear when I read Paul Baccas’s post on SophosLabs:

“The interesting thing from my point of view is that Ismael’s screenshot (on Passionate about Information Security) suggests he is using Sophos Anti-Virus for Mac.”

So, there you go. It’s obvious that Trend Micro didn’t want to include a link to a post that included a screenshot of Sophos for Mac picking up the virus. Awesome!

On the other hand, it’s fair to say that Trend Micro posted an excellent report on the incident, including updates on their analysis:

Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharma information. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.

…

Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr.suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.

Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.

Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other dll files and an updated copy of TDSSserv.sys, load certain modules from the dll files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files from the download URLs are not the same every time, this backdoor does keep accessing from the list of URLs even after completing its routine–so it may eventually get to access all URLs (except of course the currently inaccessible ones) it needs to achieve all mentioned functionalities.

I didn’t check the website for a while, but as of yesterday, embajadaindida.com redirects to embassyindia.es, a new domain that hosts a new website. This confirms what I was told by the Consul of India in Madrid when I called to report the incident last week. Back then I was told that the old compromised website was going to be replaced by a new one in the coming days.

Whether all these news pushed them to deploy it before they planned I don’t know, but at least we’re all glad that action was taken and that the site seems to be clean, by now…

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When tried to load the site, the Desktop Antivirus displayed the following pop-up alert:

The alert description is fairly self-explanatory, though a quick look at the source code erases all doubt:

Everything indicates that the site was compromised and those invisible iframe tags appended to the index.php (and possibly other files too) to load multiple pieces of malware from the following domains:

• msn-analytics.net
• pinoc.org
• wsxhost.net

Obviously, do not visit any of these sites as, at the very least, it is known that they have facilitated the distribution of malicious software in the past. In fact, Google’s Safe Browsing Diagnostic page reports that one of those has hosted malicious sofware that has infected at least 33 domains in the last 90 days, as shown below.

Although the attack vector is still unknown, it’s likely to be due to either weak directory and file permissions or to a vulnerability in any of their PHP scripts. Actually, similar effects were reported to the Joomla! discussion forum back in September last year, so I guess we must be dealing with the same kind of attack.

I’ve personally reported this security issue to the Embassy of India in Spain, and it’s expected they will be taking some action to remove the iframe tags sooner rather than later. In the meantime, please DO NOT VISIT THE SITE.