English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Incidents|Ticket site infected by Trojan-Downloader

Vitaly Denisov
Kaspersky Lab Expert
Posted January 30, 13:07  GMT
Tags: Website Hacks
0
 

We’ve just been contacted by a user who let us know that www.adoronin.ru has been infected with Trojan-Downloader.JS.Agent.bx. This Russian site can be used to book tickets for theatres, concerts, musicals, the circus and sporting events on-line. As there’s a lot of interest in the theatre and sports over here, the site gets pretty busy - a smart choice for a malicious user to infect a lot of systems.

So how did our user realize the site was infected? He clicked on an banner leading to the site. The banner was placed on mail.ru, which is one of Russia’s biggest Internet portals with more than 3 million users. But then his antivirus started to react, as he put it, "strangely". It clearly showed him that the page he was trying to access was infected. It didn’t show the adoronin address though, but an entirely different address. It was clear that code had been injected into the main page of the adoronin site - code that would then download Trojan-Downloader.JS.Agent.bx to the user’s machine.

The Web Anti-virus component of Kaspersky Anti-Virus 6.0 detected the malicious activity and asked the user if he wanted to block it. This prevented his machine from being infected. And it gave us and the site administrator a heads-up - working with us, he was able to clean his site.

Comment      Link

Incidents|Infected Valuehost servers

Vitaly Denisov
Kaspersky Lab Expert
Posted December 01, 15:28  GMT
Tags: Website Hacks
0
 

Yesterday, one of our users contacted us to tell us about the strange behaviour of his browser. He’d been looking at www.5755.ru - his browser opened a second web page, and his Web anti-virus warned him that a Trojan program was being downloaded.

The user went to this site after he'd seen it advertized on television. He almost fell victim to a malicious attack - the site’s homepage contained a script that downloads Trojan-Downloader.JS.Psyme.ct, which in turn downloads Trojan-Downloader.Win32.Tiny.eo. Of course, the malicious programs placed on the site change from day to day, but happyily, the Web anti-virus module in Kaspersky Anti-Virus 6.0 prevented this user from getting infected.

After investigating this a bit further, it turned out that at least 470 other servers had been subject to the same hacker attack. We found this out by entering a string from the script which had been injected into the site into Google.

All these servers had one thing in common - they were all hosted by Valuehost, the biggest hosting provider in Russia, which offers a home to more than 60,000 Russian web sites. Of course, the Valuehost administrators have been informed of the problem.

Comment      Link