Compromised serving malware

One of the techniques widely used by cyber criminals to spread their malware is compromising a popular website that has a large number of visitors and hosting malicious code on its pages to infect those users. This damages the company's reputation and helps the botnet spread further.

A new case was reported today by Symantec security researchers, where has been compromised to infect users with the Rig EK. This exploit kit searches for vulnerable systems and installs banking Trojans such as Infostealer.Dyranges and Zbot (Zeus). In this case the attackers injected an iframe on that redirects users to an obfuscated page hosting Rig EK.

Fig2_13spin: page with the malicious iframe (image by Symantec)
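The injected iframe described above is the kind of thing a site owner can catch before visitors do. The following is an added defender-side example, not code from the post or from Symantec: it parses a page's HTML and flags iframes that point off-site, are zero-sized or are hidden by CSS, the usual hallmarks of an injected redirector. The sample page, the host name example.com and the placeholder host redirector.invalid are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collect every <iframe> on a page together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser already lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel (invisible frames)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def audit_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that look injected.

    A relative src is treated as same-host. Visible frames served from the
    site's own host produce no finding."""
    parser = IframeAuditor()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        src = f.get("src", "")
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host:
            reasons.append("off-site source")
        if _is_tiny(f.get("width")) or _is_tiny(f.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embed plus one injected invisible frame.
SAMPLE_PAGE = """<html><body>
<iframe src="/embeds/player.html" width="640" height="360"></iframe>
<p>Article text</p>
<iframe src="http://redirector.invalid/landing.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE_PAGE, "example.com"):
        print(src, "->", ", ".join(why))
```

Run against a saved copy of each page on a schedule and alert on any new finding; an iframe that matches all three reasons at once is almost never legitimate.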

Rig EK checks the driver files to determine whether the system has security software installed; if an antimalware product is present, the operation is aborted so that no change is made on the victim's machine. If no security software is found, the Rig EK exploit uses several vulnerabilities in the web browser to execute the banking malware and turn the visitor into part of the botnet.

Obviously, to protect yourself you need to keep your security software enabled with the latest definitions. Keeping your system fully patched, including your web browser, will prevent the exploit from finding a gap. One more important point: browse from a non-administrator account and switch to a privileged user only when you need to install an application.
