ScanSafe



Pro-Tibet Websites Harboring Malware: Putting Website Visitors at Risk in What May Be a Politically Motivated Attack

ScanSafe, the leader in Web Security-as-a-Service, reported that it has detected malware on the www.FreeTibet.org and SaveTibet.org websites, two pro-Tibetan human rights websites. ScanSafe first detected and began blocking the malware at 6:29 am GMT on 7 April. ScanSafe customers are completely protected from the malware.

ScanSafe immediately alerted these websites. Since then, SaveTibet.org has resolved the issue, and ScanSafe is liaising with FreeTibet.org to clean up the virus. ScanSafe has already blocked the website from 5% of its customer base.

Visitors to the homepages of these sites are exposed to an iFrame that redirects them to a site that hosts a Trojan downloader. A Trojan downloader is a program, typically installed through an exploit or some other deceptive means, that facilitates the download and installation of other malware and unwanted software onto a victim's PC. A Trojan downloader may download adware, spyware or other malware from multiple servers or sources on the internet.

These websites appear to have been specifically targeted as this is not a generic Trojan downloader. Someone or some group has gone to great trouble to rewrite the exploit and personalise it to the FreeTibet.org and SaveTibet.org websites.

ScanSafe threat detection technology isolated these threats as suspicious based on unusual behaviour that differentiates the malware from the standard signatures. ScanSafe found an invisible iFrame which redirects innocent visitors to a malware-infected site, which ScanSafe has tracked to servers hosted in Taiwan. The code served from that site runs and creates a file, ipsec.exe, which installs a backdoor user ‘free tibet’ on the visitor's machine and transmits these details back to the controlling website located in Hong Kong. Given the recent events in Tibet and the protests around the forthcoming Olympics and the Olympic Torch Run, there may be certain groups that are particularly keen to monitor or disrupt activities of pro-Tibet interests.
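For site owners, the injected element described above can be looked for in their own pages. The following is an added example, not ScanSafe's detection technology: it flags iframes that are both invisible and loaded from another host. The hiding heuristics are assumptions (the report does not give the injected markup), and all hostnames and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style patterns that hide an element (assumed heuristics, not from the report).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)

class IframeAuditor(HTMLParser):
    """Collects iframes that are invisible AND loaded from a different host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src_host = (urlparse(a.get("src", "")).hostname or "").lower()
        # A relative src has no host and stays on the audited site.
        external = bool(src_host) and src_host != self.page_host
        reasons = [f"{d}={a[d]}" for d in ("width", "height")
                   if a.get(d) in ("0", "1", "0px", "1px")]
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if external and reasons:
            self.findings.append((a["src"], reasons))

def audit(html, page_host):
    """Return a list of (src, reasons) for hidden external iframes."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page: two legitimate frames, two hidden external ones.
SAMPLE_PAGE = """
<iframe src="/widgets/donate.html" width="300" height="200"></iframe>
<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="http://downloader.example.net/x.htm" width="0" height="0"></iframe>
<iframe src="//cdn.example.net/a.htm" style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_PAGE, "www.example.org"):
        print(f"hidden external iframe: {src} ({', '.join(reasons)})")
```

This only inspects static markup; frames written into the page by script at load time need a rendered-DOM check or a comparison of served pages against a known-good copy.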

Very few commercial anti-virus technologies are able to detect this threat. ScanSafe has issued an alert warning web surfers that the pro-Tibet sites have been unknowingly hosting malware and infecting visitors by installing malware onto victims’ PCs.

Given the world’s attention on relations between China and Tibet ahead of the Olympics, it makes sense that these sites would be targeted as web surfers go online to learn more about Tibet and Tibetan independence. We recommend web surfers take extreme caution and that all websites review their security policies in the light of these latest developments.
