ScanSafe



Malware Detected on Website of the Syrian Embassy in the UK


On August 12, 2007 the ScanSafe Threat Center reported it had detected malware unknowingly being hosted on the website for the Syrian embassy in the United Kingdom. ScanSafe immediately notified the Syrian embassy. A spokesperson there said they were taking steps to secure the website.

The official website for the Embassy of Syria in the UK (http://www.syrianembassy.co.uk/) contained an obfuscated JavaScript link, hidden in an iframe, to http://m*iron555.org/s/index.php. The second site is hosted at an IP address allocated to a Hong Kong-based server. This second site contained JavaScript that obfuscates a Visual Basic program that uses a Microsoft XML exploit. The exploit allows remote code execution. The XML vulnerability being exploited was reported by Microsoft in November 2006, and Microsoft issued a patch for it (see Microsoft Security Bulletin MS06-071 at http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx).

In this instance the exploit was used to download Trojan LdPinch JVR, a password-stealing Trojan that attempts to steal information from an infected computer and send it to the author of the Trojan.

ScanSafe customers have been protected throughout from this and similar web-based malware attacks.