ScanSafe Reports IndiaTimes Website Contains Malware That Exposes Visitors to a Crippling Cocktail of Downloader and Dropper Trojans
On November 8, 2007, the ScanSafe Security Threat Alert Team (STAT) investigated blocks of web pages due to malicious content hosted on the IndiaTimes website (www.indiatimes.com). The popular site contains malware that downloads a crippling mix of dropper and downloader Trojans, making it a high risk threat. ScanSafe has been working with IndiaTimes as well as other security vendors to help contain the threat and secure the IndiaTimes website.
Indiatimes is part of India's largest media and entertainment house, The Times Group. The 168-year-old organization is one of the most respected business houses in India, and its brands include The Times of India, the world's largest broadsheet English daily. It is a popular site, with an Alexa traffic ranking of 483.
ScanSafe first detected and blocked malware on the site on October 25th. ScanSafe is still investigating the reach of this attack, but given the popularity of the site and the amount of malware involved, ScanSafe is urging caution. At the time of filing this Threat Report, the malware was still on the Indiatimes.com site. There is no indication that IndiaTimes is knowingly serving up malware.
Only certain pages of Indiatimes.com are infected. The impacted pages contain a script which points to a remote site containing iframes pointing to two additional sites. One of the sites included cookie scripts and an iframe pointing to a non-active site. The other iframe pointed to an encrypted script which exploits multiple vulnerabilities in an attempt to download malicious software onto susceptible systems of users visiting indiatimes.com.
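The injection pattern described above, a page carrying a script reference to a remote host which in turn loads iframes, is something a site owner can check their own pages for. The following Python script is an added example written for this report and is not ScanSafe's or IndiaTimes' code. It scans a constructed sample page for script and iframe references to hosts outside the site's own domain (with an allowlist for known third parties) and additionally flags iframes sized 0x0 or styled invisible; every hostname in the sample is a placeholder, not an indicator from the investigation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (placeholder hosts, not real indicators): a site's own
# script, one allowlisted third-party script, one unexpected off-site script,
# and a zero-size off-site iframe of the kind used for drive-by downloads.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://static.example.net/ads.js"></script>
</head><body>
<p>News article body</p>
<script src="http://injected-host.invalid/x.js"></script>
<iframe src="http://other-host.invalid/frame.html" width="0" height="0"></iframe>
</body></html>
"""


class RemoteRefFinder(HTMLParser):
    """Collect every <script src=...> and <iframe src=...> with its attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src, attrs-dict)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        src = a.get("src")
        if src:
            self.refs.append((tag, src, a))


def is_hidden(attrs):
    """Heuristic: a 0x0 or invisible iframe is rarely legitimate embedding."""
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    zero_size = width in ("0", "0px") and height in ("0", "0px")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return zero_size or "display:none" in style or "visibility:hidden" in style


def find_suspicious_refs(html, site_host, allowlist=()):
    """Return script/iframe references that load from hosts the site does not own.

    site_host: the site's own hostname; subdomains of it are treated as first-party.
    allowlist: third-party hosts the site operator knowingly embeds.
    """
    parser = RemoteRefFinder()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.refs:
        host = urlparse(src).hostname
        if host is None:  # relative URL, served by the site itself
            continue
        if host == site_host or host.endswith("." + site_host):
            continue
        if host in allowlist:
            continue
        reasons = ["off-site " + tag]
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("zero-size iframe")
        findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_refs(SAMPLE_HTML, "www.example.com",
                                  allowlist={"static.example.net"}):
        print(f["tag"], f["src"], "->", ", ".join(f["reasons"]))
```

Run against a crawl of the site's own pages, the script gives a per-page list of off-site loads to compare against the set of third parties the operator actually uses; anything not on that list is a candidate for the kind of injected redirect described above. The check is deliberately structural (where content is loaded from) rather than signature-based, so it does not depend on recognizing the obfuscated script itself.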
Multiple vulnerabilities are involved in the attack. The choice of initial vulnerabilities suggests the Metasploit Framework may have been used to carry out the attacks. One of the vulnerabilities is the MDAC vulnerability described in Microsoft Security Bulletin MS06-014.
During the course of the investigation, multiple downloads of binaries, additional scripts, and an assortment of cookies, Flash (SWF) files, and images were discovered. The number of download sites was quite large; two of the dropped binaries downloaded additional malware from 18 different IP addresses, accessing each multiple times. Within the first stages of infection, over 400 unique downloads occur.
The installed malware included a cocktail of downloader and dropper Trojans and assorted other binaries. Overall detection among signature-based antivirus vendors is low to moderately low. ScanSafe’s Outbreak Intelligence (Oi) threat detection technology, which includes proprietary heuristics, was able to successfully detect and block the malware.
Given the nature of the downloaded files, it appears the malware may be intended to create sites used to attack others. ScanSafe continues to analyze the attack and will update this threat alert as necessary.
Analysis of malware:
In light of the large amount of malware involved in this attack and the nature of the attack, investigation into the individual malware is still ongoing.
Severity of threat:
ScanSafe ranks this as a High Risk threat due to the popularity of the site, the amount of malware involved and the severe resulting infections.
About ScanSafe
ScanSafe is the largest global provider of Web Security-as-a-Service, ensuring a safe and productive Internet environment for businesses. ScanSafe solutions keep viruses and spyware off corporate networks and allow businesses to control and secure the use of the Web and instant messaging. As a fully managed service, ScanSafe's solutions require no hardware, upfront capital costs or maintenance and provide unparalleled real-time threat protection. Powered by its proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe scans more than 7 billion Web requests and blocks 70 million threats each month for customers in over 50 countries.
With offices in London and San Mateo, California, ScanSafe is privately owned and financed by Benchmark Capital and Scale Venture Partners. The company received a 2007 CODiE award for Best Software as a Service Solution, the 2007 SC Magazine Europe Award for Best Content Security Solution and was named one of Red Herring’s Top 100 Technology companies. For more information, visit www.scansafe.com.
Report completed by: ScanSafe STAT members Mary Landesman and Steve Poulson