Web servers being hacked is nothing new and Web administrators continue to maintain their servers in the attempt to prevent this from happening. Well, it might a good time for everyone to audit their servers again because we have confirmed yet again another campaign of IFRAME injection attacks today. Earlier this month, we had a similar mass attack as well, making this a popular theme so far this year.
Earlier today, Dancho Danchev, a security consultant, published a blog about another batch of servers getting injected with malicious code and we have confirmed the attack here at Symantec. IFRAME code has been inserted into Web pages on these servers, leading to rogue security software and codec sites, further leading to downloads of Trojan.Zlob variants and dowloaders. These threats ultimately attempt to install misleading applications onto the compromised computers.
Please avoid the IP addresses below, which are hosting the unwanted files, for the time being. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter:
In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites include many high-profile sites as well. This is very disturbing because many big corporations often go out of their way to protect themselves, yet get hit like this. A reevaluation of how we secure our IT infrastructure may be in order.