6/15/2009 4:15:00 PM

Turkish governmental websites under attack

by Bahaa Naamneh

Several Turkish governmental websites have come under web attack. The following websites have been compromised, and obfuscated JavaScript and IFrame tags have been injected into them:

http://[hidden]isar.meb.gov.tr
http://[hidden]ele.meb.gov.tr
http://[hidden]kale.meb.gov.tr
http://[hidden]lu-gsim.gov.tr
http://[hidden]zigrsh.gov.tr

Each of the IFrame tags leads to a different malicious domain, which ends up downloading a variety of Trojans, including infostealers and botnet Trojans.

One of the IFrames leads to a rather interesting malicious script with a 0 detection rate on VirusTotal (we have already added a signature for this script, and it will be available in the next update).

The obfuscation routine of that script makes heavy use of HTML tags: the data needed by the JavaScript de-obfuscation routine is stored in HTML tags.

The script then downloads a Trojan Downloader which, once it runs, downloads another Trojan that steals FTP accounts. The latter searches the file system and the registry for accounts saved by multiple FTP clients and sends them to a Chinese domain:
http://f97q.cn/r4/t1.php
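
For site owners who want to check their own pages for the two injection traits described above (IFrames pointing to other domains, and data parked in HTML tags for a script to decode), here is a small scanner. It is an added example, not code from the original post; the 200-character threshold, the host names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic: 200+ chars of hex/base64-style alphabet, no spaces = packed data.
PACKED = re.compile(r"[A-Za-z0-9+/=%,_-]{200,}")

class InjectionScanner(HTMLParser):
    """Collects off-site iframes and non-script elements holding packed data."""
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []
        self.current = ""  # most recently opened tag, "" after any end tag

    def handle_starttag(self, tag, attrs):
        self.current = tag
        attrs = dict(attrs)
        if tag == "iframe":
            host = (urlparse(attrs.get("src") or "").hostname or "").lower()
            if host and host not in self.trusted:
                self.findings.append(("offsite-iframe", host))
        # Packed data can also be parked in attribute values (title, id, ...).
        for name, value in attrs.items():
            if name != "src" and value and PACKED.search(value):
                self.findings.append(("packed-attr", f"{tag}[{name}]"))

    def handle_endtag(self, tag):
        self.current = ""

    def handle_data(self, data):
        # Long encoded text is expected inside <script>/<style>, not in markup.
        if self.current not in ("script", "style") and PACKED.search(data):
            self.findings.append(("packed-text", self.current or "document"))

def scan(html, site_host, allowed_hosts=()):
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()  # flush any text buffered at end of input
    return scanner.findings

# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE = (
    '<iframe src="http://video.partner.example/embed"></iframe>'
    '<iframe src="http://cdn.unknown.example/in.php"></iframe>'
    '<div id="k" style="display:none">' + "4a6f" * 80 + '</div>'
    '<script>/* constructed: would read element "k" */</script>'
)

if __name__ == "__main__":
    print(scan(SAMPLE, "www.site.example", ["video.partner.example"]))
```

A finding is a prompt to compare the page against its known-good source, not proof of compromise; legitimate embeds should be added to the allowlist.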



Tags: Malweb