Joomla sites misused to deploy malware
The Internet Storm Center reports that a large number of Joomla sites are currently deploying malicious code and infecting visitors with malware; some WordPress sites are also thought to be affected. The German CERT-Bund Computer Emergency Response Team, which is operated by the German Federal Office for Information Security (BSI), has confirmed that similar attacks on and via Joomla servers have also been observed in Germany.
Thomas Hungenberg from CERT-Bund told The H's associates at heise Security that his findings indicate that, for several days, the compromised sites have been exploited to infect computers mainly with fake AV software via an exploit kit. To infect computers, the attackers embed an iFrame into the web sites that points to a Sutra Traffic Distribution System and eventually redirects to an exploit kit. Until recently, URLs ended in
/nighttrend.cgi?8 as described by the ISC, but in the past few hours, other URLs such as
hxxp://kwydcpkq.qhigh.com/gjgdyrzd77.cgi?8 have also been sighted.
/media/system/js/caption.js with new iFrames on a regular basis.
It appears that the criminals have now started to cash in: they are using so-called Traffic redistribution systems that buy and sell web traffic, and bogus anti-virus software that urges users to buy a pro version, to convert the hijacked servers into hard cash. Both approaches are functional and widely used business models in the cyber underworld.
find . -print0 -name \*.js | xargs -0 grep -i iframe
command line instruction. This instruction doesn't cover variants in which the iFrame tag is assembled at a later stage via script code, but none of the infected sites that are known to heise Security include such variants. The injected PHP backdoor can often be found at