Last Updated: 2010-03-04 00:42:21 UTC
by Daniel Wesemann (Version: 1)
We are currently analyzing several reports on sites that contain malicious iframes from google-analitics-dot-net (no, this has nothing to do with the real Google). The iframes redirect to several sub-domains under salefale-dot-com, where a big pile of exploits lurks. All 8 exploits that we identified so far in the end download the same EXE (Virustotal Link). The pretty good coverage that this fresh file already has indicates that many people must have tripped over those malicious iframes today and sent them in to the AV companies.
The image above shows a small section of the malicious iframe as dished out by salefale-dot-com. The code politely checks to see which version of Adobe Acrobat is installed, and then serves up the PDF exploit most digestible to the target at hand - ranging from the old "collab.geticon" to the recent "media.newplayer" vulnerability.
google-analitics-dot-net, by the way, has interesting whois information ... the domain is registered to ??? in the state of Taliban. <sarcasm> Some DNS registrars are obviously doing their utmost to catch bogus domain registrations </sarcasm>.
A special thanks to ISC reader Tom for his detailed report, and to Jan B for spotting this one early on!