Another Massive Embedded Malware Attack

Compared to the previous massive embedded malware attack in Italy that I assessed in June 2007, which relied primarily on a shared hosting provider getting hacked, this one is more interesting to follow because the domains have nothing to do with each other; in fact, some are suspected of being generated for blackhat SEO purposes in combination with embedded malware. The rest are legitimate sites. Moreover, the campaign is currently in a cover-up stage, but the sites are still serving the IFRAME you can see in the attached screenshot. Currently affected sites, over 90% of which still have the IFRAME within:

The main campaign IFRAME URL is serving TR/Crypt.XPACK.Gen and using its own nameservers ( and ( which is also hosting;; Deobfuscation leads to ( where we’re redirected to; both URLs try to exploit the MDAC ActiveX code execution vulnerability (CVE-2006-0003). Another exploit URL is also active at this IP – which is Icepack in action.
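The injected IFRAMEs in campaigns like this one are typically hidden from the visitor (0x0 or 1x1 pixels, or styled invisible) and point at a third-party host, often a raw IP. The following scanner, an added example and not code from the original post, shows how a site owner can check their own served HTML for such injections. The sample page, the hostnames and the IP in it are constructed for illustration, not taken from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one benign, visible third-party embed and two
# injected, hidden IFRAMEs of the kind seen in embedded malware campaigns.
SAMPLE_HTML = """<html><body>
<h1>Shop</h1>
<iframe src="https://maps.example.org/embed?id=1" width="400" height="300"></iframe>
<iframe src="http://evil.invalid/in.cgi?3" width=1 height=1 style="visibility:hidden"></iframe>
<IFRAME SRC="http://203.0.113.5/counter/" WIDTH="0" HEIGHT="0"></IFRAME>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1', '0px' or '100%' to an int."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_host):
    """Return the IFRAMEs that are hidden from the visitor, with the reasons.

    An external embed on its own is normal (maps, video), so a frame is only
    reported when a hiding trick is present; host-based reasons are attached
    as extra context for triage.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []

        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny dimensions")

        style = attrs.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")

        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("external host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address")

        if "tiny dimensions" in reasons or "hidden via style" in reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "shop.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Running it against the sample flags the two hidden frames and leaves the visible map embed alone. In practice the check is run over the HTML as actually served (fetched over HTTP, not read from disk), since an injection made at the hosting provider, as in the earlier Italian campaign, may not be visible in the site's own source tree.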
