
Just when you thought you had seen the last hacked cinema website (referring to Malaysia's GSC website), another one surfaces at TGV.com.my just about 3 months later. According to the SANS Internet Storm Center, this type of SQL injection uses SQL commands to attack the "sysobjects" and "syscolumns" tables in the database, and particularly targets websites that use Active Server Pages (ASP).
Latest update: the malicious script has been removed from TGV.com.my. It is safe to visit again.
We advise you NOT to visit "tgv.com.my" at the moment, as a malicious script will be executed, prompting a drive-by download of Trojan-Downloader.JS.Agent.cs as reported by Kaspersky Anti-virus 7.0. The malware is not loaded on the TGV main page but on the movie synopsis pages and the Showtime section. Users of the latest Kaspersky Anti-virus 2009 will receive a phishing alert (shown below) and at the same time a detection of Trojan-Downloader.JS.Agent.ccu.


Referring to the alert above, Kaspersky blocked a JavaScript call from hxxp://www.coldwop.com/b.js. Looking further at the source code of that specific frame, we found more links to different websites hosting the same script. We do not know how much damage the malware does, but as seen from the alert above, it is able to steal passwords, credit card numbers or other confidential data.
Update (June 26, 2008): additional domains hosting the same b.js script were observed.
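As an added example (not code from the original post), the following Python performs two defensive checks drawn from this incident: it flags script includes on a fetched page whose host lies outside an assumed trusted list (the kind of injected b.js reference described above), and it scans IIS W3C log rows for query-string markers of the sysobjects/syscolumns injection. The page and log rows are constructed samples, and the field order assumes the default IIS log layout.

```python
import re
from urllib.parse import urlparse, unquote_plus

# Hosts the site legitimately loads scripts from (assumed; adjust per site).
TRUSTED_HOSTS = {"www.tgv.com.my", "tgv.com.my"}

# Simple extractor for the src attribute of <script> tags.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)", re.I)


def find_injected_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return script URLs that point to hosts outside the trusted set."""
    suspicious = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host and host.lower() not in trusted_hosts:
            suspicious.append(src)
    return suspicious


# Query-string markers of the sysobjects/syscolumns mass-injection payload.
SQLI_MARKERS = re.compile(
    r"sysobjects|syscolumns|declare\s+@|cast\s*\(\s*0x|exec\s*\(", re.I)


def flag_sqli_requests(log_lines):
    """Return (line_no, cs-uri-stem) for IIS W3C rows whose decoded query carries the markers."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue  # skip directive lines and malformed rows
        query = unquote_plus(fields[5])  # cs-uri-query: decode %xx and '+'
        if SQLI_MARKERS.search(query):
            hits.append((n, fields[4]))  # cs-uri-stem
    return hits


# Constructed samples: a synopsis page with an injected include, and log rows in the
# default IIS W3C field order (date time s-ip cs-method cs-uri-stem cs-uri-query ...).
SAMPLE_HTML = ('<html><head><script src="/js/menu.js"></script></head><body>'
               '<p>Synopsis</p><script src="http://www.coldwop.com/b.js"></script></body></html>')
SAMPLE_LOG = [
    "2008-06-25 10:00:01 10.0.0.5 GET /movie/synopsis.asp id=42 80 - 203.0.113.9 Mozilla/4.0 200",
    "2008-06-25 10:00:07 10.0.0.5 GET /movie/synopsis.asp id=42;DECLARE+@S+VARCHAR(4000);... 80 - 203.0.113.9 Mozilla/4.0 200",
]
```

The second log row carries a deliberately truncated payload; in a real log the rest of the query string would be present and still match on the same markers.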


Guess the movie from the source code above!
TGV.com.my blocked by Google

What happened when Google visited TGV.com.my? (quoted from Google Safe Browsing)
Of the 137 pages we tested on the site over the past 90 days, 68 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 06/29/2008, and the last time suspicious content was found on this site was on 06/29/2008.
Malicious software includes 92 trojan(s), 92 exploit(s), 90 scripting exploit(s). Successful infection resulted in an average of 4 new processes on the target machine.
Malicious software is hosted on 19 domain(s), including heiheinn.cn, qq117cc.cn, supbnr.com.
3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including qq117cc.cn, aspssl63.com, apps84.com.
Further reading: "How They Hack Your Website: Overview of Common Techniques"



Apparently Google is still blocking users from accessing TGV.com.my.