FYI...Goal.com serving malware
5.02.2011 - "Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com. Recently between April 27th to 28th, it was detected by HackAlert to be actively serving malware (drive-by downloads)
. From what we've observed, we believe the attacker has a way into goal.com's system and was only testing during this time. This is our technical report.Summary
A. From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content.
B. During this time we've observed different malicious scripts injected into goal.com, leading us to believe that this isn't a one-time mass SQL injection attempt. We've also not found the injected content to appear in other websites.
C. The malicious domains include:
1. pxcz .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
2. opofy7puti .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
3. justatest .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
> This further suggests that this is an attack targeted at goal.com
D. Duration was between April 27th to 28th. The attacker seemed to be testing their injections and was picked up by our scanners.
E. Browser exploits used during this "test-drive" included: CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).
F. The g01pack exploit pack was being used
. It includes a fake admin page which is used as a honeynet for security researchers--to allow the attacker to observe who is studying their malicious domains.
G. The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection.
H. Malware served was packed with UPX and modifies setupapi.dll and sfcfiles.dat. When we first submitted it to VirusTotal, 4 out of 41 antivirus vendors were able to flag it.
I. The malware connects to the following domains:
1. testurl .ipq .co:80 (in UK), which again, is neither flagged by any antivirus blacklist nor by Google SafeBrowsing
2. 22.214.171.124 :80 (US), which reverses back to coldgold .co .uk, and which again, isn't blacklisted by any
, including Google SafeBrowsing.
3. banderlog .org, not flagged
by antivirus / Google SafeBrowsing, but has some records on clean-mx.de..."(More detail and screenshots available at the blog.armorize URL above.)