We recently came across an Indian holiday booking site which appears to be serving up a copy of an old malware. Shown below is the screen shot of the site in discussion:
A quick look at the source code for the page shows an encoded binary file embedded in a VBScript:
Visiting this site with a poorly configured Internet Explorer browser will lead to the above script being rendered. The encoded file in turn is decoded and a malicious file named svchost.exe is dropped onto the user’s computer and is executed.
The malicious executable is an infamous file infector named Win32.Ramnet and detection for this executable has been around for more than a year now. This seems to suggest that the machine hosting the website has either little or no security solution in place.
With the holiday season in full swing, online shoppers are requested not to let their guard down. While you may be on holiday, the miscreants aren’t.
K7 Security products don’t just detect and delete the malicious file, but also prevent access to the hacked site:
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: