Dutch users served Sinowal for lunch
(Publication) Google search: [1]
| Dutch users served Sinowal for lunch | |
|---|---|
| |
| Botnet | Sinowal |
| Malware | |
| Botnet/malware group | |
| Exploit kits | Blackhole |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / March 20 2012 |
| Editor/Conference | TrendMicro |
| Link | http://blog.trendmicro.com/dutch-users-served-sinowal-for-lunch/ (Archive copy) |
| Author | Roland Dela Paz |
| Type | |
Abstract
“ Dutch users were recently targeted in a website compromise that involved a popular news site in the Netherlands, nu.nl. The site was compromised and modified to load a malicious iframe that resulted to visitors’ systems being infected with a SINOWAL variant.
Trend Micro researcher Feike Hacquebord says that considering the different characteristics of this attack, it seems like it was specifically designed to affect Dutch users. Aside from the affected site being one of the most popular sites in their country, the scripts inserted in the website were activated right before lunch time in the Netherlands — a time when Dutch users usually utilize to check the news and other sites while in the office.
According to nu.nl’s released statement, they believe that attackers exploited a vulnerability on the news group’s Content Management Systems (CMS), allowing them to insert 2 scripts — g.js and gs.js — in nu.nl’s subdomain.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR947,
editor = {TrendMicro},
author = {Roland Dela Paz},
title = {Dutch users served Sinowal for lunch},
date = {20},
month = Mar,
year = {2012},
howpublished = {\url{http://blog.trendmicro.com/dutch-users-served-sinowal-for-lunch/}},
}