Malicious Code Research (MCRC) Blog - 2009

Jul 10, 2007

Got music fever? Don't worry, IcePack is here!

Are you a music fan? The cyber criminals bet you are. This is why they now hack more and more music groups' fan and official web sites and inject malicious crimeware into them. Our Q2 2007 Trend Report shows two examples of such web sites that were hacked by criminals. The following are two more.

Linkin Park and t.A.T.u. are well known music groups. Their Brazilian fan web sites were recently hacked, and an iframe pointing to a malicious script was injected into their main pages.

Figure 1: Linkin Park Brazilian fan web site with an iframe to malicious crimeware

Figure 2: t.A.T.u. Brazilian fan web site with an iframe to malicious crimeware

Both iframes link to a malicious script that was generated by a new crimeware toolkit called IcePack.
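The injection on both fan sites has the same shape: a hidden iframe whose src points off-site. The scanner below is an added example (not code from the original post or from the IcePack toolkit) that walks a page's HTML and reports off-site iframes, ranking those that are also sized or styled to be invisible as the most suspicious. The site hostname, the sample page and the 203.0.113.7 address in it are constructed for the example.

```python
"""Scan an HTML page for injected, off-site, hidden <iframe> tags.

Added example, not code from the original MCRC post or from the IcePack
toolkit. The site hostname and the sample page below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values can be None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is styled or sized so a visitor would not see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        # <iframe width="0"> or style="width:1px": anything of 1px or less.
        attr_val = re.match(r"(\d+)", attrs.get(dim, "").strip())
        css_val = re.search(r"(?:^|;)" + dim + r":(\d+)", style)
        for m in (attr_val, css_val):
            if m and int(m.group(1)) <= 1:
                return True
    return False


def find_injected_iframes(html, site_host):
    """Return off-site iframes found in `html`, each with a severity.

    Relative and same-host iframes are ignored. An off-site iframe is
    "medium"; an off-site iframe that is also hidden is "high", which
    is the pattern the injected fan sites showed.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host.lower() == site_host.lower():
            continue
        hidden = _is_hidden(attrs)
        findings.append({
            "src": src,
            "host": host,
            "hidden": hidden,
            "severity": "high" if hidden else "medium",
        })
    return findings


# Constructed sample page: one legitimate embedded player, one injected
# zero-size iframe pointing at a documentation-range IP, one local iframe.
SAMPLE_PAGE = """<html><body>
<h1>Fan site</h1>
<iframe src="http://videos.example.com/player" width="400" height="300"></iframe>
<iframe src="http://203.0.113.7/index.php" width="0" height="0" style="display:none"></iframe>
<iframe src="/news.html" width="600" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_PAGE, "fansite.example"):
        print(f["severity"], f["src"])
```

Run it against a saved copy of your own front page with your site's hostname; a "high" finding pointing at a host you do not recognise is the indicator described above and deserves a look at the raw HTML around it.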

Figure 3: IcePack toolkit - login page

Figure 4: IcePack toolkit - exploitation rate page

The toolkit serves an obfuscated malicious script that exploits six different vulnerabilities:

  • MDAC - CVE-2006-0003
  • Windows Media Player plug-in for Firefox and Opera - CVE-2006-0005
  • WebViewFolderIcon ActiveX - CVE-2006-3730
  • VML - CVE-2006-4868
  • Winzip FileView ActiveX - CVE-2006-6884
  • QuickTime RTSP - CVE-2007-0015

The toolkit also uses evasion techniques: it refuses visitors from specified countries, and it serves the exploit only once to any given IP address, which minimizes its exposure to security vendors. A repeat request from the same address therefore does not receive the exploit, so the malicious page has to be captured on the first fetch.

According to the toolkit's author, its exploitation rate is about 50% for Russian visitors and about 20% for visitors overall. He also asks at least $400 for the toolkit.

Posted by Aviv Raff
