Thenews.com.pk infected with a trojan

Jang Group website (thenews.com.pk) is currently infected with a trojan which tries to download a PDF file which contains the exploit.

Here is the VirusTotal check on the PDF website

http://www.virustotal.com/analisis/6779fd91fd3f3a9aa17e1198af5f599d50bc8e17f0c0abd0232dd67ab02cf1f6-1247467328

The file is being downloaded from a Chinese website.

http://updatedate.cn. The code is injected at the bottom of the page. You can take a look at the source code.


If anybody knows someone in the tech department of Jang Group, please contact them immediately; many people will become infected if this continues.

Regards,

Nasir Ghaznavi

http://www.hostingfest.com

I have already contacted their webmaster but I am not sure if they even read their emails. A phone call is needed.

Nasir Ghaznavi

http://www.hostingfest.com

It is more complex than I thought.

The iframe on thenews.com.pk loads the main page of the updatedate.cn website. It is a browser- and IP-sensing page and modifies its output based on which browser you are using. In Firefox it even tries to inject code into the Skype extension if you have that installed. It also tries to download the PDF (which contains another exploit) among other things. Sometimes it does not load anything, maybe after you have visited the site at least once.

Here is the code injected if you are using Firefox.




Nasir Ghaznavi

http://www.hostingfest.com
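
For site owners who want to check their own pages for the kind of injected off-site iframe described in this thread, here is a small audit script. It is an added example, not part of the original posts; the host names and sample HTML are constructed, and the hidden-frame heuristics are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAudit(HTMLParser):
    """Collect iframes whose src is off-site, noting hidden ones and ones
    that appear after </body> (appended to the bottom of the page)."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.body_closed = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.body_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs and the site's own (sub)domains are not reported.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        style = a.get("style", "").replace(" ", "").lower()
        # Assumed heuristics for an invisible frame: tiny size or hidden via CSS.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"host": host, "hidden": hidden,
                              "after_body": self.body_closed,
                              "line": self.getpos()[0]})

def audit_page(html, site_host):
    """Return one finding per off-site iframe in the given HTML."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one legitimate same-site frame, one frame appended after </html>.
SAMPLE = """<html><body>
<h1>Headlines</h1>
<iframe src="http://media.news.example/ticker.html" width="300" height="50"></iframe>
</body></html>
<iframe src="http://injected.example/" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, "news.example"):
        print(finding)
```

Running it on a schedule against the live pages, not only the copies on a development machine, also catches the reinfection case reported later in the thread.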

I called "The News" internet department. The person who picked up the phone first could not find anything and then told me to hold to connect me to someone. That connection never happened even after keeping me on the phone for around 15 minutes.

Pakistan at its best.

Nasir Ghaznavi

http://www.hostingfest.com

This now seems to have been fixed, as the exploit code is not there in the page anymore.

At this point in time the site has the exploit again embedded in its code.

[quote]

I called “The News” internet department. The person who picked up the phone first could not find anything and then told me to hold to connect me to someone. That connection never happened even after keeping me on the phone for around 15 minutes.

Pakistan at its best.

Nasir Ghaznavi

http://www.hostingfest.com

[/quote]

:lol:

They probably just removed the code, but as long as the security hole is there, the site will keep getting infected over and again.

I fail to understand why webmasters do not pay any attention to user experiences and grievances. They do not even check web sites outside of their development machines. :S

I don't want to sound like a broken record, but the page is infected again. It is a high-usage site, so if anyone has anyone working there, please get them to fix this completely.

How many people are getting infected, nobody knows. But most of them are Pakistanis, and we do not have so much bandwidth to give to bot networks :)