The Register®

Original URL: http://www.theregister.co.uk/2009/07/01/torrentreactor_breach/

Torrentreactor breach serves potent exploit cocktail

iframe redirection redux

By Dan Goodin

Posted in Security, 1st July 2009 16:19 GMT


Torrentreactor has long been regarded as one of the top BitTorrent search engines, and with the demise of The Pirate Bay [1], it's likely bigger than ever. Now it has been breached and is serving a potent cocktail of exploits to people browsing the site, Websense Security Labs says.

Attackers have managed to inject an iframe into the site that scours Torrentreactor visitors' computers for a long list of vulnerable applications, including Adobe's Reader and Shockwave programs and Microsoft's Internet Explorer and Office Snapshot Viewer. When it finds one, it downloads and runs a malicious file.

According to Websense [2], the malware has an extremely low detection rate [3], with just two of 32 anti-virus engines identifying the threat. Once executed, it installs a rootkit on victims' machines.

This isn't the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack [4], according to Dancho Danchev.

The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches [5] suggest has ties to the Russian Business Network. We'll be steering clear of this site for the time being. ®