Original URL: http://www.theregister.co.uk/2009/07/01/torrentreactor_breach/
Torrentreactor breach serves potent exploit cocktail
iframe redirection redux
Posted in Malware, 1st July 2009 16:19 GMT
Torrentreactor has long been regarded as one of the top BitTorrent search engines, and with the demise of The Pirate Bay (http://www.theregister.co.uk/2009/06/30/pirate_bay_next_stop/), it's likely bigger than ever. Now, it's been breached and is serving a potent cocktail of exploits to people browsing the site, Websense Security Labs says.
Attackers have managed to inject an iframe into the site that scours Torrentreactor visitors' computers for a long list of vulnerable applications, including Adobe's Reader and Shockwave programs and Microsoft's Internet Explorer and Office Snapshot Viewer. When it finds one, it downloads and runs a malicious file.
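The compromise described above works by planting a hidden iframe in otherwise legitimate pages, so the first thing a site operator wants is a way to spot such a frame in the HTML actually being served. The following is an added example, not code from The Register, Websense or Torrentreactor: a small auditor that parses a page, lists every iframe whose source is off the site's own allow-list or that is styled to be invisible, and reports why. The allow-list hosts, the sample page and the `exploit-host.invalid` name are all constructed for the example.

```python
"""Flag injected, hidden iframes in served HTML (added example, not the
article's or Websense's code). Sample markup and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own origins, the only hosts it legitimately frames.
ALLOWED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}


def _is_hidden(attrs):
    """Heuristics for frames meant to be invisible to the visitor:
    zero/one-pixel dimensions, display:none, visibility:hidden or
    off-screen absolute positioning."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip().rstrip("px")
    height = (attrs.get("height") or "").strip().rstrip("px")
    tiny = width in {"0", "1"} or height in {"0", "1"}
    hidden_style = ("display:none" in style
                    or "visibility:hidden" in style
                    or "left:-" in style or "top:-" in style)
    return tiny or hidden_style


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that points off-site or is hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""  # "" for relative sources
        reasons = []
        if host and host not in ALLOWED_HOSTS:
            reasons.append(f"external host {host}")
        if _is_hidden(a):
            reasons.append("hidden or zero-size frame")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_html(html):
    """Return a list of suspicious iframes found in the given HTML."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate ad frame, one injected hidden frame.
SAMPLE_HTML = """<html><body>
<h1>Search</h1>
<iframe src="https://cdn.example-site.test/ad.html" width="300" height="250"></iframe>
<iframe src="http://exploit-host.invalid/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"SUSPICIOUS iframe src={finding['src']!r}: "
              + "; ".join(finding["reasons"]))
```

Run against a crawl of the site's own pages (or a diff of pages against a known-good copy), this catches the two traits the injected frame in this incident shares with most drive-by redirects: it loads from a host the site never frames, and it is sized or styled so the visitor never sees it.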
According to Websense (http://securitylabs.websense.com/content/Alerts/3430.aspx?cmpid=sltw), the malware has an extremely low detection rate (http://www.virustotal.com/analisis/0df0d26cbb793ba612236b9750309b3e545fa5339e4da159062abfe6f326b2b7-1246425266), with just two of 32 anti-virus engines identifying the threat. Once executed, it installs a rootkit on victims' machines.
This isn't the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack (http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html), according to Dancho Danchev.
The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches (http://www.google.com/#hl=en&q=78.109.29.116&aq=f&oq=&aqi=&fp=0HaVFWYNOH8) suggest has ties to the Russian Business Network. We'll be steering clear of this site for the time being. ®
