Trend Micro provides removal instructions for affected users

Mar 20, 2012 15:27 GMT  ·  By

A few days ago we learned that one of the most popular news sites in the Netherlands had been compromised to serve visitors a piece of malware called Sinowal. Trend Micro researchers analyzed the incident and came up with some interesting conclusions.

The experts believe that the fact that the malicious scripts were activated right before lunch time was probably not random, mainly because that’s the time when most users check the news.

The scripts used in the attack were identified as JS_IFRAME.HBA, which in turn led to another one that loaded different exploits.

In this case, the exploit kit was the one called Nuclear Pack, designed to check the affected systems for known vulnerabilities in applications such as Adobe Reader, Java and a number of Windows components.

Once the security holes were exploited successfully, the Sinowal Trojan (TROJ_SINOWAL.SMF) was downloaded and began performing its malicious tasks.

Users who visited the site on March 14 between 11:30 and 12:30 CET can take a look at these Sinowal removal instructions.