If you have visited the website of anti-virus company Trend Micro this week there is a chance that your computer has been exposed to malware.
According to reports in the Japanese media, a number of webpages on the firm’s Japanese and English-language website were altered by hackers on Sunday 9 March, who used a malicious iFrame exploit to deliver a Trojan horse onto surfers’ computers.
Trend Micro is believed to have uncovered the problem on Wednesday 12 March and replaced affected pages with a message saying “This page is temporarily shut down for emergency maintenance”, as the following image from the www.trendmicro.co.jp site shows:
It has not yet been revealed how the webpages on the security website were altered by the hackers, although it is likely a software vulnerability on the site was exploited.
According to information posted on Trend Micro’s website, the following analysis pages were compromised in Trend’s Virus Info section: ADW_BRUNME.A, ADW_ZANGO.A, ADWARE_ADBLASTER, ADWARE_EXACTADVERTISING, ADWARE_EZULA.ILOOKUP, TSPY_AGENT.HS, TSPY_ANICMOO, TSPY_GOLDUN.GEN, TSPY_HUPIGON.ZY, TSPY_Lmir, TSPY_Tiny, ADWARE_BHO_WEBDIR, ADWARE_BHO_WSTART, HKTL_MDBEXP.A, POSSIBLE_OTORUN3, SPYWARE_TRAK_RADMIN, TROJ_ARTIEF-1, TROJ_CLAGGER.D, TSPY_BANKER-2.002, TSPY_BANKRYPT.N, TSPY_GAMANIA.CI, TSPY_GOLDUN.GEN, TSPY_LINEAGE, TSPY_ONLINEG.DAU, TSPY_ONLINEG.OAX, TSPY_QQPASS, TSPY_SDBOT.BTI, W97M_DLOADER.BKV, WORM_IRCBOT.JK, WORM_NYXEM.E and WORM_SOBER.AG.
Trend Micro reported on its website that web surfers could be infected by the malware, which they named JS_DLOADER.TZE, either by accessing one of the infected webpages or clicking a URL link embedded in the malware’s name.
The anti-virus firm has recommended that visitors to their site check that their computers are not infected. (Please note: At the time of writing we have only found a warning for customers on the Japanese-language version of Trend Micro’s website, although we have confirmed that the English-language version was also infected.) The JavaScript attempted to install further malicious code from the web onto visiting Windows computers.
Sophos detects the malicious software associated with the attack as Mal/Iframe-F, Troj/Drop-I, and the Troj/Portles-E backdoor Trojan horse. Analysts have discovered thousands of other webpages (detected as Troj/Badsrc-A) on other websites that have been infected in the same way.
In a nutshell – what has happened here is a criminal act, and our friends at Trend Micro (and people visiting the hacked pages) are victims of the crime. Sadly it’s not an uncommon crime these days – and all kinds of businesses have suffered.
This isn’t the time or place to make cheap shots against a competitor. The good news is that Trend Micro took the affected webpages down as soon as they discovered there was a problem, and the problem no longer appears to exist.
All other companies with a web presence should take this unfortunate incident as an opportunity to check that their own websites are properly secured, and ensure that they have web-filtering solutions in place.
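One concrete way a site owner can act on that advice is to scan their own published HTML for the kind of injection described above: an iframe that has been slipped into a legitimate page, points off-site, and is sized or styled so that visitors never see it. The following script is an added example written for this post; it is not code from Sophos or Trend Micro, and the sample page, host names and malware-page paths in it are constructed placeholders. It uses only the Python standard library, so it can run offline against saved copies of a site's pages.

```python
"""Flag iframes that look injected into a web page (defensive integrity check).

Added example for this post; not code from Sophos or Trend Micro. The page
below is constructed for the example and the domain names are placeholders.
Heuristic: an <iframe> whose source is off-site AND which is tiny or hidden
is reported. Ordinary, visible, full-size embeds are left alone.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes arrive as None; normalise them to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1, with or without 'px'."""
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")


def _is_hidden(style):
    """True when the inline style makes the element invisible."""
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def suspicious_iframes(html, site_host):
    """Return a list of findings for iframes that look injected.

    site_host is the host name the page is served from; relative sources
    are treated as on-site, absolute sources are compared against it.
    """
    finder = IframeFinder()
    finder.feed(html)
    findings = []
    for attrs in finder.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        off_site = host.lower() != site_host.lower()
        tiny = _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", ""))
        hidden = _is_hidden(attrs.get("style", ""))
        if off_site and (tiny or hidden):
            findings.append({"src": src, "host": host, "tiny": tiny, "hidden": hidden})
    return findings


# Constructed sample page: one legitimate on-site frame, one visible partner
# embed, and two hidden off-site frames of the type drive-by injections use.
SAMPLE_PAGE = """
<html><body>
<h1>Virus encyclopedia entry</h1>
<iframe src="/widgets/search.html" width="400" height="300"></iframe>
<iframe src="http://injected.invalid/a.html" width="0" height="0"></iframe>
<iframe src="http://injected.invalid/b.html" style="display: none"></iframe>
<iframe src="http://partner.example/banner" width="300" height="250"></iframe>
</body></html>
"""


def main():
    for f in suspicious_iframes(SAMPLE_PAGE, "www.example-av.test"):
        reason = "tiny" if f["tiny"] else "hidden"
        print(f"suspicious iframe ({reason}) -> {f['src']}")


if __name__ == "__main__":
    main()
```

Run on the constructed page it reports the two hidden off-site frames and ignores both the on-site search widget and the visible partner banner. In practice the check is most useful when run regularly against the live site and compared with a known-good copy of each page, so that any newly appearing frame stands out even before its size or style is examined.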
Sophos discovers a new infected webpage every 14 seconds. In the past we’ve found websites as varied as Wedding Photographers, Antiques firms, Pilates Classes, Ice Cream Manufacturers and even the US Consulate General in St Petersburg who have been the unfortunate victims of a malicious web attack. It seems we now have to add anti-virus companies to that list.
PS. Trend Micro isn’t the first example of a security company’s website being hacked. For instance, in 1999 hackers changed the home page of Symantec – although in that instance the motivation was apparently to cause mischief rather than to spread malware.