As we were working through URLs identified as suspicious due to our GTI technology, one of the URLs that presented itself was an average “.com” site that loaded a php. As we processed this – it was interesting to see that this php actually reached out to download a file that ended with the string — as this “.com” site was very social-network friendly – it would be easy to see how an average user, without web protection in place, would not even realize what was going on.

And what was this *  This was  detected as:

File received on 2010.03.10 19:54:18 (UTC)
Antivirus Version Last Update Result
AntiVir 2010.03.10 TR/Injector.Awi.88
AVG 2010.03.09 I-Worm/Stration.IPY
BitDefender 7.2 2010.03.10 GenPack:Backdoor.SDBot.DGEY
F-Secure 9.0.15370.0 2010.03.10 GenPack:Generic.Malware.SYd!Cdldsp.B424F431
GData 19 2010.03.10 GenPack:Backdoor.SDBot.DGEY
Jiangmin 13.0.900 2010.03.10 Trojan/Buzus.chp
Kaspersky 2010.03.10 Trojan.Win32.Buzus.dmgy
McAfee+Artemis 5916 2010.03.10 Artemis!6B8A163B27CD
McAfee-GW-Edition 6.8.5 2010.03.10 Trojan.Injector.Awi.88
Microsoft 1.5502 2010.03.10 VirTool:Win32/CeeInject.gen!BE
NOD32 4932 2010.03.10 a variant of Win32/Injector.AWI
Prevx 3.0 2010.03.10 High Risk Worm
Sunbelt 5816 2010.03.10 Trojan.Win32.Generic!BT

 By the time I am writing this – it is already being seen with further visibility across McAfee Artemis detection and we are making sure that all of our products protect against this threat.

This server where this was hosted has already been taken off-line – however, this threat, maneuver, and piece of malware will continue to be seen again, and again, and again. In fact, we already have other webservers that are hosting that same attack – along the same lines – and will be continuing to monitor and follow this particular attack.