The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install though an ActiveX object. Sample domains targeted within the past 48 hours :
lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu; www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com; boisestate.edu; aoa.gov; gustavus.edu; archive.org; gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org; mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html Regards -- Dancho Danchev Cyber Threats Analyst/Blogger http://ddanchev.blogspot.com http://windowsecurity.com/Dancho_Danchev _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
