Sunday, May 11, 2008

Mass File Injection - Redirecting to DNSChanger Download

Mike from's team has discovered a mass file injection attack that is injecting the 2 URLs below into sites running any version of the phpBB forum software.


The 2 URLs point to a JavaScript redirect script that automatically redirects visitors to a fake codec download site. These fake codecs are known as DNSChanger. Anyone running phpBB should check their servers.
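One way to run that server check, as an added example that is not from the original post: walk the forum's web root and report every script tag that loads from a host you do not own. It assumes the injection appears as a literal `<script src=...>` reference in template, PHP or HTML files; the function names, the allowlist host `forum.example.org`, and the sample files with `injected.example` are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches <script ... src=...> with quoted or unquoted URLs, any letter case.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".tpl", ".html", ".htm", ".js"}


def find_offsite_scripts(webroot, allowed_hosts):
    """Return (path, line_no, url) for each script tag loading from a host not allowed."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for url in SCRIPT_SRC.findall(line):
                        host = urlparse(url).hostname  # None for relative (local) paths
                        if host and host not in allowed:
                            findings.append((path, line_no, url))
    return findings


def demo():
    """Scan a small constructed phpBB2-style template tree (sample data, not real IoCs)."""
    samples = {
        "overall_header.tpl": '<script src="templates/subSilver/menu.js"></script>\n',
        "overall_footer.tpl": '</table>\n<SCRIPT language=javascript src=http://injected.example/r.js></SCRIPT>\n',
        "index_body.tpl": '<script type="text/javascript" src="//forum.example.org/js/ui.js"></script>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates", "subSilver")
        os.makedirs(tpl)
        for name, body in samples.items():
            with open(os.path.join(tpl, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = find_offsite_scripts(root, {"forum.example.org"})
        return [(os.path.relpath(p, root), n, u) for p, n, u in hits]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A literal-tag scan like this misses references that are assembled at runtime or stored in the database, so a clean result should be confirmed against a known-good copy of the forum files.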

At the time of this writing, over 400,000 hits are shown in Google when you search for the URLs.

If anyone has any information as to how the scripts are being injected or which exploit is being used, please contact me at dnelson(shift+2)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AntiVir | | 2008.05.11 | DR/Dldr.DNSChanger.Gen |
| AVG | | 2008.05.11 | DNSChanger.AE |
| ClamAV | 0.92.1 | 2008.05.11 | Trojan.Dropper-6806 |
| F-Secure | 6.70.13260.0 | 2008.05.12 | |
| Ikarus | T3. | 2008.05.12 | |
| Kaspersky | | 2008.05.12 | |
| Norman | 5.80.02 | 2008.05.09 | Vundo.gen171.dropper |
| Prevx1 | V2 | 2008.05.12 | Cloaked Malware |
| Sophos | 4.29.0 | 2008.05.11 | Troj/Zlobar-Fam |
| TheHacker | | 2008.05.11 | Trojan/DNSChanger.chg |
| Webwasher-Gateway | 6.6.2 | 2008.05.11 | |


Highway of Life said...

It’s important to note that currently only phpBB2 installations have been affected. The newest version of phpBB (v3.0.1) has not been affected.
If someone has had their phpBB2 board hacked, they should report it to the Incident Tracker.

Domber said...

The way they try to distribute the binaries is pretty well made this time ...
I wrote some summary at:

Thanks for your posting!

