HTML:Script-inf infection uses un-patched Microsoft bug to spread
Consumer website of Leading Mobile operator infected by malware
(PRAGUE, Czech Republic, June 28th, 2010) AVAST Software, developer of the award-winning avast! antivirus, released a report today proving wrong the general "feeling" that it is the 'dodgy' and 'adult' sites that are virus infected. "We are not recommending people to start searching for erotic content, not at all," says CTO Ondrej Vlcek, "but the statistics are clear - for every infected adult domain we identify there are 99 others with perfectly legitimate content that are also infected."
In the UK, for example, every day we see more infected domains containing the word "London" (such as the blog section of http://kensington-london-hotels.co.uk/) than infected domains containing the word "sex". The latest discovery of an infected site is the Vodafone UK website. This infection, in the smartphones section, shows how advanced the bad guys are at finding ways to deliver malware to internet users.
The infection of Vodafone, which was confirmed as still present on the morning of Monday, 28th of June, 2010, is an HTML:Script-inf infection, an evolution of the JS:illRedir and JS:ilIiframe exploits. This type of infection is widespread and accounts for 20% of all infected UK pages. The infection takes advantage of a two-week-old Microsoft Windows vulnerability. As Ondrej Vlcek explains, "The problem is particularly bad because the CVE-2010-1885 vulnerability targets the most widely used version of Windows, and at the present time it is still un-patched. This means that even if a user is running a fully updated Windows XP SP3 with all the security patches, the user is still vulnerable."
The avast! antivirus installed on a Community member's computer performs a rigorous scan and examines the behaviour of every visited site for any infection, viruses, or suspicious activity. If this uncovers malware, avast! then shuts off the connection, protecting the user's computer, and sends data to a research team for analysis. This anonymous packet of data includes information on the malware type, the visited website, and the type of tested application. By combining reports from individual Community members, researchers are able to chart the duration of the infection and the likely number of total visitors.