Reputable sites infected by viruses


I can’t remember getting spam from a suburban motor vehicle dealer, at least not from one based in Dubai (I am in Australia). Western Auto LLC part of the Western Group wants to sell me Chinese-made Foton brand 3 Ton Pickups with free insurance and registration.

The sender used the IP address 91.73.188.181, which is allocated to Emirates Integrated Telecommunications Company in Dubai, probably their ISP. So it’s a genuine email probably sent from their office. A sentence in the spam email caught my eye:
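The check described above (reading the sender's IP out of the message headers and asking who it is allocated to) can be done mechanically. The script below is an added example, not code from the original post: it walks the `Received:` chain of a constructed sample message from the bottom (earliest hop) upwards, skips private addresses, and returns the first public address, then matches it against a small allocation table. The hostnames, dates and the `91.73.0.0/16` prefix in the table are constructed for the example; only the address 91.73.188.181 and the allocation name come from the post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (not taken from the post). The earliest
# Received line carries the address the post names for the spam sender.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mail.example.org with ESMTP id abc123; Tue, 3 Mar 2009 10:15:02 +1100
Received: from [192.168.1.20] (unknown [91.73.188.181])
\tby mx1.example.net with SMTP; Tue, 3 Mar 2009 08:14:55 +1100
From: sales@example.com
Subject: Foton 3 Ton Pickups

body
"""

# Constructed allocation table: the prefix is a placeholder block, not a
# real RIR record; the owner string is the name the post gives for the IP.
ALLOCATIONS = [
    (ipaddress.ip_network("91.73.0.0/16"),
     "Emirates Integrated Telecommunications Company, Dubai"),
]

# Matches a dotted quad, optionally wrapped in square brackets.
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_ips(raw):
    """Return every IPv4 address found in the Received headers, top to bottom."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        for candidate in IP_RE.findall(hdr):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
    return ips


def originating_ip(raw):
    """First public address in the earliest Received header.

    Received lines are prepended by each relay, so the bottom line is the
    earliest hop. Only the line added by your own MTA is trustworthy; any
    line below it could have been written by the sender.
    """
    msg = message_from_string(raw)
    for hdr in reversed(msg.get_all("Received", [])):
        for candidate in IP_RE.findall(hdr):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if ip.is_global:  # skips RFC 1918 and other special-use ranges
                return ip
    return None


def lookup_allocation(ip, table=ALLOCATIONS):
    """Return the owner of the first network in the table containing ip."""
    for net, owner in table:
        if ip in net:
            return owner
    return None


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_HEADERS)
    print("hops seen:", [str(x) for x in received_ips(SAMPLE_HEADERS)])
    print("originating IP:", ip)
    print("allocated to:", lookup_allocation(ip))
```

In real use the allocation table would come from a WHOIS or RIR lookup rather than a hard-coded list, and the `Received:` line added by your own mail server is the only one whose contents you can rely on.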

Western Auto LLC is part of the renowned ETA Ascon group (www.etaascon.com) of companies, a diversified conglomerate, belonging to the Al Ghurair group of Dubai.

ETA Ascon

I have removed the link for the above site but when I clicked it to check out the parent company, Norton Internet Security 2009 flashed a warning. (See image on the right)

65 pages on the ETA Star Group site are infected! An example of a problem page is:

Threat Name: Downloader
Location: http://www.etaascon.com/ascon/article_display.asp?cat_id=92&sub_cat_id=153&art_id=155

The link “Downloader” above tells us that this is a “low-risk” threat because it merely “connects to the Internet and downloads other Trojan horses or components.” I did not explore the site but it is troubling that a corporate site has been infected in this manner.

While searching for this site in Google, the results page displays the same warning symbol next to ETA Star Group and also further down the page next to Business.Maktoob.com (do not go there). The latter has only six infected pages but they are more ominous:

I decided to explore other sites in Google and Norton Internet Security found a few infections:

  • Dubaicityguide.com – 1 drive-by download
  • Drypen.in – 4 drive-by downloads
  • Visakha.in – 3 drive-by downloads
  • Syscontech.in – 3 drive-by downloads (also marked “This site may harm your computer”)
  • YRU.ac.th – 1 phishing attack
  • Dopa.go.th – 1 W97M.Babals virus (also marked “This site may harm your computer”)

I noticed that some of the above sites run the Windows operating system, so it would be easy to infect the web server compared to a Java- or PHP-based web server. I used the site: operator in Google to sample random TLDs, e.g. site:.th for Thai sites.

Intrigued, I checked out the Western hemisphere and found fewer infected sites:

  • WDR.de – 1 Bloodhound.Exploit.105 virus
  • Smart60.ru – 4 HTTP Malicious Toolkit Variant Activity
  • DSE.nl – 1 Trojan Horse

A curiouser exception at the USA DOJ is:

  • National Criminal Justice Reference Service – 1 virus in a PDF document

Possibly some of the above assessments by Norton Internet Security 2009 are false positives, but it appears that the viruses and other nasty infections have no respect for nationalities or size of organisations. I should point out that these random checks revealed just one or two sites for every 100-200 search results, so there isn’t an epidemic out there. I am thankful for the software alert that stopped me from checking out the company behind the spam email that started this post.

I will write a review of Norton Internet Security 2009 soon.
