MCRC Blog - 2009
| Jun 29, 2009 | India’s Institute of Remote Sensing Government Website Compromised | In May, we reported on a Government of India website that was compromised and used for serving malicious code. Last week, we detected that another Government of India website, “iirs-nrsa.gov.in”, was compromised by cybercriminals who use it as a malicious code distribution channel. In this case, the criminals injected a script into the website that adds an IFrame to the page. This IFrame redirects the website's visitors to malicious content. |
| Jun 17, 2009 | The Golden Cash Botnet | In our recent Cybercrime Intelligence report, we described the business side of the Golden Cash botnet. In this blog post, we will provide you with more technical information about the botnet C&C server and the attack lifecycle. |
| Jun 11, 2009 | Security vendors watch out, your IP address might be blacklisted by cybercriminals | In our previous blog posts we wrote a lot about how malicious code writers use different coding techniques to (successfully) evade detection by security products. To give just a few examples: code obfuscation, evasive techniques, dynamic encryption methods; the list goes on and on… |
| May 20, 2009 | Did You Update Your Unique Pack Toolkit Today? | Recently we wrote about a crimeware toolkit called “Unique Pack”, which is one of the most popular toolkits “in the wild” these days. Just like other popular toolkits we reported on in the past, these are highly successful in exploiting end users' PCs when released. However, the effectiveness of exploitation decreases as time passes, since more and more users are patching their PCs. |
| May 10, 2009 | India’s Union Public Service Commission Government Website Compromised | A Government of India website, upsc.gov.in, was compromised by cybercriminals. The criminals injected IFrames that directed visitors to malicious content. |
| Apr 22, 2009 | How a cybergang operates a network of 1.9 million infected computers | Today we announced our recent discovery of a network of 1.9 million infected computers controlled by cybercriminals. This is one of the largest bot networks controlled by a single team of cybercriminals (or cybergang) that we found this year. In this blog post we will provide you with additional details about this network, the malware in use and how the operators are using it to make money – after all, this is the main driver of cybercrime today. |
| Mar 18, 2009 | A strike for lucky – LuckySploit Toolkit Exposed | In the past three years we have written many times about crimeware toolkits. These toolkits have become the cybercriminals’ tool of choice when conducting crime online. Since the moment we spotted the first crimeware toolkit – the WebAttacker – we have seen hundreds of them all over the web, and we still see them today. |
| Feb 26, 2009 | Cyber Sino-Japanese War? | Recently we reported on a high-ranking Japanese website which was compromised by cybercriminals. This time we discovered an even higher-ranked site that was compromised: Livedoor.jp. This popular web portal is owned by a Japanese ISP and has an Alexa ranking of 6 in Japan, and 70 worldwide. |
| Feb 24, 2009 | Finjan Prevents PDF Zero-Day Exploit “in the wild” | Since December 2008, the security community has reported on 3 zero-day attacks. We at Finjan are pleased to announce that our brand new unified Secure Web Gateway, utilizing our patented active real-time content inspection technology, prevents all 3 attacks proactively, without the need for a product update. |
| Feb 24, 2009 | Malware and the rising sun website | We at Finjan always claim that malware has no boundaries, and national borders won’t prevent cybercriminals from infecting websites with their malware. To demonstrate, let us take a closer look at the following site, which is ranked 41 in Japan (!) and 382 worldwide, according to Alexa: yaplog.jp |
| Feb 24, 2009 | Finjan prevents exploits for MS09-002 found “in the wild” | As with the IE7 zero-day exploit (CVE-2008-4844) that was disclosed in December 2008, Finjan’s active real-time content inspection technology also prevents attempts to exploit the recently patched IE7 vulnerability (MS09-002, CVE-2009-0075) without any product update. This is what we call Proactive Web Security. |
| Feb 16, 2009 | Going along the crimeware toolkits chain – toolkits operators are sharing skills to gain money | A popular flash game site (flashgamesite.com) with an Alexa traffic rank of 15,610 was recently compromised. Our research indicates that cybercriminals added a malicious IFrame to the page, redirecting the page to http://[--REMOVED--]/in.cgi?10 |
| Feb 01, 2009 | Free web (malicious) hosting | As most of you probably know, in order to upload your website to the internet you don’t have to sign a contract, supply your personal details or pay for the service; you can simply search for free web hosting. The search will return lots of options that offer everything you need in order to publish your website online, sometimes with an advertisement added by the service provider. |
| Jan 25, 2009 | Evasive URL techniques | At least two popular web browsers, Firefox and Chrome, use Google Safe Browsing to warn users about phishing sites and other malware. Cybercriminals seem to be aware of the fact that users are getting the following warning screens from these browsers and thus avoid visiting the malicious site |


