IndiaTimes Hack Leads to Cocktail of Compromise
ScanSafe STAT has been investigating some OI blocks from certain pages on the IndiaTimes website (www.indiatimes.com). The IndiaTimes site is pretty huge - part of India's largest media and entertainment house, The Times Group. Alexa gives the site a traffic ranking of 483.
ScanSafe first started blocking the pages on October 25th. We scan over 7 billion web requests a month, and about 70 million of those result in blocks, so while our customers were protected the threat didn't bubble up on our radar for a few days. In any event, the impacted pages contain an injected script which points to a remote site; that site in turn serves iframes pointing to two additional sites. One of those sites served cookie-setting scripts and an iframe pointing to a site that was no longer active. The other iframe pointed to an encoded (obfuscated) script which exploits multiple browser vulnerabilities. The choice of initial vulnerabilities suggests the Metasploit Framework may have been used to carry out the attacks. A successful exploit results in a massive download of malware and assorted other files: we counted 434 before we finally pulled the plug (figuratively and literally speaking).
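The chain described above (an injected off-site script, hidden iframes to further hosts, and an encoded script that decodes and writes yet another iframe) is exactly what a page scanner has to unwind. The following is an added example, not ScanSafe's detection code and not the actual injected markup from the IndiaTimes pages: it walks a constructed sample page, flags off-site script sources, hidden or off-site iframes, and inline scripts that feed long %XX or \xXX runs into a decoding sink, then decodes those runs to recover the next hop in the chain. All hostnames (*.invalid) and the sample page are assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page (hypothetical .invalid hosts). It mimics the chain
# the post describes: an injected off-site <script>, a hidden <iframe> to a
# second host, and an inline script that unescape()s and document.write()s a
# further iframe. This is NOT the real injected code from the incident.
SAMPLE_PAGE = """<html><head><title>Example story</title>
<script src="/js/site.js"></script></head><body>
<p>Story text.</p>
<script src="http://stat-counter.invalid/c.js"></script>
<iframe src="http://ads.invalid/show.php" width="0" height="0" style="display:none"></iframe>
<script>
var s = unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%2E%69%6E%76%61%6C%69%64%22%3E');
document.write(s);
</script>
</body></html>"""

# Functions that turn encoded text back into executable markup or code.
DECODE_SINKS = re.compile(r'\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(')
# A run of at least 16 consecutive %XX or \xXX escapes: typical of encoded payloads.
ESCAPED_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2}){16,}|(?:\\x[0-9A-Fa-f]{2}){16,}')
SRC_ATTR = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)


class TagCollector(HTMLParser):
    """Collect <script>/<iframe> attributes and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.inline = [], [], []
        self._buf = None  # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        d = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'script':
            self.scripts.append(d)
            self._buf = []
        elif tag == 'iframe':
            self.iframes.append(d)

    def handle_endtag(self, tag):
        if tag == 'script' and self._buf is not None:
            self.inline.append(''.join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def is_offsite(url, page_url):
    """True when url names a host other than the page's own host.
    Exact host comparison; a production scanner would compare registrable domains."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host != urlparse(page_url).netloc.lower()


def is_hidden(attrs):
    """Zero/one-pixel dimensions or CSS hiding: the usual drive-by iframe shape."""
    style = attrs.get('style', '').replace(' ', '').lower()
    tiny = any(attrs.get(k, '').strip().rstrip('px') in ('0', '1')
               for k in ('width', 'height'))
    return tiny or 'display:none' in style or 'visibility:hidden' in style


def decode_escaped_runs(code):
    """Return the plaintext of every long %XX / \\xXX run found in a script body."""
    out = []
    for m in ESCAPED_RUN.finditer(code):
        run = m.group(0)
        out.append(unquote(run) if run.startswith('%')
                   else run.encode('ascii').decode('unicode_escape'))
    return out


def scan_page(page_html, page_url):
    """Return a list of findings: dicts with 'kind', 'url' and 'reason'."""
    c = TagCollector()
    c.feed(page_html)
    findings = []
    for s in c.scripts:
        if s.get('src') and is_offsite(s['src'], page_url):
            findings.append({'kind': 'script', 'url': s['src'],
                             'reason': 'off-site script src'})
    for f in c.iframes:
        reasons = []
        if is_offsite(f.get('src', ''), page_url):
            reasons.append('off-site iframe')
        if is_hidden(f):
            reasons.append('hidden (zero-size or display:none)')
        if reasons:
            findings.append({'kind': 'iframe', 'url': f.get('src', ''),
                             'reason': '; '.join(reasons)})
    for code in c.inline:
        decoded = decode_escaped_runs(code)
        if DECODE_SINKS.search(code) and decoded:
            findings.append({'kind': 'inline-script', 'url': '',
                             'reason': 'decode sink fed by long escaped run'})
            # Follow the chain one hop: pull src= out of the decoded payload.
            for text in decoded:
                for url in SRC_ATTR.findall(text):
                    findings.append({'kind': 'decoded-src', 'url': url,
                                     'reason': 'src extracted from decoded payload'})
    return findings


if __name__ == '__main__':
    for f in scan_page(SAMPLE_PAGE, 'http://news.example.invalid/story.html'):
        print(f"{f['kind']:14} {f['url']:35} {f['reason']}")
```

Run against the sample, the scanner reports the off-site script, the hidden off-site iframe, the inline script that feeds unescape() into document.write(), and the iframe host recovered from the decoded payload. A real deployment would fetch each recovered URL and re-run the same scan on the response, since, as the post notes, each hop in such a chain typically serves more iframes.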
The installed malware included a cocktail of downloader and dropper Trojans, assorted other malicious binaries, and large amounts of scripts, cookies, and other non-binaries. We ran some of the binaries through VirusTotal and it looks like overall detection among signature-based antivirus vendors is low. Given the nature of the downloaded files, it appears the malware may be intended to turn infected machines into sites used to attack others, or that there may be some malicious peer-to-peer or other filesharing/communication purpose. ScanSafe continues to analyze the attack and we'll update the blog and our Threat Alert Center with those findings.
Edited to add: Btw, we notified the India Times folks via email and by phone on Thursday. (Do you have any idea how late you have to stay up in the U.S. if you want to talk to someone in India?!) Unfortunately, the person we spoke with indicated that it was a holiday in India and they would be unlikely to fix the problem until Monday. They declined to provide us with another contact or to escalate our concerns. As a result, we felt compelled to contact the media: while ScanSafe customers were protected, we realize not everyone is that lucky, and with low detection from antivirus vendors we wanted to get the word out. Thankfully, both InformationWeek and The Register shared our concern.

Reader Comments (1)
I completely agree with everything said here.