On September 10, the Web site for the U.S. Consulate General in St. Petersburg, Russia, was broken into and was serving up malicious iFrames, according to Sophos security researchers. The injected iFrame pulled content from a remote server onto victims' systems and then attempted to silently load further malware. The site, which has since been cleaned up, was only one of 400 compromised sites linking to two distinct malicious attack sites. The U.S. Consulate site was linked to both of those attack sites and was thus compromised with two malicious iFrames. One of the attack sites is hosted in the United States, while many of the compromised pages are in Russia.
Malicious script being loaded from the U.S. site tried to exploit several browser vulnerabilities in order to install a Trojan on victims' systems. Sophos says that the increasing use of automation to re-encrypt and obfuscate Trojans points to a need for a system to continuously monitor files in order to keep up with detection. "Automation is clearly being used—many script families are updated several times daily, and some of the notorious malware families are being rebuilt every 1-4 days," SophosLabs' Fraser Howard wrote in an August paper (PDF) titled "Modern Web attacks."
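As an added, defender-side illustration (not code from Sophos or from the article), the following Python scanner looks for the injection pattern described above in saved copies of a site's pages: iFrames whose source points off-site, especially ones sized to zero or hidden with CSS, and it groups the results by remote host so that many pages fanning in to a few hosts stands out. The sample pages and the example.* hostnames are constructed for the demonstration.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})  # None -> ""

def suspicious_iframes(page_url, html):
    """Return (remote_host, reasons) for iframes whose src leaves the site.
    Same-host embeds are normal; off-site plus 0/1 px or CSS-hidden is the loader pattern."""
    own_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        host = urlparse(a.get("src", "")).hostname
        if not host or host == own_host:
            continue  # same-origin embed, not interesting
        reasons = ["off-site"]
        if {a.get("width", "").strip(), a.get("height", "").strip()} & {"0", "1"}:
            reasons.append("zero-size")
        if HIDDEN_RE.search(a.get("style", "")):
            reasons.append("css-hidden")
        findings.append((host, reasons))
    return findings

def shared_remote_hosts(pages):
    """Map each flagged remote host to the sorted list of pages embedding it."""
    hosts = defaultdict(set)
    for url, html in pages.items():
        for host, _ in suspicious_iframes(url, html):
            hosts[host].add(url)
    return {h: sorted(p) for h, p in hosts.items()}

# Constructed sample pages; the example.* hosts are placeholders, not real indicators.
PAGES = {
    "http://www.example.com/": '<p>Hi</p><iframe src="http://www.example.com/v"></iframe><iframe src="http://bad.example.net/x" width="0" height="0"></iframe>',
    "http://news.example.org/": '<iframe style="display:none" src="http://bad.example.net/y"></iframe>',
    "http://clean.example.org/": "<p>nothing embedded</p>",
}
```

Running `shared_remote_hosts(PAGES)` on the sample reports the two defaced pages under the single remote host they share, while the page's own same-host embed is ignored.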