BANGALORE, INDIA: According to Trend Micro, a global leader in Internet content security, the Indian Embassy in Spain was found serving malware through an injected malicious iFrame that leads to a file detected by Trend Micro as BKDR_TDSS.CG.
Trend Micro researchers were analysing the file to identify its routines.
Initial investigations by Trend Micro researchers also revealed that, aside from the malicious iFrame, a large amount of other code was inserted into the website of the Indian Embassy in Spain. Numerous tags were found in the site with headers containing links to various websites. These headers were hidden from visitors, though, because the code set the size of the header too small to be visible.
Figure 1. Screenshot of code found inserted into the Indian Embassy website
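For site owners checking their own pages for the two artifacts described above (a hidden iFrame and undersized headers carrying outbound links), the following Python scanner is an added example, not code from the article or from Trend Micro. The size cutoff, the finding labels and every host name are assumptions made for illustration, and only inline styles and width/height attributes are inspected.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # assumed cutoff; the article only says "too small to be visible"
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SIZE_CSS = re.compile(r"(?<![-\w])(?:font-size|width|height)\s*:\s*(\d+(?:\.\d+)?)\s*(?:px|pt)?\s*(?:;|$)", re.I)

def is_hidden(attrs):  # inline style or width/height attributes make the element invisible
    style = attrs.get("style") or ""
    sizes = [float(s) for s in SIZE_CSS.findall(style)]
    sizes += [float(attrs[k]) for k in ("width", "height") if (attrs.get(k) or "").isdigit()]
    return bool(HIDDEN_CSS.search(style)) or any(s <= TINY_PX for s in sizes)

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []      # (kind, url) tuples in document order
        self.hidden_stack = []  # currently open hidden h1-h6 tags

    def _external(self, url):  # absolute URL pointing outside the site and its subdomains
        host = urlparse(url or "").hostname
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and is_hidden(a) and self._external(a.get("src")):
            self.findings.append(("hidden-iframe", a["src"]))
        elif re.fullmatch(r"h[1-6]", tag) and is_hidden(a):
            self.hidden_stack.append(tag)
        elif tag == "a" and self.hidden_stack and self._external(a.get("href")):
            self.findings.append(("hidden-header-link", a["href"]))

    def handle_endtag(self, tag):
        if self.hidden_stack and self.hidden_stack[-1] == tag:
            self.hidden_stack.pop()

def scan(html, site_host):
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<h1>Consular services</h1>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
<iframe src="http://injected.example.net/x" width="1" height="1" frameborder="0"></iframe>
<h3 style="font-size:1px; line-height:1.2"><a href="http://pills.example.com/">cheap</a> <a href="/visa.html">visa</a></h3>
<p><a href="http://partner.example.com/">Partner</a></p>"""
```

Calling `scan(SAMPLE, "embassy.example")` flags the 1x1 iFrame and the outbound link inside the 1px header, while the visible map embed, the relative link and the visible partner link are left alone.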
The experts at TrendLabs also indicated that the embassy website wasn’t the only one injected with the code, pointing to the possibility of a massive and global code injection attack. The set of injected code was also reported to change from time to time.
Trend Micro Antivirus experts had also revealed that code inserted into the compromised websites injected pages that look like blog entries into the compromised sites’ domains.
Experts suggested that this was possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.
Figure 2. Inserted pharma blog entries in one of the compromised websites
A further probe into the source suggested that this was possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website was already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.
Amit Nath, country manager, Trend Micro India, said, “In 2007, similar incidents had been found on Italian websites. Online criminals had launched a widespread web attack that had turned tens of thousands of legitimate web sites into weapons and almost all the websites that sourced the malware were from Italy.
In such a case, users should ensure that their software is fully updated and patched, as hackers are relying on users running exploitable programs to gain entry into their systems.”