Do You Remember When... We Used to Pwn

By Matthew Hines  |  Posted 2009-10-22 Print this article Print

Celebrity sites, at least those using the names and likenesses of celebrities for the sake of drawing in Web surfers, have long been a breeding ground for attacks, with the likes of Pamela Anderson, Paris Hilton and more recently Jessica Biel being used to lure end users into visiting URLs that are primarily used to distribute malware infections.

However, in a new twist, the actual official Web site of at least one rock star is currently being used to attempt to drop badware onto people's computers -- of course without the knowledge of the involved celeb, at least we'd hope not.

Now, I'm not old enough to remember Van Morrison's original heyday, but I've certainly lived through enough classic rock revivals and movie soundtracks to know the difference between "Moondance" and "Brown Eyed Girl." And while Morrison is largely known as a relic of the '60s and '70s, the once-reclusive singer has actually enjoyed something of a recent revival, re-appearing in the pages of Rolling Stone and on local stages while touring in support of his long lost cult hit "Astral Weeks" album.

Well, apparently someone in the crimeware community is either a fan or took note of the recent reprise, and took the liberty of infecting Morrison's official Web site with a variation on a malicious iframe attack.

As first reported on Roger's Information Security Blog and later publicized by researchers at Sophos, Morrison's site is currently hosting code that attempts to add the long-running Mal/iframe-F attack to the singer's page from a remote site when users' browsers download content from the URL.

If users download a PDF file, and likely also an ActiveX control, that asks them to accept, their machines will become infected with the attack, researchers said.

Making the attack even more sophisticated, the threat is delivered via a heavily obfuscated script injected into the page that references an iframe, rather than hosting the iframe infection itself, experts at Sophos reported.

So, what this goes to show is that it isn't just fly-by-night fan sites or corny celebrity URLs set up explicitly for the purpose of spreading malware that are proving dangerous for end users. Even those sites belonging to the real celebrities and their marketing teams are being used when attackers can find a vulnerability they can use to launch their attacks.

It's cool to see Morrison re-asserting his place in the rock and roll world after all these years away from the spotlight, he certainly still seems to have a lot of hardcore fans. Let's just hope that his webmasters can prove as diligent in trying to lock down the iconic singer's home on the Web.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel