Naavi.org reported on Jule 19th about
the Deccan Herald (a popular newspaper in Karnataka, India) website being
classified as an "Attack Site" by Google. Despite this publication, and
despite being aware of the problem, Deccan Herald has not yet secured its
site, and the site continues to be tagged an attack site by Google till date.
Kaspersky antivirus identified the
cause as a script running on the page. This script appears to run not only
on the home page but also on several other pages of the site.
On the home page, the source code
is hosted on the image file
"ys-myslake-july8.jpg". The script itself is called from three sites,
crtbond.com, ausadd.com and destbnp.com, and is named ngg.js.
The said image file contains
a beautiful photograph of "Kukkarahalli Lake" posted by an amateur
photographer at the invitation of the webmaster in the "Your Space"
These "Your Space"
photographs also appear on the city page and netmail page, and may be on all
other pages. The script therefore runs on all these pages.
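A page audit along these lines, as an added example (not code from Naavi.org, Google or Deccan Herald): it lists every script a page loads from outside the site's own hosts and marks those served from the three domains named above. It assumes the injected code appears as an ordinary script tag with a src attribute; the sample HTML, the news.example host and the URL paths are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this article names as serving ngg.js.
REPORTED_HOSTS = {"crtbond.com", "ausadd.com", "destbnp.com"}

def in_hosts(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)

class ScriptSources(HTMLParser):
    """Record the host, path and line number of every <script src=...>."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            url = urlparse(src.strip())  # also parses protocol-relative //host/path
            self.found.append(((url.hostname or "").lower(), url.path, self.getpos()[0]))

def audit_page(html, site_hosts):
    """Return (line, host, path, verdict) for each script loaded off-site."""
    parser = ScriptSources()
    parser.feed(html)
    findings = []
    for host, path, line in parser.found:
        if not host or in_hosts(host, site_hosts):
            continue  # relative URL, or one of the site's own hosts
        verdict = "reported" if in_hosts(host, REPORTED_HOSTS) else "unlisted"
        findings.append((line, host, path, verdict))
    return findings

# Constructed sample page; news.example stands in for the publisher's domain.
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<img src="/images/ys-myslake-july8.jpg"><script src="http://crtbond.com/ngg.js"></script>
<script src="//www.ausadd.com/ngg.js"></script>
<script src="http://stats.example.net/counter.js"></script>
<script src="http://static.news.example/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, {"news.example"}):
        print(finding)
```

Run over each published page after every content update, an "unlisted" result is a prompt to review a third-party include, while a "reported" result means the page still carries the injected reference.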
According to Google, "Of the
454 pages we tested on the site over the past 90 days, 108 page(s) resulted
in malicious software being downloaded and installed without user consent."
Google also reported that
"Malicious software includes
119 scripting exploit(s). Successful infection resulted in an average of 2
new processes on the target machine. Malicious software is hosted on 48
crtbond.com. 6 domain(s) appear to be functioning as intermediaries for
distributing malware to visitors of this site, including
This information is now
being sent again to Deccan Herald for remedial action, so that
visitors to this site are not penalized with the download of the
malicious code. Hopefully they will act at least this time.
In the meantime, we take
this opportunity to highlight the necessity for all public websites to
monitor such events and take necessary action, as otherwise they would be
liable under Section 43 (C) of ITA 2000 to pay compensation to each of
the visitors who suffer damage on account of the malicious code.
July 11, 2008