
SANS ISC: Lamiabiocasa - SANS Internet Storm Center


Earlier today, ISC reader Travis noticed that his proxy server was blocking some images from BusinessWeek Business Exchange. On closer inspection of the blocked content, he found that some files indeed had peculiar contents:

A company from Italy that sells log cabins probably cannot afford to advertise their services on Businessweek...
The "lamiabiocasa" site is currently not returning any malware (at least not when we tried to investigate). A Google search for the same URL reveals, though, that plenty of other sites are similarly affected, so this IFRAME is obviously part of an injection attack that must have been going on for a while.
On Businessweek, it is their 404 Error page that currently seems to be affected. It returns an "Under Construction" message that includes the nasty iframe. According to passive DNS, there are currently more than 10'000 DNS domain names pointing to the one IP address that is also used by Lamiabiocasa. Chances are this ain't good...

385 Posts
ISC Handler
Nov 2nd 2012
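
The diary's finding, an off-site IFRAME served from a 404 error page, is something a periodic audit of your own site's responses can catch. The following is an added example, not part of the original diary: a Python check that lists iframes pointing outside a site's own domains and notes whether they are hidden. The hostnames, the allowlist and the sample 404 body are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Collect every <iframe> whose src resolves to a host outside the allowlist."""
    def __init__(self, page_url, allowed_suffixes):
        super().__init__()
        self.page_url = page_url
        self.allowed = tuple(s.lower().lstrip(".") for s in allowed_suffixes)
        self.findings = []

    def _is_allowed(self, host):
        return any(host == s or host.endswith("." + s) for s in self.allowed)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and scheme-relative src values against the page URL.
        src = urljoin(self.page_url, a.get("src", "").strip())
        host = (urlparse(src).hostname or "").lower()
        if not host or self._is_allowed(host):   # no host (e.g. about:blank) or own domain
            return
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.findings.append({"host": host, "src": src, "hidden": hidden})

def audit_response(page_url, status, body, allowed_suffixes):
    """Return off-site iframes found in one response, error pages included."""
    parser = IframeAudit(page_url, allowed_suffixes)
    parser.feed(body)
    parser.close()
    return [dict(f, status=status, page=page_url) for f in parser.findings]

# Constructed sample: a 404 body with two legitimate iframes and one injected one.
SAMPLE_404 = """<html><body><h1>Under Construction</h1>
<iframe src="/widgets/search.html" width="300" height="40"></iframe>
<IFRAME SRC="http://injected.example.invalid/in.php" WIDTH=1 HEIGHT=1></IFRAME>
<iframe src="//static.site.example/ad.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_response("http://www.site.example/no-such-page", 404,
                                  SAMPLE_404, ["site.example"]):
        print(finding)
```

Feed it the bodies of error responses (404, 500) as well as normal pages, since the affected page here was the 404 handler, which routine content reviews tend to skip.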
Also hosts which has pretty bad rankings/comments on WOT:
