Hundreds of legitimate websites being hacked into
New mass infection leaves security researchers puzzled.
Web security company ScanSafe has reported a new mass infection of websites, which it claims accounts for 15% of the web traffic the company blocks.
A wide range of sites, mostly operated by small firms based in the UK, were seen to be serving malicious JavaScript to
visitors, with numerous stealth and anti-analysis techniques deployed to keep security watchers from discovering the
details of the attack.
Legitimate websites, with their steady flow of unsuspecting traffic, are becoming ever more popular targets for hackers,
with reports of compromises appearing with alarming frequency. While some hacks are all about the message, with
defacements featuring personal boasts as well as more ideological and political messages remaining commonplace, modern
cybercriminals are well aware of the potential of cracked websites to subtly introduce their data-stealing and
system-hijacking malware onto a wider range of victims' systems. These attacks use hidden iframes or JavaScript
implanted into web pages, exploiting vulnerabilities to silently drop backdoors and trojans on the computers of the
website's visitors. Only last week we reported how thousands of websites had
fallen victim to such an attack.
The latest wave of compromised sites uses several rather unusual techniques. As in many previous examples, a JavaScript
file is served by the infected pages, which looks for vulnerabilities in the operating system used and tries to
install various pieces of malware. The JavaScript code is stored as usual in a .js file but this file,
surprisingly, resides on the hacked server itself, rather than sitting far away on a dedicated malcode server to
which traffic is redirected by compromised sites.
To evade harvesting of samples by malware analysts, the name of the .js file appears to be random and,
in most cases, the code disappears upon reloading. This not only makes detection of such sites a lot harder, it
also leaves security researchers puzzled about the method used for the hack, which requires considerably more
privileged access to the web servers themselves than the more common redirection method. While most affected websites
run on Apache servers, the versions used vary widely, making it unlikely that a specific vulnerability
is being exploited.
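The two traits described above (a randomly named .js served from the compromised host itself, and a reference that vanishes on reload) lend themselves to a simple site-monitoring check. The following is an added example, not code from the article or from ScanSafe: it compares the script includes seen on two fetches of one page and flags same-host .js files that appear in only one of them. The HTML samples and the hostname are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return set(parser.srcs)


def same_host(src, page_host):
    """True for relative URLs and for absolute URLs on the page's own host."""
    host = urlparse(src).netloc
    return host == "" or host.lower() == page_host.lower()


def transient_same_host_scripts(first_html, second_html, page_host):
    """Script srcs present in only one of two fetches and hosted on the page's own server.

    A legitimate page references the same scripts on every load; a local .js
    that appears on one fetch and is gone on the next matches the reported pattern.
    """
    a, b = script_srcs(first_html), script_srcs(second_html)
    return sorted(s for s in a ^ b
                  if same_host(s, page_host) and s.lower().endswith(".js"))


# Constructed samples: the second fetch lacks the oddly named local script and
# gains a third-party CDN script, which is transient but not same-host.
FETCH_1 = ('<html><head><script src="/js/menu.js"></script>'
           '<script src="/qz81k3vm.js"></script></head><body></body></html>')
FETCH_2 = ('<html><head><script src="/js/menu.js"></script>'
           '<script src="https://cdn.example.net/jquery.js"></script></head>'
           '<body></body></html>')

if __name__ == "__main__":
    print(transient_same_host_scripts(FETCH_1, FETCH_2, "www.example.co.uk"))
```

Only the locally hosted, randomly named file is reported; a script that merely changes CDN between loads is ignored.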
More can be found at The Register here or at Trend Micro's Malware blog here.
14 January 2008
Tags:
backdoor, hacking, javascript, trojan.