Hundreds of legitimate websites being hacked into

Posted by Virus Bulletin on Jan 14, 2008

New mass infection leaves security researchers puzzled.

Web security company ScanSafe has reported a new mass infection of websites, which it claims accounts for 15% of the web traffic the company blocks. A wide range of sites, mostly operated by small firms based in the UK, were seen to be serving malicious JavaScript to visitors, with numerous stealth and anti-analysis techniques deployed to keep security watchers from discovering the details of the attack.

Legitimate websites, with their steady flow of unsuspecting traffic, are becoming ever more popular targets for hackers, with reports of compromises appearing with alarming frequency. While some hacks are all about the message, with defacements featuring personal boasts as well as more ideological and political messages remaining commonplace, modern cybercriminals are well aware of the potential of cracked websites to subtly introduce their data-stealing and system-hijacking malware onto a wider range of victims' systems. These attacks use hidden iframes or JavaScript implanted into web pages, exploiting vulnerabilities to silently drop backdoors and trojans on the computers of the website's visitors. Only last week we reported how thousands of websites had fallen victim to such an attack.

The latest wave of compromised sites uses several rather unusual techniques. As in many previous examples, a JavaScript file is served by the infected pages, which looks for vulnerabilities in the operating system used and tries to install various pieces of malware. The JavaScript code is stored as usual in a .js file but this file, surprisingly, resides on the hacked server itself, rather than sitting far away on a dedicated malcode server to which traffic is redirected by compromised sites.

To evade harvesting of samples by malware analysts, the name of the .js file appears to be random and, in most cases, the code disappears upon reloading. This not only makes detection of such sites a lot harder, it also leaves security researchers puzzled about the method used for the hack, which requires considerably more privileged access to the web servers themselves than the more common redirection method. While most affected websites run on Apache servers, the versions used vary widely, making it unlikely that a specific vulnerability is being exploited.
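A defender-side check for the symptoms described above, added here as an example and not code from Virus Bulletin, ScanSafe or the cited reports: it parses a page as served, flags zero-size or hidden iframes and same-host scripts with random-looking file names, and diffs two loads of the same page to surface scripts that vanish on reload. The sample pages, the host name and the "random name" regex are constructed assumptions to be tuned against a real site's assets.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not real sites): the first visit carries an extra,
# randomly named .js on the same host and a zero-size iframe; the reload does not.
SITE_HOST = "www.example-shop.invalid"
FIRST_LOAD = """<html><head><script src="/js/jquery.js"></script>
<script src="/x7q9k2pd.js"></script>
<script src="http://cdn.invalid/lib/a1b2c3d4e5.js"></script></head>
<body><iframe src="http://malcode.invalid/in.html" width="0" height="0"></iframe>
<p>Welcome</p></body></html>"""
RELOAD = """<html><head><script src="/js/jquery.js"></script>
<script src="http://cdn.invalid/lib/a1b2c3d4e5.js"></script></head>
<body><p>Welcome</p></body></html>"""

class PageScanner(HTMLParser):
    """Collect external script sources and hidden iframes from one page load."""
    def __init__(self):
        super().__init__()
        self.scripts, self.hidden_iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.hidden_iframes.append(a.get("src", ""))

def scan(html):
    p = PageScanner()
    p.feed(html)
    return p.scripts, p.hidden_iframes

# Heuristic (assumed): 8+ alphanumerics mixing letters and digits looks machine-generated.
RANDOM_JS = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.js$", re.I)

def suspicious_local_scripts(srcs, site_host):
    """Same-host scripts with random-looking names; off-site scripts are the
    classic redirect case and are left to a separate check."""
    out = []
    for s in srcs:
        u = urlparse(s)
        if (not u.netloc or u.netloc == site_host) and RANDOM_JS.match(u.path.rsplit("/", 1)[-1]):
            out.append(s)
    return out

def one_shot_scripts(first_load, second_load):
    """Script references present on the first visit but gone on reload."""
    return sorted(set(first_load) - set(second_load))
```

Run `scan` on two fetches of the same URL a few seconds apart; a same-host script that is both random-looking and absent on the second load is the pattern this post describes.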

More can be found at The Register or on Trend Micro's Malware Blog.
