Posted by Virus Bulletin on Jan 14, 2008
New mass infection leaves security researchers puzzled.
Web security company ScanSafe has reported a new mass infection of websites, which it claims accounts for 15% of the web traffic the company blocks. A wide range of sites, mostly operated by small firms based in the UK, were seen to be serving malicious JavaScript to visitors, with numerous stealth and anti-analysis techniques deployed to keep security watchers from discovering the details of the attack.
Legitimate websites, with their steady flow of unsuspecting traffic, are becoming ever more popular targets for hackers, with reports of compromises appearing with alarming frequency. While some hacks are all about the message, with defacements featuring personal boasts as well as more ideological and political messages remaining commonplace, modern cybercriminals are well aware of the potential of cracked websites to subtly introduce their data-stealing and system-hijacking malware onto a wider range of victims' systems. These attacks use hidden iframes or JavaScript implanted into web pages, exploiting vulnerabilities to silently drop backdoors and trojans on the computers of the website's visitors. Only last week we reported how thousands of websites had fallen victim to such an attack.
The latest wave of compromised sites uses several rather unusual techniques. As in many previous examples, a JavaScript file is served by the infected pages, which looks for vulnerabilities in the operating system used and tries to install various pieces of malware. The JavaScript code is stored as usual in a .js file but this file, surprisingly, resides on the hacked server itself, rather than sitting far away on a dedicated malcode server to which traffic is redirected by compromised sites.
To evade harvesting of samples by malware analysts, the name of the .js file appears to be random and, in most cases, the code disappears upon reloading. This not only makes detection of such sites a lot harder, it also leaves security researchers puzzled about the method used for the hack, which requires considerably more privileged access to the web servers themselves than the more common redirection method. While most affected websites run on Apache servers, the versions used vary widely, making it unlikely that a specific vulnerability is being exploited.
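As an added example (not code from the original article, ScanSafe or Trend Micro), the following Python check turns the three indicators described above into a simple triage script: it fetches nothing itself, but compares two captures of the same page and flags a script that is served from the page's own host, has a random-looking .js name, and is present in only one of the two loads. The page host, the heuristic for "random-looking" and the sample HTML are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Matches the src attribute of <script> tags in a fetched page.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def script_sources(html):
    """Return every external script reference in the page, in document order."""
    return SCRIPT_SRC_RE.findall(html)


def looks_random(filename):
    """Heuristic (assumption): a stem of 8+ alphanumerics mixing letters and digits,
    with no separators, so versioned names like jquery-1.2.3.min.js are not flagged."""
    stem = filename.lower().rsplit(".", 1)[0]
    return bool(re.fullmatch(r"[a-z0-9]{8,}", stem)) \
        and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def analyse(page_host, first_load, second_load, min_indicators=3):
    """Compare two loads of one page; report scripts matching the pattern described above."""
    first, second = set(script_sources(first_load)), set(script_sources(second_load))
    findings = []
    for src in sorted(first | second):
        parsed = urlparse(src)
        host = parsed.hostname or page_host          # relative src => same host
        name = parsed.path.rsplit("/", 1)[-1]
        reasons = []
        if host == page_host and name.lower().endswith(".js"):
            reasons.append("served from the compromised host itself")
        if looks_random(name):
            reasons.append("random-looking file name")
        if (src in first) != (src in second):
            reasons.append("present in only one of two loads")
        if len(reasons) >= min_indicators:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample captures (not real pages): the second load lacks the injected script.
FIRST_LOAD = ('<html><head><script src="/js/jquery-1.2.3.min.js"></script>'
              '<script type="text/javascript" src="/k3x9qz7v2b.js"></script>'
              '<script src="http://cdn.example.net/x9y8z7w6v5.js"></script></head><body></body></html>')
SECOND_LOAD = ('<html><head><script src="/js/jquery-1.2.3.min.js"></script>'
               '<script src="http://cdn.example.net/x9y8z7w6v5.js"></script></head><body></body></html>')

if __name__ == "__main__":
    for finding in analyse("www.example.co.uk", FIRST_LOAD, SECOND_LOAD):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Lowering `min_indicators` to 2 surfaces the weaker cases (for instance a persistent random-named local script) at the cost of more false positives.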
More can be found at The Register here or at Trend Micro's Malware blog here.