Malware: 20,000 sites hit with drive-by attack code

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks.

According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.


The company discovered that the active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com).

This is unrelated to the Gumblar attack, Websense said.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site has been seeded with several different attacks targeted unpatched software vulnerabilities. The malware that gets loaded on compromised Windows machines is linked to scareware/rogueware (fake security applications).

Malware purveyors have increasingly turned to legitimate Web sites to launch attacks, using SQL injection techniques to compromise and hijack high-traffic sites.

According to data from MessageLabs, about 85 percent of Web sites blocked for hosting malicious content were ‘well-established’ domains that have been around for a year or more.

Most Attacks Come from Legit but Hijacked Sites

Sunday, May 17, 2009 1:10 PM PDT


The number of legitimate Websites being hacked to host malware has hit startling highs in recent days, new figures from MessageLabs have revealed.

Data taken from the days between May 4 and 8 showed that 84.6 percent of Websites blocked by the company for hosting malicious content were 'well-established' domains that have been around for a year or more.

During the same period, 10.2 percent of blocked domains were less than a year old and only 3.1 percent were less than a week old.

At first glance this, this runs counter to the assumption that malicious Websites more commonly exist for only days or hours in some cases, the better to avoid detection and filtering. This is termed "fast-fluxing," cycling websites through a maze of bogus sub-domains.

However, according to MessageLabs, the likely explanation is that a move to genuine domains means that the fast-fluxing has now migrated to use a different part of the domain tree.

"The bad guys will compromise the DNS and add sub-domains," said MessageLabs' Paul Wood. The recent figure represented a high mark, admitted Wood, but still represented a gathering storm.

"People need to be extra vigilant and understand that even sites they know and trust can be compromised through attacks such as SQL injection attacks, while businesses need to ensure they take the necessary precautions to block all the latest malicious sites," said Wood.

"With the ever advancing world of cybercrime, nothing can be taken at face value."

One consequence was that the days of reputation filtering services could be numbered as a primary defense. If the domains were fraudulent sub-domains exploiting legitimate domains, this would be difficult to defend against on such a scale.

In Wood's view the only hope was to embrace hosted services, the business MessageLabs is in. "There are things you can do in the cloud that you simply can't do on your own computer."