Malware: 20,000 sites hit with drive-by attack code

Reply Mon 1 Jun, 2009 02:13 pm

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks.

According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.

The company discovered that the active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com).

This is unrelated to the Gumblar attack, Websense said.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site has been seeded with several different attacks targeted unpatched software vulnerabilities. The malware that gets loaded on compromised Windows machines is linked to scareware/rogueware (fake security applications).

Malware purveyors have increasingly turned to legitimate Web sites to launch attacks, using SQL injection techniques to compromise and hijack high-traffic sites.

According to data from MessageLabs, about 85 percent of Web sites blocked for hosting malicious content were ‘well-established’ domains that have been around for a year or more.

I wonder if this is also a clue to why I can't view videos on A2K (see my topic about this elsewhere).

Other, related articles:

This site has a screenshot of the injected code if any site owners need it:



Most Attacks Come from Legit but Hijacked Sites

Sunday, May 17, 2009 1:10 PM PDT

The number of legitimate Websites being hacked to host malware has hit startling highs in recent days, new figures from MessageLabs have revealed.

Data taken from the days between May 4 and 8 showed that 84.6 percent of Websites blocked by the company for hosting malicious content were 'well-established' domains that have been around for a year or more.

During the same period, 10.2 percent of blocked domains were less than a year old and only 3.1 percent were less than a week old.

At first glance this, this runs counter to the assumption that malicious Websites more commonly exist for only days or hours in some cases, the better to avoid detection and filtering. This is termed "fast-fluxing," cycling websites through a maze of bogus sub-domains.

However, according to MessageLabs, the likely explanation is that a move to genuine domains means that the fast-fluxing has now migrated to use a different part of the domain tree.

"The bad guys will compromise the DNS and add sub-domains," said MessageLabs' Paul Wood. The recent figure represented a high mark, admitted Wood, but still represented a gathering storm.

"People need to be extra vigilant and understand that even sites they know and trust can be compromised through attacks such as SQL injection attacks, while businesses need to ensure they take the necessary precautions to block all the latest malicious sites," said Wood.

"With the ever advancing world of cybercrime, nothing can be taken at face value."

One consequence was that the days of reputation filtering services could be numbered as a primary defense. If the domains were fraudulent sub-domains exploiting legitimate domains, this would be difficult to defend against on such a scale.

In Wood's view the only hope was to embrace hosted services, the business MessageLabs is in. "There are things you can do in the cloud that you simply can't do on your own computer."
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 0 • Views: 2,136 • Replies: 1
No top replies

Reply Mon 1 Jun, 2009 03:43 pm
Don't know if this is related or not, but three times today I have encountered a survey pop-up while navigating around A2K. I have several pop-up blocker software utilities and it is getting through the blocks.

I took a screenshot of the one that just occurred and am posting it in case it offers some needed data:

0 Replies

Related Topics

So I just joined Facebook.... - Discussion by DrewDad
YouTube Is Doomed - Discussion by Shapeless
Internet disinformation overload - Discussion by rosborne979
Participatory Democracy Online - Discussion by wandeljw
OpenDNS and net neutrality - Question by Butrflynet
Internet Explorer 8? - Question by Pitter
  1. Forums
  2. » Malware: 20,000 sites hit with drive-by attack code
Copyright © 2023 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 03/20/2023 at 10:45:20