"Nine-Ball" mass injection attack compromised 40,000 sites

A new threat dubbed "Nine-Ball" has compromised up to 40,000 legitimate websites, which are, in turn, infecting visitors with an information-stealing trojan, according to security vendor Websense. The attack is called "Nine-Ball" because of the name of the final, malicious landing page, loaded with drive-by exploits, to which unsuspecting users are automatically redirected when they visit one of the compromised sites. Ninetoraq.in, the exploit site, contains malicious code that checks for already-patched vulnerabilities in Acrobat Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy, and then attempts to exploit them, Stephan Chenette, manager of security research at Websense, told SCMagazineUS.com on Wednesday. The flaws have all been patched; some date back to 2006, Chenette said.

But the Reader and QuickTime vulnerabilities are newer, making it less likely that users have patched them. If the malicious code finds an unpatched vulnerability, it exploits it and drops either a malicious PDF file or a trojan designed to steal user information, Chenette said. All of the exploits currently have low detection rates, he added. The 40,000 legitimate but compromised websites were "sleeping" until Monday, Chenette said. Before then, a user who visited one of them was redirected to Ask.com. On Monday, though, the attack was updated and users started being redirected to the malicious ninetoraq site.

Currently, users who visit one of the compromised sites are first sent through a chain of redirections before landing on the final exploit site, ninetoraq. The user sees only the normal content of the infected page; the redirections occur in the background without their knowledge, so the user would not see that they are on the ninetoraq site. Sending users through numerous redirections makes tracking the attackers more difficult, Chenette said. During the redirections, the visitor's IP address is recorded. If the IP address is new, the user is directed to the exploit site. If the IP address has already been recorded, the user is instead redirected from the compromised site to the benign Ask.com, and that redirection is visible to the user, Chenette said. The attackers may have included this feature to evade security companies that are probing the infected sites and attempting to analyze the attack: an analyst who is sent to a benign site might assume the attack no longer works.

Websense researchers determined that the compromised sites do not share a common piece of software, which indicates that the malicious code was injected using previously stolen credentials. Getting rid of the problem requires multiple steps, Chenette said. Website owners must examine their site's source code for obfuscated or scrambled code. Then they need to change the credentials of every account that can access the website. Chenette said that none of the 40,000 infected sites in this attack are well-known brands. "Attackers are going after quantity and not quality," Chenette said. "If they go after big name websites, they are shut down faster."

Over the past several months there have been similar mass-injection attack waves every few weeks, Neil Daswani, co-founder of web anti-malware vendor Dasient, told SCMagazineUS.com on Wednesday. A similar threat, called Gumblar, recently made headlines for compromising approximately 60,000 legitimate websites. Another mass-injection attack, Beladen, was said to have infected 40,000 websites. Daswani said that in the past two years there has been a 600 percent increase in the number of trusted websites being used as malware distribution points. Compromised websites face a number of consequences, including being blacklisted by search engines, which typically causes a significant drop in traffic. "Once they clean up, the challenge is to try and get back traffic," Daswani said. "From businesses we have spoken to, once they clean up, it's very hard to get back to [the former] traffic level because there's a loss of consumer confidence."
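The IP-gated redirect chain described above is worth modelling, because it changes how an analyst has to probe a suspect page. The following is an added example written for this article, not code from Websense, SC Magazine or the Nine-Ball campaign. It simulates the behaviour the article reports (a compromised page bounces the visitor through several redirectors, the chain records the visitor's IP, first-time IPs reach the exploit page and repeat IPs are sent to a benign site) and then runs the differential check an analyst can use to recognise that gate. All hostnames and IP addresses are placeholders chosen for the simulation; nothing here touches the network.

```python
"""Simulated IP-gated redirect chain plus a differential cloaking check.

Added example for this article; not Websense's or the campaign's code.
Hostnames and IPs below are placeholders (assumptions for the simulation).
"""


class RedirectChain:
    """Attacker-side gate (simulated): records IPs and picks the final hop."""

    def __init__(self, hops, exploit_host, decoy_host):
        self.hops = list(hops)          # intermediate redirectors, in order
        self.exploit_host = exploit_host
        self.decoy_host = decoy_host
        self.seen_ips = set()           # the "recorded IP" store

    def resolve(self, client_ip):
        """Hosts a visitor from client_ip is bounced through; final one last."""
        if client_ip in self.seen_ips:
            final = self.decoy_host     # repeat visitor: benign destination
        else:
            self.seen_ips.add(client_ip)
            final = self.exploit_host   # first contact: exploit landing page
        return self.hops + [final]


def fetch(chain, compromised_host, client_ip):
    """Simulated fetch of the compromised page: full hop list, start to finish."""
    return [compromised_host] + chain.resolve(client_ip)


def detect_cloaking(fetch_from, vantage_ips):
    """Differential check an analyst can run against a suspect page.

    fetch_from(ip) -> final host reached from that IP. The page is fetched
    twice from vantage_ips[0] and once from each remaining IP. A repeat
    fetch that lands somewhere different is evidence of cloaking; if a
    fresh IP reproduces the first result, the gate is keyed on visitor IP
    rather than, say, on time or randomness.
    """
    first_ip, *fresh_ips = vantage_ips
    first = fetch_from(first_ip)
    repeat = fetch_from(first_ip)
    fresh = [fetch_from(ip) for ip in fresh_ips]
    return {
        "first": first,
        "repeat": repeat,
        "fresh": fresh,
        "cloaking_suspected": repeat != first,
        "keyed_on_ip": repeat != first and all(f == first for f in fresh),
    }


if __name__ == "__main__":
    # Placeholder hosts: two redirectors, an exploit page and a decoy.
    chain = RedirectChain(["r1.example", "r2.example"],
                          "landing.example", "benign.example")
    print(fetch(chain, "victim.example", "198.51.100.7"))   # first visit
    print(fetch(chain, "victim.example", "198.51.100.7"))   # repeat visit
    report = detect_cloaking(
        lambda ip: fetch(chain, "victim.example", ip)[-1],
        ["203.0.113.9", "203.0.113.10"],
    )
    print(report)
```

The practical consequence: save the full response body on the very first fetch from a given vantage point, because that IP will not be shown the exploit page again, and treat a benign result on a re-run as inconclusive rather than as proof that the campaign has been taken down.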
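The first cleanup step Chenette describes, examining the site's source for obfuscated or scrambled code, can be turned into a first-pass scan. What follows is an added example written for this article, not Websense's, Dasient's or SC Magazine's code. Its patterns (eval(unescape(...)), long runs of hex escapes or String.fromCharCode arguments, zero-size or hidden iframes, document.write of an iframe) are generic indicators of injected drive-by code, not a signature for Nine-Ball, and the two sample pages are constructed for the demonstration.

```python
"""First-pass scanner for injected, obfuscated script in a site's source.

Added example for this article, not the vendor's code. The indicators are
deliberately broad: the goal is to surface candidates for a human to read,
not to auto-clean. Sample pages below are constructed.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    line: int
    indicator: str
    snippet: str


INDICATORS = [
    ("eval-unescape",
     re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("fromCharCode-run",                       # 20+ numeric args in a row
     re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I)),
    ("long-hex-escape",                        # 40+ %xx or \xNN escapes
     re.compile(r"(?:%[0-9a-f]{2}){40,}|(?:\\x[0-9a-f]{2}){40,}", re.I)),
    ("hidden-iframe",                          # zero-size or invisible frame
     re.compile(r"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*[\"']?0(?!\d)"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    ("document-write-iframe",
     re.compile(r"document\.write\s*\([^)]*<iframe", re.I)),
]


def scan_html(path, text):
    """Run every indicator over the whole text (payloads may span lines)."""
    findings = []
    for label, rx in INDICATORS:
        for m in rx.finditer(text):
            lineno = text.count("\n", 0, m.start()) + 1
            snippet = text[m.start():m.start() + 80].replace("\n", " ")
            findings.append(Finding(path, lineno, label, snippet))
    findings.sort(key=lambda f: (f.line, f.indicator))
    return findings


def scan_directory(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a document root and scan every file with a web extension."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_html(str(path),
                             path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample pages (not taken from any real compromised site).
CLEAN_PAGE = (
    "<html><head><title>Shop</title>\n"
    '<script src="/js/app.js"></script></head>\n'
    "<body><h1>Welcome</h1><p>Normal content.</p></body></html>\n"
)
# The injected block sits at the end of the page, the usual placement for
# appended injections. The hex string is filler long enough to trip the
# threshold; it decodes to nothing meaningful.
INJECTED_PAGE = (
    "<html><head><title>Shop</title></head>\n"
    "<body><h1>Welcome</h1><p>Normal content.</p>\n"
    "<script>eval(unescape('" + "%6a" * 50 + "'))</script>\n"
    '<iframe src="http://redirector.example/go" width="0" height="0"></iframe>\n'
    "</body></html>\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real site: python scan.py /var/www
        for p, hits in scan_directory(sys.argv[1]).items():
            for h in hits:
                print(f"{h.path}:{h.line} {h.indicator}: {h.snippet}")
    else:                                      # demo on the constructed pages
        for name, page in (("clean.html", CLEAN_PAGE), ("index.html", INJECTED_PAGE)):
            for h in scan_html(name, page):
                print(f"{h.path}:{h.line} {h.indicator}: {h.snippet}")
```

The scan only finds candidates; every hit needs to be read, because legitimate minified libraries can trip the fromCharCode and hex-escape thresholds. It also covers only the first of the two steps Chenette lists: once the injected code is removed, every account that can write to the site still needs new credentials, since the same stolen logins that placed the code can place it again, and a re-scan after rotation confirms the cleanup held.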