In association with heise online

13 May 2008, 16:58

Another mass attack on websites

Last weekend attackers once again injected a link to malicious JavaScript into hundreds of thousands of websites. The JavaScript redirects visitors to another site that ostensibly contains a video for which the user needs a special codec – but the download is in fact a Trojan of the Zlob family.

According to the Internet Storm Center, most of the contaminated websites contain installations of the phpBB forum. It is not yet clear what vulnerabilities the criminals behind the mass attack exploited. Trend Micro speculates that the sites have poorly configured installations or out-of-date versions of phpBB that contain security holes. A Google search for the embedded JavaScript currently yields some 200,000 infected websites.

Users who download the "codec" not only get the Zlob Trojan, but also a DNSChanger that sets Windows DNS entries to fake servers, which redirect requests for banking sites to the addresses of phishing sites. The phoney codec also downloads additional malicious baggage. Virus scanner detection is patchy. Avast, CA, Gdata, McAfee, NOD32, Panda and Symantec do not yet recognize the virus; that is more than a third of the virus scanners in the most recent c't virus scanner test.
