Another mass attack on websites
Last weekend attackers once again injected a link to malicious JavaScript into hundreds of thousands of websites. The JavaScript redirects visitors to another site that ostensibly contains a video for which the user needs a special codec – but the download is in fact a Trojan of the Zlob family.
According to the Internet Storm Center, most of the contaminated websites contain installations of the phpBB forum. It is not yet clear what vulnerabilities the criminals behind the mass attack exploited. Trend Micro speculates that the sites have poorly configured installations or out-of-date versions of phpBB that contain security holes. A Google search for the embedded JavaScript currently yields some 200,000 infected websites.
Users who download the "codec" get not only the Zlob Trojan but also a DNSChanger, which sets the Windows DNS entries to fake servers that redirect requests for banking sites to the addresses of phishing sites. The phoney codec also downloads additional malicious baggage. Virus scanner detection is patchy: Avast, CA, Gdata, McAfee, NOD32, Panda and Symantec do not yet recognize the virus – more than a third of the virus scanners in the most recent c't virus scanner test.
See also:
- Mass File Injection Attack, Internet Storm Center report
- More of The Same: Another Half Million Web Sites Compromised, Trend Micro security blog entry
(mba)