Multiple mass attacks on websites
Criminals are currently carrying out numerous mass attacks in order to infect users' PCs with malware. According to blogger Dancho Danchev, one of the goals is to change the DNS settings of infected Windows PCs so that they use malicious name servers. The IP addresses of those name servers belong to the Russian Business Network (RBN).
With this type of pharming attack, the fraudsters can make any domain name resolve to an IP address of their choosing and thereby direct their victims to phishing sites. There is very little a user can do to counter this type of attack completely.
The attackers' trick is to exploit the caching of the search functions used on many websites in order to obtain a high Google ranking for their injected content. Additional IFrames can thus be embedded in the cached search-result pages that Google indexes, and they are loaded into the browser together with the search result. The victim ends up at a site offering video codecs or anti-spyware instead of the expected legitimate page. The malicious site hosts the Zlob trojan, which manipulates the DNS entries. Initially, sites such as ZDNet Asia fell victim to this search-function manipulation. Now many other sites are apparently affected as well, including the websites of universities and US government offices.
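The injection technique described above leaves a recognisable trace in the served HTML: an IFrame that points at a host outside the site and is usually hidden or zero-sized so the visitor never sees it. The following Python script is an added example (not code from heise Security or from Dancho Danchev's write-up) that scans a page for such IFrames. The sample page, the site name `example.edu` and the hostnames `attacker.invalid` and `video.example.net` are constructed placeholders, not identifiers from the attack.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cached search-result page into which a hidden,
# zero-size IFrame pointing at an external host has been injected.
# All hostnames are placeholders.
SAMPLE_PAGE = """
<html><body>
<h1>Search results for "video codec"</h1>
<div class="result"><a href="https://www.example.edu/news">News</a></div>
<iframe src="https://www.example.edu/embed/player" width="400" height="300"></iframe>
<iframe src="http://attacker.invalid/codec.php" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src="//cdn.example.edu/widget"></iframe>
<iframe src="https://video.example.net/player" width="320" height="240"></iframe>
</body></html>
"""

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True if a width/height attribute is 1px or less (a common hiding trick)."""
    if value is None:
        return False
    try:
        return float(value.strip().rstrip("px").strip()) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    """Hidden via inline CSS or via a zero/one-pixel frame size."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    return _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))


def _host_of(src, site):
    """Resolve the host of an absolute, protocol-relative or relative src."""
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname or site  # relative src -> same site


def _is_same_site(host, site):
    return host == site or host.endswith("." + site)


def find_suspicious_iframes(html, site):
    """Return IFrames that load from an external host and/or are hidden.

    `site` is the registrable domain the page legitimately belongs to.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = _host_of(src, site)
        reasons = []
        if not _is_same_site(host, site):
            reasons.append("external host")
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "example.edu"):
        print(finding["host"], "<-", finding["src"], ";", ", ".join(finding["reasons"]))
```

Running the script reports the hidden `attacker.invalid` frame with both reasons and the visible `video.example.net` frame as merely external, while the site's own player and the `cdn.example.edu` widget pass. A page whose own cached search results suddenly contain hidden external IFrames is the signal a site operator would want to alert on; an external-but-visible frame is lower severity and needs a human look.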
In late January 2008, there was a large-scale attack that exploited the servers of US government offices and universities to distribute malware. The advantage for the criminals is clear: such sites usually have a good reputation and a steady stream of returning visitors. Even browsing only well-known, trusted sites is therefore no longer adequate protection. Many antivirus vendors are now adding protective measures against drive-by downloads.
- More High Profile Sites IFRAME Injected, description by Dancho Danchev
- Follow Up To Yesterday’s Mass Hack Attack, McAfee blog entry
- Massive embedded exploit web site attack underway [update], heise Security report