Tens of thousands of web sites fall victim to a mass hack attack
Websense, a security services provider, says it has observed mass hack attacks in which criminals embed their own JavaScript on web sites. Apparently, visitors to those sites are diverted to a domain bearing a name such as google-analytics.com, where a server attempts to infect their PCs with exploits for Internet Explorer, Firefox and QuickTime. The server is reportedly located in the Ukraine. Websense says the recognition rate for the malware is still relatively low and, up to now, more than twenty thousand legitimate web sites have been manipulated.
It isn't clear yet how the criminals managed to slip their code into the sites. They probably used SQL injection vulnerabilities in web applications held on the servers, or intercepted FTP access data. Administrators can recognise an infection of their web sites by its heavily obfuscated JavaScript code, an impression of which is given in the original Websense report.
Another group of criminals has been using similar methods since mid-May in an attempt to infect users. They do this by writing hidden JavaScript into HTML pages. These exploits, also known as Gumblar from the name of the domain hosting the malware, then use a trojan to manipulate the results of Google searches displayed in victims' browsers and lead them on to additional dangerous sites. According to reports, Gumblar exploits vulnerabilities in Adobe Reader and Adobe Flash and can independently manipulate other web sites by intercepting FTP access data. ScanSafe is also reporting that tens of thousands of web sites have fallen victim to Gumblar attacks.
See also:
- Mass Injection Compromises More than Twenty-Thousand Web Sites, advisory from Websense security labs.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
