Trend Micro and a host of other legitimate sites have fallen victim to a recent form of attack that aims to steal website credentials and gaming passwords. The common link between the attacks is twofold: they all take advantage of embedded malicious links, and they all point to the same site, registered and hosted in China.
Throughout March there has been an increase in injection attacks on legitimate websites: IFrame injections and JavaScript injections, each designed to download malicious software in the background with no action required from the end user. These drive-by attacks target vulnerable client software such as Microsoft Office, RealPlayer, QuickTime and ActiveX controls, along with other operating system flaws.
Earlier this month, McAfee noticed ten thousand sites serving malware from an injected IFrame, and hailed the assault as one of the largest it had seen to date. Only a few days later, with another attack vector added and different targets, the number has climbed from ten thousand to over twenty-nine thousand. (Edit: twenty-nine thousand as of 3/16/2008 4:30 PM EST)
Using Google, search for the following, quotes included:
"script src=http://www.2117966.net/fuckjp.js"
This is the most recent vector of attack: the JavaScript is embedded in the page, loads from 2117966.net and attempts to install malware. Twenty-nine thousand sites are listed in Google, and a skim of the results shows all of them to be legitimate. There appears to be little pattern to the targets, simply a desire to spread the malicious code to as many sites as possible.
Systems that are successfully compromised by the embedded attacks begin sending traffic to 61.188.39.175. Along with 2117966.net, both locations are in China. To make matters worse, AV vendor Trend Micro was also a victim of the injection attacks.
Last Friday, Trend Micro confirmed it was the victim of a massive attack on its Virus Encyclopedia.
“Earlier this week, we realized that part of our public online Virus Encyclopedia (VE) was altered via external hacking. The redirect placed on our site didn’t work properly so nobody visiting the hacked pages was at risk of infection. In response to this incident, we shut down the VE for several hours, patched the systems, removed the inserted code, and brought it back to life again. We have already taken interim measures to further harden the VE system against future attacks. This incident was part of a wider attack on Web sites around the world,” Trend Micro said in a statement.
The attacks are believed to come from several angles: SQL injection to embed the code, flaws in website caching, and outright breaking and entering using the compromised FTP servers from the recent list discovered online.
Mitigation is a hard area to cover; remember there is no proof or information as to exactly how these injection attacks are taking place. SANS recommends:
- Blocking 2117966.net (why not block all CN domains and IP ranges anyway?)
- Inspecting proxy logs for visitors to 2117966.net
- Checking for anyone who was directed to 61.188.39.175
For the end user, avoiding a browser that uses ActiveX will prevent most of the exploits, though flaws in plugins such as RealPlayer and QuickTime still need patching whichever browser is used. Using NoScript on Firefox is also a solid step in keeping your system clean. If you have to use ActiveX (Internet Explorer), then limit its reach by forcing it to ask permission each time a control runs.
Update: the second wave of attack, involving the embedded JavaScript code, targeted ASP pages only, not PHP pages.
In the first wave of attacks, and in parts of the second, it was the sites' own search and SEO caching that was abused; the sites serving the malicious code were not themselves compromised.
"Basically, whenever the malicious attacker is feeding the search engine with popular queries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in a "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names," security expert Dancho Danchev said on his blog.
Follow-up reading on the first wave of attacks, which is similar to the second:
http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html
There is no obvious fix for this line of SEO poisoning, aside from removing the SEO modifications (or, at minimum, HTML-encoding the search terms before they are written into the cached result pages).
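The mechanism Danchev describes is a reflected injection that the site's own result caching turns into a stored one: the attacker searches once for a popular keyword followed by an IFRAME, the site caches the rendered page under that query, and everyone who reaches the cached page (including search engine crawlers) gets the live IFRAME. The added example below, not taken from the original article or from Danchev's blog, models that flow with a toy cache and shows the unescaped rendering beside an HTML-encoded one; the poisoned query and the IFRAME host are placeholders constructed for the example, since the article does not name the first wave's IFRAME target.

```python
import html
import re


def render_results_unescaped(query):
    """Vulnerable: the visitor's search terms are written into the page verbatim,
    so any markup in the query becomes live markup in the page."""
    return f"<h1>Search results for {query}</h1><p>Nothing matched {query}.</p>"


def render_results_escaped(query):
    """Hardened: the same page with the query HTML-encoded before it is echoed."""
    safe = html.escape(query, quote=True)
    return f"<h1>Search results for {safe}</h1><p>Nothing matched {safe}.</p>"


class SearchResultCache:
    """Caches the rendered page per raw query, as the poisoned sites did so that
    search engines would index their popular-keyword result pages."""

    def __init__(self, render):
        self._render = render
        self._pages = {}

    def get(self, query):
        if query not in self._pages:
            self._pages[query] = self._render(query)
        return self._pages[query]


IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)


def has_live_iframe(page):
    """True if the page contains an IFRAME element that a browser would load."""
    return IFRAME_RE.search(page) is not None


# Constructed poisoned query: a popular keyword followed by a hidden IFRAME.
# The host is a placeholder, not one named in the article.
POISON_QUERY = (
    'celebrity name <iframe src="http://malware.example.invalid/in.cgi?3" '
    'width=0 height=0 style="visibility:hidden"></iframe>'
)


def poison_and_check(render):
    """Simulate the attack: the attacker searches once (the page gets cached),
    then a crawler or visitor fetches the cached copy of the same query."""
    cache = SearchResultCache(render)
    cache.get(POISON_QUERY)            # attacker's request populates the cache
    page = cache.get(POISON_QUERY)     # later request is served from the cache
    return has_live_iframe(page)


if __name__ == "__main__":
    print("unescaped cache serves IFRAME:", poison_and_check(render_results_unescaped))
    print("escaped cache serves IFRAME:  ", poison_and_check(render_results_escaped))
```

Encoding on output keeps the cached result pages (and whatever search ranking they earn) while making the injected markup inert text; removing the caching feature, as the article suggests, is the alternative when the rendering code cannot be fixed.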