A massive campaign to seek out vulnerabilities on sites across the Web has targeted and successfully compromised media-servers.net, security vendor Websense says. The media-servers.net domain serves ads from ad.media-servers.net, but at this time that domain is unaffected by the mass injection attack.
Media-servers.net hit in massive code injection spree. (Image: J.Anderson)
According to Websense, this injection campaign has been going on for months. The attack starts by scanning sites for vulnerable code or other holes; once a hole is found, malicious iframes are injected into the site's pages, and those iframes serve various payloads to visitors.
To date, the payloads used against visitors of infected sites target three Microsoft vulnerabilities (DirectShow, Snapshot Viewer, and Microsoft Data Access Components (MDAC)), an AOL ConvertFile() buffer overflow, and two vulnerabilities in Adobe Reader and Adobe Acrobat.
[For those keeping track, the CVEs are CVE-2008-0015, CVE-2008-2463, CVE-2006-0003, CVE-2007-5659, and CVE-2008-2992.]
In a statement, Carl Leonard, Websense Security Labs Manager, said, “This attack relies on the vulnerabilities of websites with very little security. The bad guys seek out these vulnerabilities and exploit them to inject malicious scripts into the website's code, in order to compromise unsuspecting users, without them knowing during the drive-by attack.”
“The scary part is that only two of the forty anti-virus companies are currently detecting the malicious file once downloaded onto the user’s computer. Our advice for users is to use real-time protection. Real-time protection will protect the user from these adapting threats in the first instance, avoiding infection and stopping the spread of the threat in its tracks.”
[Note: This information is based on VirusTotal reports. The actual coverage will vary depending on who you use for AV detection and protection. –Steve]
These types of attacks have happened before. In March of 2008, over 29,000 sites were hit in a similar injection attack that targeted Trend Micro and a whole host of other legitimate sites. At the time, the aim of the attacks was to steal website credentials and gaming passwords.
Fast-forward to June of this year, when the Nine-Ball attack compromised over 40,000 sites and redirected users to malware-hosting domains. At the time of the Nine-Ball attack, Websense said that the criminals behind it were targeting end users via “a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a Trojan downloader on the user's machine.”
Lastly, in August, 84,000 domains were targeted in a massive SQL injection attack that served up a nasty cocktail of code, including backdoor-related malware, keylogging malware, various Trojans and more.
For end users, the best defense is to run anti-virus protection that is kept current, and to apply operating system and application updates and patches as soon as they are released; every exploit in this campaign targets a vulnerability that already has a vendor fix.
Website operators should also check their own code and pages, making sure that the software behind the site is updated, that common coding errors are fixed, and that no unexpected iframes or scripts have been injected.
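The article describes the injected content as hidden iframes pointing at third-party payload servers, which is something a site operator can check for directly. The script below is an added example, not code from the article or from Websense: it parses an HTML page, collects every iframe, and flags those that are hidden (zero or 1-pixel size, display:none, visibility:hidden, or positioned off-screen) or that point at a host outside a list the operator trusts. The sample page and the host `attacker-example.invalid` are constructed for the demonstration; `TRUSTED_HOSTS` is an assumed allow-list that an operator would replace with their own domains and embed providers.

```python
#!/usr/bin/env python3
"""Scan HTML for iframes that look like drive-by injections (added example)."""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: the site's own host plus embed providers it uses on purpose.
TRUSTED_HOSTS = {"www.example.com", "www.youtube.com"}

# Constructed sample page: two legitimate iframes, one hidden off-site iframe of the
# kind the article describes, and one 1x1 iframe on the site's own host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/local/widget.html" width="300" height="200"></iframe>
<iframe src="http://attacker-example.invalid/in.cgi?x" width="0" height="0" style="display:none"></iframe>
<iframe src="http://www.example.com/stats.html" width="1" height="1"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe would be invisible to a visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Zero-size via CSS, e.g. style="width:0;height:0"
    if re.search(r"(?:width|height):0(?:px)?(?:;|$)", style):
        return True
    # Positioned off-screen, e.g. style="position:absolute;left:-9999px"
    if re.search(r"(?:left|top):-\d+", style):
        return True
    # Zero- or one-pixel width/height attributes
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


def _is_offsite(src, trusted_hosts):
    """True if src points at a host that is not on the allow-list."""
    host = urlparse(src).hostname
    if host is None:  # relative URL: same origin as the page
        return False
    return host.lower() not in {h.lower() for h in trusted_hosts}


def find_injected_iframes(html, trusted_hosts):
    """Return a list of {'src', 'reasons'} dicts for iframes worth investigating."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_offsite(src, trusted_hosts):
            reasons.append("off-site src")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files given.
    targets = sys.argv[1:] or ["<sample>"]
    for name in targets:
        html = SAMPLE_HTML if name == "<sample>" else open(name, encoding="utf-8", errors="replace").read()
        for f in find_injected_iframes(html, TRUSTED_HOSTS):
            print(f"{name}: {f['src']}  [{', '.join(f['reasons'])}]")
```

A hidden iframe on the site's own host is still reported, because the check is meant to surface anything the operator did not put there; the allow-list only suppresses visible, deliberate embeds. Running the scan over a site's published files from a known-good copy and diffing the results is a cheap way to catch the kind of injection described above before visitors do.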