The Register® — Biting the hand that feeds IT

Feeds

Cyber crooks hijack 10,000 websites

Bon Jovi, Mother Teresa pages attack end users

By Dan Goodin, 18th June 2007
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

More than 10,000 websites have been infected by a sophisticated and fast-acting Trojan downloader that attempts to install malware on visiting PCs. At least one security firm, Trend Micro, is working with the FBI to contain the damage and track down the perpetrators.

The attack is noteworthy for the number of sites it has managed to infect in a relatively short period of time. Between Friday and Sunday night, the number jumped from 1,100 to about 2,500. By Monday afternoon, California time, there were more than 10,000 infected sites, according to Paul Ferguson, a network architect for Trend Micro.

Once a server is infected, attackers embed an invisible iframe into the web page that silently redirects visitors to a pair of other sites that attempt to use previously patched Windows vulnerabilities to install malicious keylogging software. The redirected sites use an attack kit known as MPack, which according to this writeup from Symantec is "a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend."

Researchers are still trying to figure out how the attackers have managed to infect the servers.

"It's all over the map," Ferguson says. "The sheer numbers right now are keeping us pretty busy."

While most of the sites are hosted in Italy, researchers have found few common denominators that might suggest how the attackers are able to compromise the machines. It's unclear if attackers are exploiting vulnerabilities on the servers themselves or hacking into service provider infrastructure. Ferguson speculates the attackers are using an automated tool similar to metasploit to search for sites that are vulnerable.

The hacked websites cover the gamut, from a site connected to the rock musician Bon Jovi to one that tries to raise money for charity work of the late Mother Teresa. Most of the compromised sites are mom-and-pop run affairs and are concerned with travel or entertainment.

An iframe buried underneath the hacked sites redirects users to a server that's hosted at a San Francisco-area co-location site that's been used previously by cyber criminals, Ferguson says. That site redirects to yet another server hosted in Chicago. The San Francisco server is registered to a front-company based in Hong Kong. Ferguson said researchers and authorities are trying to contain the attacks by getting the San Francisco and Chicago sites shut down.

MPack is a powerful kit that bundles together many different malware tools. Among other things, it logs detailed information about the machines it attacks, including the IP addresses of machines it has infected and what exploits a particular user is vulnerable to. It is similar to another malkit called WebAttacker.

The attack resembles one from February which targeted certain Miami Dolphins Web sites on the same day the National Football League team hosted the Super Bowl. The legions of fans who visited the site were redirected to third party sites that attempted to install malware on their machines.

Such attacks are increasing, largely thanks to the growing use of powerful javascript that vastly improves the functionality of websites. Unfortunately, programmers haven't paid close enough attention to how these scripts can be abused.

Says Ferguson: "All this Web 2.0 stuff is going to turn in to Web uh oh!" ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (10)
Latest Comments
Jeff Power

Re: To all Javascript/PHP haters

Umm, the issue here isn't that people are being complete idiots and clicking yes or going to suspect web sites.

The issue is that, first of all, legitimate web sites have had nasty code injected into them, and that said nasty code exploits security loopholes in various browsers' implementations of your precious javascript.

I turn off javascript because:

A: The nasty people are very good at figuring out these security loopholes, and often put them to use before a working patch is available.

B: Sites I wouldn't have a reason to distrust on the surface, may have dodgy security and be susceptible to the attacks we are seeing reported in this article.

C: Javascript is often used not just for good, helpful things like forms validation and such, but for things like annoying scrolling text and other crimes against my eyes.

When I really need to use javascript for a site, I temporarily enable it with NoScript. If I go there everyday and don't worry about "B" happening, it gets permanently enabled, like iGoogle.

Now, full-fledged Java is another thing. I hate it because of the amount of resources I have always seen it use up just using it.

0
0
Steve Roper

To all Javascript/PHP haters

If you want your website to be anything more than a document repository, some form of user-responsive scripting is essential. Some of the important uses of Javascript are:

* Instant/real-time form validation

* Foldout and rollover help guides on Web pages

* Warning alerts when a user makes an error

* CSS-to-browser matching

* Browser compatibility checking

* Frame killers to prevent other sites from framing or obfuscating yours

* Email address hiding to protect your email from spam spiders

* Pre-emptive page and image loading to speed up browsing and balance server load

* Dynamic in-page information updates

Yes, lots of sites require Javascript because without it they CAN'T function! Try using iGoogle with Javascript turned off - it can't do any of the things it does. Try creating a web page without it, and see how it messes up in Internet Suxplorer while displaying correctly in Firefox, or vice versa. Try creating a Web form without it, and see how many angry emails you get from users wasting time waiting for a server to tell them they forgot to enter something, so they have to enter all that data over again.

Browsers these days have all sorts of security options built in to control renegade Javascript. I've been to dozens of malware sites and watched while they tried to install something on my PC, only to be thwarted by my clicking No in all the "This site is trying to install XXX-Toolbar, do you want to allow this" dialogues that pop up.

You can set your security options to prevent Javascript from doing unsavoury things like silent installing, opening popups, blocking the context menus, or changing the status bar text or browser chrome.

All our sites use Javascript, if only to hide our email addresses and ensure cross-browser compatibilty. Damned if I'm going to expose my email address to spam spiders, or leave my site looking a mess in Internet Suxplorer, just because some twat's too paranoid to turn on Javascript or too lazy to check their security settings. Come to our sites with Javascript turned off and all you get is a page telling you to turn it on if you want to proceed. (Ah, I love the <noscript> tag!) Yes, we get a few complaints. But the vast majority of our customers love our sites, so for those few that don't like it, tough - go elsewhere, if you can find an "elsewhere" that doesn't use Javascript and provides the same service.

Blanket-blocking Javascript simply reduces your web experience to passive page viewing. Spend some time in your browser options learning about and configuring your security settings. When you go out on a Friday night, you spend time checking that you have your keys, wallet, comb, mobile phone etc. before going out. Do the same before going out on the internet.

----------

@Daniel Ballado-Torres: Java and its various incarnations are CLIENT-SIDE applications - why do you think you have to install the JVM on your machine before you can view any Java applets?

0
0
Daniel Ballado-Torres

Yet another reason to hate Javascript

.. and all of these exploits are thanks to crap like "ActiveX", "Visual Basic (Script)", and "Javascript" being given carte blanche to do just about anything.

When I thought Javascript was dying thanks to server-side webapps (PHP, Java/JSP, J2EE, .net, ASP) somebody had to "invent" AJAX, bringing in the Web 2.0 buzz.

Now lots of sites *require* Javascript to function, and Javascript itself seems to be turning into the new ActiveX.

BTW, PHP isn't a malware vector unlike ActiveX/Javascript, because PHP's run on the server side. That said, PHP apps itself might be exploitable...

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19