Feeds

Nine-ball attack splits security researchers

Ruck over whether figures stack up

Internet Security Threat Report 2014

Security researchers are split over the seriousness of a web attack dubbed "Nine-ball" which broke onto the internet last week.

Websense last week reported a web attack dubbed "Nine-ball", a moniker derived from the name of ninetorag.in, one of the malware hosts associated with the assault, had claimed 40,000 website victims.

Web security services firm ScanSafe, by contrast, describes the attack as "almost non-existent".

Mary Landesman, senior security researcher at ScanSafe, reckons that from 15 June the total number of requests to sites involved in the attacks came to just 333. The total number of compromised websites observed over the last week was just 62 of which only one domain - skyscrapercity.com - features above the top 10,000 traffic spot in Alexa's traffic ratings.

"We were a bit surprised that such an allegedly massive attack could bypass our sentries," Landesman said. "After we did take a look, it became apparent why this one didn't trip our alert sensors - this attack is almost non-existent and might be more aptly named 'scratch ball'.

"It is such a low number attack that it’s not the type of thing we’d normally spend our time investigating."

ScanSafe claims its real-time web scanning gives it a grandstand view of malfeasance on the web while Websense is equally adamant that it has the clearest possible view of malware on the net, and a mite indignant over ScanSafe's suggestion that it's exaggerating the impact of the Nine-ball attack.

Websense updated its original analysis on Monday, after we passed on ScanSafe's observations, reiterating that Nine-ball (although slightly decreased in intensity) remains a potent force. This more detailed analysis includes videos and diagrams illustrating the attack, which has evolved since it was first detected on 2 June.

Carl Leonard, security research manager for Websense EMEA, suggested that if ScanSafe reckoned that the attack was insignificant then it must be missing the bigger picture.

"The Nine-Ball attack was more complicated than most which made it difficult for less experienced researchers to understand its complexities," Leonard told El Reg.

"A confusing factor is that there is not one clear infection path. With no fixed start point, no set route and no fixed end point, linking a series together and appreciating that it’s all part of the same campaign is not an easy thing to do, especially when the attack has more than one malicious host involved.

"Most security companies lack the technology to analyze such attacks. Because Websense has such an extensive Threatseeker network we can see the bigger picture when some other companies may only see a part." ®

Internet Security Threat Report 2014

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.