Nine-ball attack splits security researchers

Ruck over whether figures stack up

Security researchers are split over the seriousness of a web attack dubbed "Nine-ball" which broke onto the internet last week.

Websense last week reported that the attack, whose moniker derives from ninetorag.in, one of the malware hosts associated with the assault, had claimed 40,000 website victims.

Web security services firm ScanSafe, by contrast, describes the attack as "almost non-existent".

Mary Landesman, senior security researcher at ScanSafe, reckons that from 15 June the total number of requests to sites involved in the attacks came to just 333. The total number of compromised websites observed over the last week was just 62, of which only one domain - skyscrapercity.com - features above the top 10,000 traffic spot in Alexa's traffic ratings.

"We were a bit surprised that such an allegedly massive attack could bypass our sentries," Landesman said. "After we did take a look, it became apparent why this one didn't trip our alert sensors - this attack is almost non-existent and might be more aptly named 'scratch ball'.

"It is such a low number attack that it’s not the type of thing we’d normally spend our time investigating."

ScanSafe claims its real-time web scanning gives it a grandstand view of malfeasance on the web, while Websense is equally adamant that it has the clearest possible view of malware on the net, and is a mite indignant over ScanSafe's suggestion that it's exaggerating the impact of the Nine-ball attack.

Websense updated its original analysis on Monday, after we passed on ScanSafe's observations, reiterating that Nine-ball (although slightly decreased in intensity) remains a potent force. This more detailed analysis includes videos and diagrams illustrating the attack, which has evolved since it was first detected on 2 June.

Carl Leonard, security research manager for Websense EMEA, suggested that if ScanSafe reckoned that the attack was insignificant then it must be missing the bigger picture.

"The Nine-Ball attack was more complicated than most which made it difficult for less experienced researchers to understand its complexities," Leonard told El Reg.

"A confusing factor is that there is not one clear infection path. With no fixed start point, no set route and no fixed end point, linking a series together and appreciating that it’s all part of the same campaign is not an easy thing to do, especially when the attack has more than one malicious host involved.

"Most security companies lack the technology to analyze such attacks. Because Websense has such an extensive Threatseeker network we can see the bigger picture when some other companies may only see a part." ®
