
June 1st, 2009

20,000 sites hit with drive-by attack code

Posted by Ryan Naraine @ 6:50 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Flash, Locally Running Web Servers, Malware, Patch Watch, Spam and Phishing, Spyware and Adware

Tags: Malware, Attack, Exploit Site, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Ryan Naraine

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks.

According to a warning from Websense Security Labs, the sites have been injected with malicious, obfuscated JavaScript code that leads to an active exploit site.

The company discovered that the active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com).
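A defender can look for this kind of lookalike name in outbound web traffic. The following is an added example, not code from Websense or from the article: it flags requested hosts whose name is within a small edit distance of google-analytics.com but is not that domain. The log format, the sample lines, the hostnames in them and the distance threshold are all constructed assumptions.

```python
from urllib.parse import urlparse

LEGIT = "google-analytics.com"   # legitimate domain named in the article
MAX_DISTANCE = 2                 # assumed threshold for a "similar" name

# Constructed proxy log lines (timestamp, client, method, URL); not real data.
SAMPLE_LOG = """\
2009-06-01T09:14:02 10.0.0.21 GET http://www.google-analytics.com/ga.js
2009-06-01T09:14:03 10.0.0.21 GET http://goog1e-analytics.example/in.js
2009-06-01T09:15:40 10.0.0.37 GET http://static.example.org/site.css
2009-06-01T09:16:11 10.0.0.37 GET http://google-analytics.com.cdn.example/x
"""

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _norm(label):
    return label.replace("-", "")         # ignore added or dropped hyphens

def is_lookalike(host):
    host = host.lower().rstrip(".")
    if host == LEGIT or host.endswith("." + LEGIT):
        return False                      # the real domain or its subdomains
    target = _norm(LEGIT.split(".")[0])
    # Compare every label except the TLD, so a near-match is caught whether it
    # is the registered name or a prefix such as google-analytics.com.<other>.
    return any(edit_distance(_norm(label), target) <= MAX_DISTANCE
               for label in host.split(".")[:-1])

def flag_requests(log_text):
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        host = urlparse(parts[3]).hostname
        if host and is_lookalike(host):
            hits.append((parts[1], host))
    return hits

if __name__ == "__main__":
    for client, host in flag_requests(SAMPLE_LOG):
        print(f"{client} requested lookalike host {host}")
```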

This is unrelated to the Gumblar attack, Websense said.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site has been seeded with several different attacks targeting unpatched software vulnerabilities. The malware that gets loaded on compromised Windows machines is linked to scareware/rogueware (fake security applications).

Malware purveyors have increasingly turned to legitimate Web sites to launch attacks, using SQL injection techniques to compromise and hijack high-traffic sites.

According to data from MessageLabs, about 85 percent of Web sites blocked for hosting malicious content were ‘well-established’ domains that have been around for a year or more.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

