
August 24th, 2009

55,000 Web sites hacked to serve up malware cocktail

Posted by Ryan Naraine @ 12:08 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Flash, Hackers, Locally Running Web Servers, Malware, Passwords, Viruses and Worms, Vulnerability research

Tags: Web, Malware, Web Site, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Ryan Naraine

Security researchers are raising an alarm for a potent malware cocktail — backdoor Trojans and password stealers — being pushed to Windows users from about 55,000 hacked Web sites.

According to Mary Landesman, a researcher in ScanSafe’s security threat alert team, the cybercriminals have embedded a malicious iFrame into tens of thousands of Websites to fire exploits at unsuspecting PC users who surf to one of the rigged sites.

The iFrame points to an intermediary exploit site which in turn loads additional exploits and malware from up to seven different malware domains, Landesman said.

She ran a Google search of the iFrame script tag and found it embedded on about 54,900 sites, many of them legitimate online destinations.
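A site owner can run the same kind of check against their own pages. The following is an added example, not code from the article or from ScanSafe: it parses a page and reports every iframe or script source that points at a host outside an allowlist. The hostnames, the allowlist and the sample page are constructed, and the zero-size/hidden test is an assumed triage heuristic, since the article does not describe the injected tag's attributes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site intentionally embeds content from.
ALLOWED_HOSTS = {"www.example.org", "player.example-video.test"}

# Constructed sample page: one approved embed, two unexpected off-site loads.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="https://player.example-video.test/v/1" width="560" height="315"></iframe>
<p>Welcome</p>
<iframe src="http://intermediary.invalid/in.php" width="0" height="0" style="visibility: hidden"></iframe>
<script src="//cdn.unknown.invalid/a.js"></script>
</body></html>"""


class FrameAudit(HTMLParser):
    """Record tags that pull content from hosts outside the allowlist."""
    WATCHED = {"iframe": "src", "frame": "src", "script": "src",
               "embed": "src", "object": "data"}

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = (attrs.get(attr_name) or "").strip()
        # Handles absolute and protocol-relative (//host/path) URLs.
        host = (urlparse(url).hostname or "").lower()
        if not host or host in self.allowed:
            return  # relative URL (same site) or an approved host
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (attrs.get("width") in ("0", "1")
                  or attrs.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"line": self.getpos()[0], "tag": tag,
                              "host": host, "url": url, "hidden": hidden})


def audit_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return off-allowlist embeds found in one HTML document."""
    parser = FrameAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run it over rendered pages as well as templates and database-backed content, because an injected tag may exist only in stored content and not in the files on disk.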

Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.

At the time of writing this blog post, the number of hacked sites listed in Google results climbed to 56,000.

It is not yet clear which vulnerabilities are being exploited in this attack but, judging from recent history, end users should ensure that operating system and desktop software programs are fully patched.

The most common programs under attack include Adobe Flash, Adobe PDF Reader, Apple’s QuickTime, WinZip and RealPlayer. In addition to Microsoft Windows patches, these desktop applications should be updated to the newest version immediately.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

