Weak Sites Victimize Visitors
Tuesday, October 18, 2011 @ 02:10 PM gHale
It started off slowly, but an infection that causes poorly configured websites to silently bombard visitors with malware attacks now affects over one million web pages.
The mass infection, which redirects users to a site exploiting old versions of Oracle’s Java, Adobe’s Flash player and various browsers, came to light last week, said researchers from Armorize.
When they first found it earlier in the week, the malware appeared to affect about 180,000 pages. By Friday, the exploit had spread to 613,890 pages combined, the researchers said. By the middle of this week, it was at over one million pages. The SQL injection attack mostly exploits websites running Microsoft’s ASP.Net web application framework.
The infection injects code into websites and plants an invisible link in visitors’ browsers to sites including jjghui.com and nbnjkl.com. Those sites in turn redirect to several other websites that include highly obfuscated code. At the end of the line is a cocktail of attacks that exploit known vulnerabilities in Java and the other targeted programs. Computers running unpatched versions quickly become a victim. Servers in the attack used IP addresses based in the U.S. and Russia.
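The infection chain described above starts with a reference, injected into the site's own content, that points at one of the named first-hop domains. As an added example (not code from the article or from Armorize), the scanner below walks a page, or a text field exported from an ASP.Net site's database, and flags script, iframe and anchor references whose host is one of those domains; the sample page and its URL paths are constructed, only the domains come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the article names as the first hop of the injected redirect chain.
REDIRECT_DOMAINS = {"jjghui.com", "nbnjkl.com"}


def _matches(host, domains):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class InjectedRefScanner(HTMLParser):
    """Collects script/iframe/anchor references that point at the listed domains."""

    def __init__(self, domains=REDIRECT_DOMAINS):
        super().__init__()
        self.domains = domains
        self.findings = []  # (tag, url, line number in the scanned text)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe"):
            url = attrs.get("src")
        elif tag == "a":
            url = attrs.get("href")
        else:
            return
        if not url:
            return
        # Scheme-relative URLs ("//host/path") resolve to a hostname as well.
        host = urlparse(url).hostname or ""
        if _matches(host, self.domains):
            self.findings.append((tag, url, self.getpos()[0]))


def scan_html(html, domains=REDIRECT_DOMAINS):
    """Return the injected references found in one page or one database text field."""
    scanner = InjectedRefScanner(domains)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate script plus two injected references
# (the paths are made up; only the domains come from the article).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
<script src="http://jjghui.com/example.js"></script>
</head><body>
<p>Product listing</p>
<iframe src="//nbnjkl.com/example.html" style="display:none" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> references {url}")
```

Running the same function over every text column of the site's database, rather than over rendered pages, finds the injected markup at its source, since a mass SQL injection plants it in stored content rather than in the page templates.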
When Armorize researchers submitted the code used in the attack on Wednesday, just six of the top 43 antivirus providers detected the attack, according to this VirusTotal analysis. It’s unknown if that number has improved since then.
The attack is the latest to force hundreds of thousands of vulnerable web pages to turn against their visitors. An attack in August against machines running the open-source osCommerce web application poisoned 8.3 million web pages.
Domains used in this week’s attack were registered under the name James Northone of Plainview, NY, the same registered owner of the domains used in the Lizamoon mass-injection attacks in March, which were named after one of the addresses used.