Sites Face New ZeuS Attack

Tuesday, July 19, 2011 @ 12:07 PM gHale

A widespread web injection attack infected a large number of websites with code distributing a variant of the ZeuS Trojan.

“Huge numbers of sites have been injected with a malicious JavaScript that attempts to load content from an exploit site when innocent users browse the affected pages,” said Fraser Howard, a principal virus researcher at security researcher Sophos.

Hackers Banned; Shift to Plan B
Hack Confirmed; Oil Companies Eyed
Attacks Anytime; Govt. Contractors Hit
Web Sites to Find if You’re a Target

The web injection is widespread with the malicious code, detected as Mal/ObfJS-AB, representing a quarter of all reported threats.

The attack does not focus on any particular type of website or web server, suggesting the compromise vector might be stolen FTP accounts.

The injected code redirects visitors to a third-party page which launches PDF and Java exploits. Successful attacks install a ZeuS variant.

“Perhaps the most interesting thing about this attack is the exploit site JavaScript (the content we block as Mal/ExpJS-N). We have been seeing the same exploit script at the end of spam links and JS/Sinowal-V redirects in recent weeks.

“The script is heavily obfuscated and uses polymorphic and anti-emulation techniques to attempt to evade detection,” Howard said.

Affected websites span over different hosting providers, so it does not look as though any hosting company is a particular target, as seen in some mass injection attacks.

Past experiences have shown that website infections like these can persist for months because webmasters have a very slow reaction time. The task of protecting themselves falls with users.

The advice to users is to keep all of their software up to date, especially the operating system, browsers and their plug-ins (Java, Adobe Reader, Flash Player, etc.). Running an up-to-date antivirus program capable of scanning web traffic is also key.

Leave a Reply

You must be logged in to post a comment.