Mass web infection

Security maven Mary Landesman is in the midst of piecing together a who-done-it involving the infection of hundreds of websites that are generating an enormous amount of traffic. Or maybe it's a how-done-it. Either way, she's mostly drawing blanks.

Landesman is a researcher for ScanSafe, a company that monitors the web surfing of employees at large companies and provides them with real-time intelligence about what sites are spreading malware. When a client visits a site that has already attacked someone else, the service automatically blocks the site from loading in the end user’s browser. Viewing some seven billion web requests per month, company researchers see a fair amount of internet gremlins.

Over the past four days, 15 per cent of the blocked malicious traffic has come from just a few hundred sites, which appear to be legitimate ecommerce destinations that have been compromised by attackers. This prompted Landesman to do some digging, and what she uncovered is unlike anything she’s seen before.

For one thing, the sites themselves are hosting the malware, which is then foisted on visitors. Most of the time attackers are unable to gain such a high degree of control over the sites they hack, so they redirect end users to servers under the control of bad guys and use them to drop malicious payloads.

“I’m stumped,” Landesman says. “This is a very different method of infecting the user. I want to find out how they’re doing it and what is the common link between these sites.”

So far, Landesman and other researchers have found no visible thread that ties the disparate group of mom-and-pop sites together. With addresses such as dubai.travel-culture.com, operationultimategoal.com and directline-citybreaks.co.uk, the sites are mostly based in the UK, but some also hail from India, Brazil and elsewhere. They don’t use the same web host, and while most use web serving software from Apache, the versions vary widely, making it unlikely that attackers are exploiting a vulnerability in that program.

The outbreak coincides with another mass infection in progress that’s infected tens of thousands of pages, including those of Boston University, security provider Computer Associates, and agencies from the state of Virginia and the city of Cleveland. It infects websites running Microsoft’s Internet Information Server web program and the company’s SQL database with links that redirect users to servers in China. The malicious sites then try to install keylogging software and other nasties.

As massive as that infection is, it’s responsible for less than one per cent of the malicious traffic that ScanSafe has blocked over the past four days, a small fraction compared with the mystery sites Landesman is tracking.

The sites exhibit other intriguing characteristics. They attempt to infect visitors with a javascript file with a randomly generated name that changes each time a person visits the site. Accessing paddingtoncourt.com, for example (we don’t recommend readers try this), might result in the insertion of a script referencing a file titled xxxxx.js, which is dynamically created at paddingtoncourt.com/xxxxx.js. A different visitor might encounter a file titled yyyyy.js served from paddingtoncourt.com/yyyyy.js.

The constant flux makes it impossible for researchers to access the script responsible for delivering the payload or to run Google searches that might provide a more comprehensive list of other sites that might be affected.

The script looks for various vulnerabilities specific to the visiting OS, and when it finds one pulls a .Mov file from the domain dedicated.abac.net. That in turn invokes a file from bds.invitations.fr, which installs a backdoor on end users’ machines. Victims are unlikely to know they’ve been infected because the installation is clear and seamless, and the malware uses few PC resources. At last check, only three of 33 antivirus programs detected the malware, which appears to be a derivative of the Rbot Trojan.

“This is pretty nasty,” Landesman says. “It’s a new type of compromise, and a pretty significant one.” And so far very little is understood about it.

Below is a more comprehensive (though not exhaustive) list of the sites identified as infected. If you can help shed some much-needed light on these attacks, please leave a comment below or contact your reporter using this link.

http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/

Not sure if avast! is one of the three.
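The rotating script names the article describes (xxxxx.js for one visitor, yyyyy.js for the next) leave a distinctive trace in a compromised site’s own access log: many different .js names at the same location, each fetched exactly once, often with identical response sizes. The following is an added example, not code from The Register, ScanSafe or this thread, showing how a site owner could scan a log for that pattern. The log lines are constructed for the example (documentation IP ranges, made-up script names); the threshold and the size check are assumptions, not anything the article states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Apache/nginx common log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: three visitors each fetch the site's real script plus
# one never-repeated .js name at the site root, as the article describes.
SAMPLE_LOG = """
203.0.113.10 - - [15/Jan/2008:10:01:12 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [15/Jan/2008:10:01:13 +0000] "GET /js/site.js HTTP/1.1" 200 2048
203.0.113.10 - - [15/Jan/2008:10:01:13 +0000] "GET /kq3z8d.js HTTP/1.1" 200 912
198.51.100.7 - - [15/Jan/2008:10:02:40 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [15/Jan/2008:10:02:41 +0000] "GET /js/site.js HTTP/1.1" 200 2048
198.51.100.7 - - [15/Jan/2008:10:02:41 +0000] "GET /p7m2xw.js HTTP/1.1" 200 912
192.0.2.55 - - [15/Jan/2008:10:03:05 +0000] "GET /js/site.js?v=12 HTTP/1.1" 200 2048
192.0.2.55 - - [15/Jan/2008:10:03:05 +0000] "GET /a9fd1c.js HTTP/1.1" 200 912
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # ignore cache-busting query strings
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_single_use_scripts(lines, min_distinct: int = 3) -> Dict[str, List[Tuple[str, int]]]:
    """Return {directory: [(path, size), ...]} for every directory in which at
    least `min_distinct` different .js names were each served (HTTP 200) exactly
    once. Legitimate scripts are fetched repeatedly by many visitors; a name that
    exists for a single request is the signature of per-visit generated files."""
    requests = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        if not rec["path"].lower().endswith(".js"):
            continue
        requests[rec["path"]].append(rec)

    by_dir = defaultdict(list)
    for path, recs in requests.items():
        if len(recs) == 1:  # fetched exactly once, by exactly one client
            directory = path.rsplit("/", 1)[0] or "/"
            by_dir[directory].append((path, recs[0]["size"]))

    return {d: sorted(v) for d, v in by_dir.items() if len(v) >= min_distinct}


def payload_sizes(flagged: Dict[str, List[Tuple[str, int]]]) -> Dict[str, set]:
    """Distinct response sizes per flagged directory: a single size shared by many
    names suggests one script being served under rotating filenames."""
    return {d: {size for _, size in entries} for d, entries in flagged.items()}


if __name__ == "__main__":
    flagged = find_single_use_scripts(SAMPLE_LOG)
    for directory, entries in flagged.items():
        print(f"{directory}: {len(entries)} single-use .js names, sizes {payload_sizes(flagged)[directory]}")
        for path, size in entries:
            print(f"  {path} ({size} bytes)")
```

Build systems that emit content-hashed filenames (app.3f2a1b.js) will trip the same heuristic after every deployment, so treat a hit as a prompt to compare the flagged files against the site’s deployed source tree rather than as proof of compromise.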

Quote from the same site:

Hello,

It’s a variant of Exploit.HTML.IESlice.h and Exploit.HTML.IESlice.p

Exploits different QuickTime vulnerabilities and America Online SuperBuddy ActiveX Control “LinkSBIcons()”, NCTAudioFile2, etc.

Regards.

That’s the exploit(s), which should be detected by avast!

I wondered about the payload, the Rbot variant.

Update: the exploit (or this variant at least) is not detected by avast!

I’ve sent the exploit to virus[at]avast.com.

Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.10 2008.01.15 -
AntiVir 7.6.0.46 2008.01.15 HTML/Silly.Gen
Authentium 4.93.8 2008.01.13 -
Avast 4.7.1098.0 2008.01.14 -
AVG 7.5.0.516 2008.01.14 Exploit
BitDefender 7.2 2008.01.15 Trojan.Downloader.JS.Agent.ON
CAT-QuickHeal 9.00 2008.01.15 -
ClamAV 0.91.2 2008.01.14 -
DrWeb 4.44.0.09170 2008.01.15 -
eSafe 7.0.15.0 2008.01.14 JS.IEslice.aq
eTrust-Vet 31.3.5459 2008.01.15 JS/SillyDlScript.DG
Ewido 4.0 2008.01.15 -
FileAdvisor 1 2008.01.15 -
Fortinet 3.14.0.0 2008.01.15 -
F-Prot 4.4.2.54 2008.01.14 -
F-Secure 6.70.13030.0 2008.01.15 Exploit.HTML.IESlice.bz
Ikarus T3.1.1.20 2008.01.15 Virus.Exploit.HTML.IESlice.bz
Kaspersky 7.0.0.125 2008.01.15 Exploit.HTML.IESlice.bz
McAfee 5207 2008.01.15 JS/Downloader-AUD
Microsoft 1.3109 2008.01.15 Exploit:JS/Mult.K
NOD32v2 2792 2008.01.15 -
Norman 5.80.02 2008.01.15 -
Panda 9.0.0.4 2008.01.14 -
Prevx1 V2 2008.01.15 -
Rising 20.27.12.00 2008.01.15 -
Sophos 4.24.0 2008.01.15 Mal/ExpJS-D
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.15 Trojan.Webkit!html
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.13 -
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.15 Script.Silly.Gen

Seems to be the one mentioned here:

http://www.webhostingtalk.com/showthread.php?t=651748

More info here:

http://blog.scansafe.com/journal/2008/1/15/mom-pop-sites-hit-hard-by-host-compromise.html

According to independent reports released earlier this week by SecureWorks and Finjan, [b]10,000 or more websites are similarly infected. As of Tuesday, almost all of these were still infected.[/b] They are churning out malware, which preys on at least nine different vulnerabilities in programs such as the QuickTime media player, Yahoo! Messenger and Windows operating systems to install a backdoor on end users' computers.

http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/

avast!: This is one definition you don’t want to take 10 weeks to add. Please.

"[b]The longer they will have the malicious code out there, the better the chances they'll infect people.[/b]"

Once the malware successfully finds an unpatched vulnerability, it installs the Rbot Trojan, or one of its variants. Many antivirus programs still fail to detect the exploit.

Poisoned websites attack visitors

Thousands of small web shops have been unwittingly poisoned with malicious code that infects PC users who visit.

Security experts said the sophisticated attack had succeeded on a larger scale than many other similar attacks.

Once installed on a Windows machine the malicious code steals passwords, browser data as well as login names for bank accounts and online games.

The attack is proving hard to defend against for both sites being hit and PC users who are caught out.

http://news.bbc.co.uk/1/hi/technology/7193993.stm

OK, I’m already really concerned about this. I even scanned the whole PC with the Kaspersky online scanner to make sure avast had not missed anything. ATM everything is OK. But I hope to see an answer here from anyone on the Alwil team. Is it really such a threat to be concerned about? ???

Not if your computer is up-to-date. :slight_smile:

Trying to keep it as up-to-date as possible.

This one is still not detected despite being a current exploit. Why? ???

Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.53 2008.01.25 HTML/Silly.Gen
Authentium 4.93.8 2008.01.26 JS/IESlice.E
Avast 4.7.1098.0 2008.01.27 -
AVG 7.5.0.516 2008.01.26 Exploit
BitDefender 7.2 2008.01.27 Trojan.Downloader.JS.Agent.ON
CAT-QuickHeal 9.00 2008.01.25 -
ClamAV 0.91.2 2008.01.27 -
DrWeb 4.44.0.09170 2008.01.26 -
eSafe 7.0.15.0 2008.01.16 JS.IEslice.aq
eTrust-Vet 31.3.5486 2008.01.26 JS/SillyDlScript.DG
Ewido 4.0 2008.01.26 -
FileAdvisor 1 2008.01.27 -
Fortinet 3.14.0.0 2008.01.26 -
F-Prot 4.4.2.54 2008.01.26 JS/IESlice.E
F-Secure 6.70.13260.0 2008.01.26 Exploit.HTML.IESlice.bz
Ikarus T3.1.1.20 2008.01.27 Virus.Exploit.HTML.IESlice.bz
Kaspersky 7.0.0.125 2008.01.27 Exploit.HTML.IESlice.bz
McAfee 5216 2008.01.26 JS/Downloader-AUD
Microsoft 1.3109 2008.01.27 Exploit:JS/Mult.K
NOD32v2 2825 2008.01.27 -
Norman 5.80.02 2008.01.24 -
Panda 9.0.0.4 2008.01.26 -
Prevx1 V2 2008.01.27 -
Rising 20.28.60.00 2008.01.27 Hack.Exploit.Script.Agent.r
Sophos 4.25.0 2008.01.27 Mal/ExpJS-D
Sunbelt 2.2.907.0 2008.01.25 -
Symantec 10 2008.01.27 Trojan.Webkit!html
TheHacker 6.2.9.199 2008.01.26 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.26 -
Webwasher-Gateway 6.6.2 2008.01.27 Script.Silly.Gen

Well, one of my samples is detected now. I had thought they were both the same as other AV’s picked them both up with the same generic detection.

Better than nothing, I suppose. :slight_smile:

Antivirus Version Last Update Result
AhnLab-V3 2008.2.2.10 2008.02.01 -
AntiVir 7.6.0.61 2008.02.01 HTML/Silly.Gen
Authentium 4.93.8 2008.02.01 JS/IESlice.E
Avast 4.7.1098.0 2008.02.01 VBS:Malware-gen
AVG 7.5.0.516 2008.02.02 Exploit
BitDefender 7.2 2008.02.02 Trojan.Downloader.JS.Agent.ON
CAT-QuickHeal 9.00 2008.02.01 -
ClamAV 0.92 2008.02.02 -
DrWeb 4.44.0.09170 2008.02.02 -
eSafe 7.0.15.0 2008.01.28 JS.IEslice.aq
eTrust-Vet 31.3.5504 2008.02.01 JS/SillyDlScript.DG
Ewido 4.0 2008.02.02 -
FileAdvisor 1 2008.02.02 -
Fortinet 3.14.0.0 2008.02.02 -
F-Prot 4.4.2.54 2008.02.01 JS/IESlice.E
F-Secure 6.70.13260.0 2008.02.01 Exploit.HTML.IESlice.bz
Ikarus T3.1.1.20 2008.02.02 Virus.Exploit.HTML.IESlice.bz
Kaspersky 7.0.0.125 2008.02.02 Exploit.HTML.IESlice.bz
McAfee 5221 2008.02.01 JS/Downloader-AUD
Microsoft 1.3204 2008.02.02 Exploit:JS/Mult.K
NOD32v2 2845 2008.02.02 -
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.02 -
Prevx1 V2 2008.02.02 -
Rising 20.29.22.00 2008.01.30 Hack.Exploit.Script.Agent.r
Sophos 4.26.0 2008.02.02 Mal/ExpJS-D
Sunbelt 2.2.907.0 2008.02.02 -
Symantec 10 2008.02.02 Trojan.Webkit!html
TheHacker 6.2.9.205 2008.02.01 -
VBA32 3.12.6.0 2008.02.02 -
VirusBuster 4.3.26:9 2008.02.01 -
Webwasher-Gateway 6.6.2 2008.02.02 Script.Silly.Gen

Antivirus Version Last Update Result
AhnLab-V3 2008.2.2.10 2008.02.01 -
AntiVir 7.6.0.61 2008.02.01 HTML/Silly.Gen
Authentium 4.93.8 2008.02.01 JS/IESlice.E
Avast 4.7.1098.0 2008.02.01 -
AVG 7.5.0.516 2008.02.02 Exploit
BitDefender 7.2 2008.02.02 Trojan.Downloader.JS.Agent.ON
CAT-QuickHeal 9.00 2008.02.01 -
ClamAV 0.92 2008.02.02 -
DrWeb 4.44.0.09170 2008.02.02 -
eSafe 7.0.15.0 2008.01.28 JS.IEslice.aq
eTrust-Vet 31.3.5504 2008.02.01 JS/SillyDlScript.DG
Ewido 4.0 2008.02.02 -
FileAdvisor 1 2008.02.02 -
Fortinet 3.14.0.0 2008.02.02 -
F-Prot 4.4.2.54 2008.02.01 JS/IESlice.E
F-Secure 6.70.13260.0 2008.02.01 Exploit.HTML.IESlice.bz
Ikarus T3.1.1.20 2008.02.02 Virus.Exploit.HTML.IESlice.bz
Kaspersky 7.0.0.125 2008.02.02 Exploit.HTML.IESlice.bz
McAfee 5221 2008.02.01 JS/Downloader-AUD
Microsoft 1.3204 2008.02.02 Exploit:JS/Mult.K
NOD32v2 2845 2008.02.02 -
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.02 -
Prevx1 V2 2008.02.02 -
Rising 20.29.22.00 2008.01.30 Hack.Exploit.Script.Agent.r
Sophos 4.26.0 2008.02.02 Mal/ExpJS-D
Sunbelt 2.2.907.0 2008.02.02 -
Symantec 10 2008.02.02 Trojan.Webkit!html
TheHacker 6.2.9.205 2008.02.01 -
VBA32 3.12.6.0 2008.02.02 -
VirusBuster 4.3.26:9 2008.02.01 -
Webwasher-Gateway 6.6.2 2008.02.02 Script.Silly.Gen
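The thread tracks the same samples through several multi-engine scans, and the interesting question each time is which engines gained a detection, which still miss it, and whether a label changed. The following is an added Python helper, not part of this thread or of any vendor’s tooling, that parses the plain “Antivirus Version Last Update Result” tables pasted above, computes the detection ratio, and diffs two scans. The embedded tables are short excerpts (eight engines each) of the 27 January and 1 February results posted above for the first sample; vendor names, versions, dates and labels are copied from the thread, and the excerpting is the only assumption.

```python
from typing import Dict, List, Optional, Tuple

# Excerpts of the results posted in this thread for the first sample (not the
# complete 32-engine tables); values are copied from the posts above.
SCAN_JAN27 = """
Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.53 2008.01.25 HTML/Silly.Gen
Avast 4.7.1098.0 2008.01.27 -
ClamAV 0.91.2 2008.01.27 -
Kaspersky 7.0.0.125 2008.01.27 Exploit.HTML.IESlice.bz
McAfee 5216 2008.01.26 JS/Downloader-AUD
NOD32v2 2825 2008.01.27 -
Sophos 4.25.0 2008.01.27 Mal/ExpJS-D
"""

SCAN_FEB01 = """
Antivirus Version Last Update Result
AhnLab-V3 2008.2.2.10 2008.02.01 -
AntiVir 7.6.0.61 2008.02.01 HTML/Silly.Gen
Avast 4.7.1098.0 2008.02.01 VBS:Malware-gen
ClamAV 0.92 2008.02.02 -
Kaspersky 7.0.0.125 2008.02.02 Exploit.HTML.IESlice.bz
McAfee 5221 2008.02.01 JS/Downloader-AUD
NOD32v2 2845 2008.02.02 -
Sophos 4.26.0 2008.02.02 Mal/ExpJS-D
"""

# (engine version, signature date, detection label or None when the engine missed it)
Verdict = Tuple[str, str, Optional[str]]


def parse_results(text: str) -> Dict[str, Verdict]:
    """Parse the whitespace-separated table format used in the thread.
    The header says 'Last Update' (two words) but data rows carry one date token,
    so every data row is: vendor version date label..., with '-' meaning no detection."""
    results: Dict[str, Verdict] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Antivirus":  # header row
            continue
        if len(tokens) < 4:
            raise ValueError(f"malformed row: {line!r}")
        vendor, version, updated = tokens[:3]
        label = " ".join(tokens[3:])
        results[vendor] = (version, updated, None if label == "-" else label)
    return results


def detection_ratio(results: Dict[str, Verdict]) -> Tuple[int, int]:
    """(engines that detected, engines scanned)."""
    detected = sum(1 for _, _, label in results.values() if label is not None)
    return detected, len(results)


def undetected(results: Dict[str, Verdict]) -> List[str]:
    """Vendors that returned no detection, sorted for stable reporting."""
    return sorted(v for v, (_, _, label) in results.items() if label is None)


def diff_scans(old: Dict[str, Verdict], new: Dict[str, Verdict]) -> Dict[str, list]:
    """Compare two scans of the same sample: who gained or lost a detection,
    and who kept detecting it under a different label."""
    gained, lost, renamed = [], [], []
    for vendor in sorted(set(old) | set(new)):
        before = old.get(vendor, (None, None, None))[2]
        after = new.get(vendor, (None, None, None))[2]
        if before is None and after is not None:
            gained.append(vendor)
        elif before is not None and after is None:
            lost.append(vendor)
        elif before is not None and after is not None and before != after:
            renamed.append((vendor, before, after))
    return {"gained": gained, "lost": lost, "renamed": renamed}


if __name__ == "__main__":
    old, new = parse_results(SCAN_JAN27), parse_results(SCAN_FEB01)
    print("27 Jan: %d/%d" % detection_ratio(old))
    print("01 Feb: %d/%d" % detection_ratio(new))
    print("changes:", diff_scans(old, new))
    print("still undetected:", undetected(new))
```

Feed the full tables from the thread into the same functions and the diff shows the one change the poster noticed (Avast adding VBS:Malware-gen for the first sample) without reading 32 rows twice; comparing the two 1 February tables against each other shows which of the poster’s two samples each engine covers.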