bit-tech.net

Web-based malware hits 40,000 sites

The newly-discovered web-based malware uses JavaScript to redirect visitors to a fake Google page before attempting to infect their systems.

The Internet just got that little bit more dangerous with the news that a new strain of malware is infesting websites with dodgy JavaScript – and has hit over 40,000 websites so far.

According to an article over on ComputerWorld quoting Internet security firm Websense, a large number of websites have fallen prey to the attack – and are attempting to infect the PCs of visitors.

The web-resident malware uses JavaScript to redirect visitors to a fake Google Analytics page, which then attempts to make use of vulnerabilities in Internet Explorer and Firefox to install malicious code on systems that visit the site.

This malware is somewhat smarter than average, however: should the automated infection process fail – as would be expected on a fully-patched system – the site displays a warning that the PC is infected with malware which, amazingly enough, the site is able to cure if you would just download a free little program...

The root domain serving the malicious code is hosted in the Ukraine, a favourite hiding place of the Russian Business Network criminal gang – a group which was thought to have dissolved some months back.

Although the initial infection vector is not known, it's thought that the 40,000 affected hosts were compromised by the traditional method: SQL injection attacks. The sheer volume of websites affected by the attack points to an automated system, rather than targeted attacks by individual crackers.

As usual, the advice is to ensure that you keep your system – and especially your browser – up to date in order to protect yourself from these threats. Firefox users can also make use of the NoScript addon – although this doesn't protect the gullible from the social engineering aspect of the attack.

Have you noticed any dodgy-looking 'Google' pages trying to convince you to download suspicious software, or is 40,000 infected sites merely a drop in the ocean and nothing to worry about? Share your thoughts over in the forums.

7 Comments

kenco_uk 4th June 2009, 13:50 Quote
I wish these sort of things would be done in a controlled environment.
WeWatchYourWebsite 4th June 2009, 14:25 Quote
We've seen the majority of these are located after the closing html tag in the file. You can locate the files on your PC if you search for unescape and then look at the code. If it's something you didn't put there, it could be either one of these infections (I'm not sure what they're called yet) or a martuz or gumblar type of malscript.

If it's a martuz or gumblar, it will probably be located after the closing head tag, but before the opening body tag.

That's been our experience anyway. YMMV
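
The placement check described in the comment above can be scripted. This is an added example, not part of the thread or of any tool named in it; the function names and sample pages are constructed for illustration, and the `unescape()` argument in the samples decodes to the harmless string "hi".

```python
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
UNESCAPE_RE = re.compile(r"\bunescape\s*\(")

def locate_unescape_scripts(html):
    """Return a location label for each inline <script> that calls unescape()."""
    head_close = re.search(r"</head\s*>", html, re.I)
    body_open = re.search(r"<body\b", html, re.I)
    html_close = re.search(r"</html\s*>", html, re.I)
    labels = []
    for m in SCRIPT_RE.finditer(html):
        if not UNESCAPE_RE.search(m.group(1)):
            continue
        pos = m.start()
        if html_close and pos >= html_close.end():
            labels.append("after </html>")
        elif head_close and body_open and head_close.end() <= pos < body_open.start():
            labels.append("between </head> and <body>")
        else:
            # Inside the normal document: only suspicious if you did not put it there.
            labels.append("inside document")
    return labels

def scan_tree(root, suffixes=(".html", ".htm", ".php")):
    """Map each page under root that has a hit to its list of labels."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            labels = locate_unescape_scripts(path.read_text(errors="replace"))
            if labels:
                hits[str(path)] = labels
    return hits

# Constructed sample pages (not taken from any infected site).
SNIPPET = "<script>document.write(unescape('%68%69'))</script>"
PAGE = "<html><head><title>t</title></head>{gap}<body><p>x</p>{body}</body></html>{tail}"
SAMPLES = {
    "clean": PAGE.format(gap="", body="", tail=""),
    "appended": PAGE.format(gap="", body="", tail="\n" + SNIPPET),
    "head_gap": PAGE.format(gap=SNIPPET, body="", tail=""),
    "in_body": PAGE.format(gap="", body=SNIPPET, tail=""),
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, locate_unescape_scripts(page))
```

Run `scan_tree()` against a local copy of the site files; an "inside document" hit still needs comparing against a known-good copy of the page.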
B3CK 4th June 2009, 18:14 Quote
Have had about 60 calls on virus showing up as goldrun, detected by malwarebytes-antimalware. So far only the customers with malwarebytes and avira both installed are calling in. This all started yesterday, guessing this might be it? So far, we are just re-imaging, as none of the scanners we use seem to repair/remove the problem.
Jasio 4th June 2009, 18:17 Quote
Yeah, I've seen several sites infected with this; it's an iframe embedded worm originating from a series of Chinese servers. Pretty easy to block but nonetheless very annoying.
airchie 4th June 2009, 23:53 Quote
+1 for FF + NoScript tbh. :)
webdesignone 17th June 2009, 02:02 Quote
:(:'(I have been infected with malware that has infiltrated all of my web projects, in my entire ftp, I have cleaned out the nasty scripts, taken down all files and replaced them to clean out the ftp and all files, I have purchased over 300 in malware tool removers and still the nasty thing is back. Any suggestions? We have purchased root kit cleaners everything to this point and now it has infected yet still a second server and all files there as well. NEED HELP IN THE WORST WAY PLEASE.. you can email me direct with any suggestions Avast paid professional version, Norton paid pro, windows defender, and zone, has not helped. I need to be rid of this phishing and redirect attacks anyone ??? Please !:(:'(
webdesignone 17th June 2009, 02:05 Quote
Quote:
Originally Posted by Jasio
Yeah, I've seen several sites infected with this; it's an iframe embedded worm originating from a series of Chinese servers. Pretty easy to block but nonetheless very annoying.

HI FELLOW CANADIAN I am having significant issue from this please email me I need advice. Ciao webdesignone