Cocktail of Malicious JavaScripts and Confusing Codes Results in Attack Sites

Researchers at security company Websense warned on May 29, 2009 of a vicious infection that can load a mix of malware onto end users' computers and has spread to around 30,000 websites run by government agencies, businesses and other types of organizations.

The infection pushes malicious JavaScript into the sites' home pages, possibly by exploiting a common program in a way that results in SQL injection, according to Stephan Chenette, manager of security research at Websense. The Register published this on May 30, 2009.

Chenette added that the injected code is crafted so that it looks like a Google Analytics script, and that it uses obfuscated JavaScript, which makes the code difficult to detect.

Furthermore, the malicious payload quietly connects end users visiting the contaminated sites to remote servers, which monitor those end users' computers. It then tries to exploit at least one of the ten unpatched vulnerabilities affecting those end users' systems. If no vulnerability is found, the server instead produces a pop-up that warns of a supposed infection on the PC, so that the user can be tricked into loading a fake anti-virus.

The fake AV, says Websense, employs polymorphic tactics so that its signatures change constantly, enabling it to escape identification by a legitimate AV. Because the injected JavaScript is obfuscated, the legitimate AV fails to detect it, and it also eludes Google searches that hunt for a common variable or string on the web.

Moreover, Chenette said that for an ordinary user it would be hard, if not impossible, to figure out what the code is doing.

The security researchers state that the infection is quite similar to the Gumblar attack, a mass website compromise that also pushes obfuscated JavaScript into legitimate websites to facilitate attacks against visiting computers. Websense estimates that so far it has proliferated to around 60,000 sites. However, the JavaScript behaves differently in the two cases, prompting Websense researchers to conclude that the attacks are unconnected.

Meanwhile, regarding the new infection, the researchers stated that the hackers were being clever, as they duplicated the tactics of previous threats that kept their tracks concealed.

» SPAMfighter News - 6/5/2009