Criminals Launched Massive Hacking Attack on Websites

After Gumblar, another major incident of hacking a massive number of websites has recently been detected by the security researchers at Trend Micro. Most importantly, it has also raised the concern to the same level as the previous one.

This latest incident of mass hacking initiating technique is identical to that of Gumblar, wherein a malicious IFRAME unsuspectingly embedded in an authentic site through JavaScript. According to Trend Micro, this IFRAME transfers to some other IFRAME that, in turn, runs malicious JavaScript.

The malicious code, on decoding, tries to link to the URLs in order to download some exploits codes that abuse the flaws on the site and establishes control over the site. Trend Micro has detected the hidden JavaScript as JS_DROPPER.LOK, whereas the links that initiate the exploits' download as TROJ_SHELLCOD.HT.

Successful exploitation, further leads to the downloading of some more malicious files detected as TROJ_MEDPINCH.A and TROJ_MEDPINCH.B by the security firm.

As per the security experts, TROJ_MEDPINCH.B links to some URLs so as to download information stealers - TSPY_LDPINCH.CBS and SPYW_IEWATCHER. While TROJ_MEDPINCH.A facilitates the downloading of another information stealer called TSPY_LDPINCH.ASG, which steals the users' account details.

This spyware illegally obtains user password, user names, and account as well as installation details of applications, viz. Opera Software, Mirabilis ICQ, INETCOMM Server, Trillian, The Bat! and Total Commander.

Although the incident made its occurrence just a few days after Gumblar, its domain goes without the mention of Gumblar.

It is noteworthy that the security firm ScanSafe found that the attack of Gumblar commenced in March 2009. In the attack, websites were hacked and malicious code was implanted on them. According to reports, the malware attacking the sites evolved from "gumblar.cn" domain - a China-based domain related to Latvian and Russian IP addresses which were sending malicious code from the British servers.

Moreover, as soon as the infected sites were cleaned, attackers substituted the malicious code with automatically generated and hidden JavaScript, which made it a tough task for security software to detect it.

Finally, the malicious URLs have already been blocked by Trend Micro and users are advised to patch their PCs so as to diminish the probability of any exploit.

Related article: Criminals Hack With More Evil Tactics

» SPAMfighter News - 6/8/2009