Beladen-Infected Websites in Sharp Decline
The ThreatSeeker Network of Websense Security Labs has observed a steady decline, during June 7-12, 2009, in the number of websites infected with the malicious code planted by the Beladen injection. The company regards this decline with considerable suspicion, as it believes that the infected hosts remain under the attackers' control.
Notably, the Beladen attack had infected about 40,000 websites by 3 June 2009, as reported by SCMagazine. Much like the Gumblar attacks that ScanSafe reported in May 2009, the Beladen hijacks are thought to be the result of stolen FTP credentials. The campaign distributes 'scareware', or rogue antivirus software.
Because of the malicious code, any user viewing one of the hijacked websites is redirected twice: first to a site that captures statistical information, which is transmitted to the hacker, and then to the Beladen website, which delivers the malware. The two redirections occur just milliseconds apart.
Meanwhile, the security researchers say that the Beladen.net domain name is not new; it has existed since June 2008. Although security experts declared Beladen.net malicious a long time ago, only lately has the domain been involved in the new, bulk injection attack.
The Websense researchers state that Beladen.net tries to infect computers via third-party software as well as older, flawed browser versions. However, it is not yet clear which browser flaw is involved. It is believed that the flaw is possibly in a content management utility, a blogging/forum application, or a web framework on which the websites are built.
Moreover, the researchers state that the unexpected decline in Beladen-infected websites suggests that the perpetrators are likely removing the injected code automatically, in preparation for staging a fresh code-injection campaign soon.
» SPAMfighter News - 22-06-2009