Nine Ball Website Compromises Hit Over 40,000 Sites

According to Websense, its Security Labs ThreatSeeker Network has uncovered another bulk code-injection attack on the web following the Gumblar and Beladen attacks.

The security firm states that a massive attack, called Nine Ball, has compromised over 40,000 websites by injecting malicious code into pages and diverting visitors to a website serving keylogger and Trojan programs.

Websense, which has been monitoring Nine Ball for more than seven days, says each of the hijacked sites carrying the malicious code first attempts to identify the visitor and then uses the visitor's IP address to check whether this is a repeat visit.

Further, to evade security investigators and researchers, who could be repeat visitors, the sites send all such visitors to the Ask.com search-engine site.

Stephan Chenette, Security Research Manager at Websense, says that Ask.com is not harmful. It is just where a visitor, seen a second time, is sent, as reported by Network World on June 16, 2009. Chenette notes that this kind of scrutiny and diversion is becoming a routine exercise in website attacks to elude detection.

A new visitor, by contrast, is passed through additional redirects to www.nine2rack. According to Websense, this website is possibly based in Ukraine.
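A defender-side sketch of how the visitor check described above shows up in web-proxy logs, added here as an example and not taken from Websense or the article: it flags sites that send an IP address to one off-site host on its first visit and to a different host on every repeat visit. The log format, the hostnames and the function names are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample of proxy log lines (not real data):
# ISO timestamp, client IP, site visited, host where the redirect chain ended.
SAMPLE_LOG = """\
2009-06-16T09:00:01 10.0.0.5 shop.example landing.example
2009-06-16T09:00:09 10.0.0.7 shop.example landing.example
2009-06-16T09:05:40 10.0.0.5 shop.example search.example
2009-06-16T09:07:12 10.0.0.7 shop.example search.example
2009-06-16T09:08:00 10.0.0.5 news.example news.example
2009-06-16T09:09:30 10.0.0.5 news.example news.example
2009-06-16T09:10:02 10.0.0.9 shop.example landing.example
"""

def parse(log_text):
    """Yield (timestamp, client_ip, site, final_host) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def find_cloaking_sites(log_text, min_clients=2):
    """Return {site: evidence} for sites where at least min_clients client IPs
    ended on one off-site host on their first visit and on a different host
    on every later visit."""
    visits = defaultdict(list)  # (site, ip) -> final hosts in time order
    for ts, ip, site, final in sorted(parse(log_text)):  # ISO timestamps sort by time
        visits[(site, ip)].append(final)

    evidence = defaultdict(
        lambda: {"first_visit": set(), "repeat_visit": set(), "clients": set()})
    for (site, ip), hosts in visits.items():
        first, later = hosts[0], set(hosts[1:])
        # Needs a repeat visit, an off-site first destination, and a
        # repeat destination that differs from the first one.
        if later and first != site and first not in later:
            entry = evidence[site]
            entry["first_visit"].add(first)
            entry["repeat_visit"] |= later
            entry["clients"].add(ip)
    return {s: e for s, e in evidence.items() if len(e["clients"]) >= min_clients}

if __name__ == "__main__":
    for site, e in find_cloaking_sites(SAMPLE_LOG).items():
        print(site, "first visit ->", sorted(e["first_visit"]),
              "| repeat ->", sorted(e["repeat_visit"]),
              "| clients:", sorted(e["clients"]))
```

Requiring the same pattern from several client IPs keeps a single user's changed browsing path from flagging a site; clients behind a shared NAT address will still blur the first-visit signal.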

The final danger for a victim, however, is an attempted drive-by download, which follows the malware's probing for security flaws in the browser, QuickTime or Adobe software running on the end user's computer. If the attack succeeds, a keylogger and a Trojan are downloaded that several antivirus programs have still not been able to recognize, says Websense.

In addition, many of these Trojans are polymorphic or created in haste. Several security failures could have helped Nine Ball compromise such a large number of websites, such as SQL injection attacks against vulnerable websites, as well as bot-infected PCs that have captured website administrators' logins or users' passwords.

Meanwhile, Websense believes the people behind Gumblar and Beladen might also be responsible for Nine Ball.


» SPAMfighter News - 26-06-2009
