ScanSafe - Hackers Infected 57,000 Websites to Load Malware

ScanSafe, an online security company, has discovered that over 57,000 websites have been compromised in a campaign, which tried to load large amount of malicious programs on users' computers.

The security company states that a malicious iFrame has been used to infect the websites with the help of SQL injection. Thereafter, the malicious iFrame installs a cocktail of trojans comprising password stealers, downloaders and backdoors on the hijacked websites, according to Mary Landesman, Senior Security Researcher at ScanSafe, as reported by eWeek on August 24, 2009.

It has also been found that the iFrame leads a user to an exploit website, which downloads more malware and exploits taken from 7 separate domains hosting malicious software.

The exploits then load other damaging software like the keystroke logger, Gologger and a backdoor, which tries to establish a link with a China-hosted website.

Moreover, once the iFrame is installed, the script quietly downloads a malicious JavaScript from a0v.org that runs without drawing notice when users access any of the compromised sites.

Most of the results that search engines Yahoo and Google returned could not spot the threat in spite of a technology on both the websites, which should have stopped users from following malicious links.

Meanwhile, the websites affected comprised those of health care institutions like the New York Methodist Hospital, nursing and charitable services like sweetgrassvillagealf.com, howellcarecenter.com, morningsideassistedliving.com and foodsresourcebank.org, amongst others.

On August 21, 2009, ScanSafe alerted of the outbreak. It pointed out that approximately 55,000 websites had been affected. The malware, according to ScanSafe, is placed quietly, and it is now made to hit Windows computers only. Programs that are commonly attacked are Adobe PDF Reader, Adobe Flash, Apple's QuickTime, Real Player and WinZip.

While it isn't still evident which security flaws hackers are exploiting in this attack, computer users should patch their operating software and other programs on the desktops.

Bulk website compromises are not new, as during June 2009, Websense another security company identified the "Nine Ball" attack that compromised around 40,000 websites. ScanSafe detected a similar attack called "Gumblar in the beginning of this year."

Related article: Scansafe Claims that Malware Grew by 35% in April

» SPAMfighter News - 9/8/2009