Hostile JavaScript Contaminating Different Websites

A large number of unrelated websites carry malicious scripts that can infect computers when the sites are opened in a browser. The malware attempts to exploit known flaws in Windows to download and install keylogger and backdoor trojans on the system, according to warnings from security experts.

The warning follows the infection of the Dolphin Stadium website with a JavaScript-enabled Trojan that has keylogging features. The site, belonging to the venue that is to host the Super Bowl, is heavily visited. The Trojan on the site exploited two Microsoft vulnerabilities that had been patched previously.

Marcus Sachs, director of the SANS Internet Storm Center, posted a list of nearly 50 sites that contain the malicious script on a blog on February 4, 2007.

Sachs wrote that on February 2, 2007, his organization reported that the Dolphin Stadium website had been corrupted with a script link to malware that took advantage of two vulnerabilities in Windows for which Microsoft had issued patches. While researching this malware, they discovered that many other sites had similar infections. He invited system administrators to check their network logs for traffic to those sites and also to any of the other five sites that hosted the corrupt JavaScript.

Sachs compiled a list of domains that facilitated the site compromises and were connected to the same attack. Many of the domains host sites on medical care. While many of them have been cleaned and some even withdrawn, Sachs and his associates think the attack could still be active somewhere.

At least 50 websites fell victim to the attack. However, all those sophisticated sites were rectified and restored, and they no longer exposed visitors to risk, said Johannes Ullrich, chief research officer of SANS ISC.

SANS ISC is investigating what enabled the compromise of so many websites. The organization is working to find out whether an unpatched version of Microsoft's Internet Information Server (IIS) software was running on each of the sites, enabling their compromise. Ullrich said there could be other factors as well, such as a common content management system installed on the servers.

» SPAMfighter News - 13-02-2007
