
Update on Trojans from multiple Web sites

Exploits that caused more than 10,000 Web sites to spew malware were orchestrated by a single gang.


An excerpt from PC World:

The latest problems show that the power of this particular hacking gang appears to be growing since it was identified early last year. At that time, Finjan said it found a number of Web servers that had been hacked in order to serve malicious code to visitors. The attackers used several methods to hide their tracks and infect a maximum number of PCs.

Because one of the compromised hosts was an online advertising company, the reach of the exploit was amplified, and it has led to malicious ad banners being served on legitimate sites.

Some key things to note about the exploit are:

  • The code is served only once to an IP
  • Serving legitimate content to known IPs, thus avoiding detection from search engine crawlers
  • The malicious JavaScript files are randomly generated and don't persist on a site

The attacks target several vulnerabilities to install malware on Web servers. The suggested mechanism to prevent infection is browser-based plug-ins. Services such as AVG's LinkScanner, McAfee's SiteAdvisor, and Finjan's SecureBrowser are recommended.
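The three evasion traits listed above (one serving per IP, clean content for known addresses and crawlers, throwaway script names) mean a site owner who checks their own page from the usual office address will see nothing wrong. A practical check is to fetch the same URL from several vantage points and compare which scripts each fetch contains. The script below is an added illustration, not code from the article or from any of the vendors it names; it works on HTML bodies supplied in memory (the sample fetches are constructed, not real captures), and the "random file name" heuristic is an assumption of this example.

```python
"""Compare several fetches of the same page and flag <script> references that
appear only in some of them -- the signature of an injection that is served
once per IP and hidden from repeat visitors and crawlers."""
import math
import re
from collections import Counter
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects ("src", url) for external scripts and ("inline", body) for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def extract_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def shannon_entropy(text):
    """Bits per character; machine-generated names score higher than English words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_random(src):
    """Heuristic (an assumption of this example, not a rule from the article):
    a script file name of 8+ characters that mixes digits with letters and has
    high entropy is treated as randomly generated."""
    name = src.split("?", 1)[0].rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return (len(name) >= 8
            and re.search(r"\d", name) is not None
            and re.search(r"[a-zA-Z]", name) is not None
            and shannon_entropy(name) >= 3.0)


def transient_scripts(responses):
    """responses: HTML bodies of the same URL fetched from different vantage
    points (fresh IP, repeat visit, crawler user agent). Returns the scripts
    that are NOT present in every fetch, i.e. those served selectively."""
    seen = [set(extract_scripts(body)) for body in responses]
    common = set.intersection(*seen)
    union = set.union(*seen)
    return sorted(union - common)


def report(responses):
    """One finding per transient script, with how many fetches contained it."""
    seen = [set(extract_scripts(body)) for body in responses]
    findings = []
    for kind, value in transient_scripts(responses):
        findings.append({
            "kind": kind,
            "value": value,
            "seen_in": sum(1 for s in seen if (kind, value) in s),
            "random_name": kind == "src" and looks_random(value),
        })
    return findings


# Constructed sample fetches (not real captures): the first request from a
# fresh address gets an extra script; the repeat visit and the crawler do not.
BASE = ('<html><head><script src="/js/jquery.min.js"></script></head>'
        '<body><p>Welcome</p>{extra}</body></html>')
FIRST_VISIT = BASE.format(extra='<script src="/js/k8f2q9xz1.js"></script>')
REPEAT_VISIT = BASE.format(extra="")
CRAWLER_VIEW = BASE.format(extra="")
SAMPLE = [FIRST_VISIT, REPEAT_VISIT, CRAWLER_VIEW]

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

In practice the three bodies would come from a fresh address (for example a residential connection or a cloud instance never used before), from the address that normally administers the site, and from a request carrying a search-engine user agent; a script that is present only in the first body is exactly the kind of injection the article describes, and a high-entropy file name strengthens the finding.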

References:

Mom & Pop Sites Hit Hard by Host Compromise (ScanSafe)

6 comments
jdclyde

Why you don't run JavaScripts. They open up your system even though you have gone to the trouble of getting third party software to keep your MS product running (AV/malware scanners). ActiveX and JavaScripts are known weaknesses to your system. Why do businesses STILL allow them to be enabled?

brian.mills

The web-based systems I use in order to completely do my job use ActiveX, so I have to leave it enabled in my web browser just to do my job. I think corporate IT might have the settings locked down so I can't change them, too. Just like my screensaver. I want my 3d pipes, not the Windoze XP logo!

Dr Dij

Leave it for the internet? You may be able to leave it enabled simply for your local zone. Unless you work at home and don't VPN in, etc. And if Firefox works, the add-in 'NoScript' can selectively allow/disallow scripts by site. Don't know if there's a version for IE.

Jaqui

Just don't use Windows and you don't have to worry about it.

Dr Dij

They'll turn to their weblogs and see you, Jaqui, accessing their website and figure out a way to infect your system. As I recall, one of the first internet worms used a flaw in Unix systems. They already found some bugs for Apples, and QuickTime.

Neon Samurai

I'm 90% sure this is what took down a client of mine for most of the week. Publishing means Adobe, which forces Windows. The scary thing is that the client is convinced the infection came in through SourceForge. I hate the idea of SourceForge being one of the affected websites, but I can see how the banners could be exploited closer to the ad company. Has there been a website list posted regarding this issue yet?