A nest of poisoned Web sites has been quietly attacking unsuspecting visitors using an arsenal of thirteen different exploits. If a visitor has JavaScript enabled and is vulnerable to any of those exploits, their system is compromised almost immediately with a Trojan that many popular anti-virus packages do not yet recognise. Once it has taken root, the Trojan relays collected information such as credit card, bank account and login details back to its master. Most won’t be surprised by any of this. Living with the threat of worms, Trojans and bots is becoming an everyday thing to which everybody thinks they are immune. Unfortunately more of us are vulnerable than we think: your anti-virus definitions may well be up to date, but that doesn’t help if the vulnerability being used to take over your machine is as yet unknown. Apparently only three of the thirty-three top anti-virus products caught the Trojan being installed in this instance.
It seems the Web sites infected so far have not been compromised in themselves; rather, it’s the servers hosting them. Reading ScanSafe’s STAT blog, I was interested to see that there is some question as to how the hosting servers were being manipulated. The belief is that a kernel-based rootkit is used to keep the compromised systems open to the attackers after the initial infection. ScanSafe noted that a few hours after making configuration changes to one of the infected servers, those changes mysteriously reversed themselves.
The infected groups of servers are running various flavours of Linux, hosting many different versions of Apache, which makes it unlikely that the root vulnerability is in Apache. The servers are not all owned by one hosting company, so direct infection via physical interference is unlikely. One piece of software common to all of the infected hosts is cPanel; ScanSafe think this is significant, but not necessarily the root source of the compromise.
Reading through a hefty comments section on this subject over on The Register, I found the point of weakness is still a mystery. Some people are blaming out-of-date software and poor system administration, while others are pointing towards something more serious than a few easy-to-‘brute force’ passwords.
I’ll certainly be interested to find out how these servers were compromised. It could be no more than a case of a few hacked servers; on the other hand, if the root compromise was the result of an unknown vulnerability in multiple versions of PHP or Apache, then this could be the tip of an epidemic!