Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

20,000 sites hit with drive-by attack code

By Ryan Naraine | June 1, 2009, 6:50am PDT

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks.

According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.

The company discovered that the active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com).

This is unrelated to the Gumblar attack, Websense said.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site has been seeded with several different attacks targeting unpatched software vulnerabilities. The malware that gets loaded on compromised Windows machines is linked to scareware/rogueware (fake security applications).
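As an added illustration (this is not code from the article or from Websense), here is a small Python scanner for the two signs of compromise the article describes on an injected page: a script or iframe whose host imitates google-analytics.com, and an inline script that decodes escaped bytes before running them. The sample page, the site name www.example.org, the allowlist of trusted hosts and the lookalike host googie-analytics.invalid are all constructed for the example; the article does not name the real exploit domain, so a placeholder on the reserved .invalid TLD stands in for it.

```python
"""Scan saved HTML for injected script/iframe tags pointing at lookalike
domains and for obfuscated inline JavaScript.  Added example; the sample
page and hosts below are constructed, not taken from the campaign."""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
TRUSTED_HOSTS = {"www.google-analytics.com", "google-analytics.com"}

# Crude obfuscation markers: a decoder/executor call plus many escaped bytes.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def lookalike_of(host, trusted=TRUSTED_HOSTS, threshold=0.8):
    """Return the trusted host that `host` imitates, or None.
    The last DNS label is dropped before comparing so a typo-squat
    registered under a different TLD still scores high (simple heuristic)."""
    if host in trusted:
        return None
    core = host.rsplit(".", 1)[0]
    best, best_ratio = None, 0.0
    for good in trusted:
        ratio = difflib.SequenceMatcher(None, core, good.rsplit(".", 1)[0]).ratio()
        if ratio > best_ratio:
            best, best_ratio = good, ratio
    return best if best_ratio >= threshold else None


def looks_obfuscated(js):
    """Flag inline script that decodes a long run of escaped bytes to run them."""
    return bool(DECODER_RE.search(js)) and len(ESCAPE_RE.findall(js)) >= 20


class _Collector(HTMLParser):
    """Collect remote script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []          # (tag, src) for <script src> and <iframe src>
        self.inline = []        # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.srcs.append((tag, attrs["src"]))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, site_host):
    """Return (kind, detail) findings for one page served by `site_host`."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for tag, src in parser.srcs:
        host = urlparse(src).hostname or site_host      # relative src -> own host
        if host == site_host or host in TRUSTED_HOSTS:
            continue
        target = lookalike_of(host)
        if target:
            findings.append(("lookalike-domain", f"<{tag} src> to {host} imitates {target}"))
        else:
            findings.append(("untrusted-remote", f"<{tag} src> to {host}"))
    for js in parser.inline:
        if looks_obfuscated(js):
            findings.append(("obfuscated-inline-script", js.strip()[:60]))
    return findings


# Constructed sample page: a benign analytics include, then an injected
# obfuscated block and a 1x1 iframe to the placeholder lookalike host.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<script src="https://www.google-analytics.com/ga.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%22%29'))</script>
<iframe src="http://googie-analytics.invalid/in.cgi" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "www.example.org"):
        print(kind, "->", detail)
```

Run over a mirror of the site's pages, the two finding kinds map directly onto the article's description: the lookalike host check catches the redirect target, and the escaped-byte heuristic catches the obfuscated loader even before it is decoded. Both thresholds are deliberately simple and should be tuned against the site's own legitimate scripts.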

Malware purveyors have increasingly turned to legitimate Web sites to launch attacks, using SQL injection techniques to compromise and hijack high-traffic sites.

According to data from MessageLabs, about 85 percent of Web sites blocked for hosting malicious content were ‘well-established’ domains that have been around for a year or more.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

RE: 20,000 sites hit with drive-by attack code
birumut Updated - 2nd May 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
0 Votes
+ -
So what are some of the sites?
elliemk@... 1st Jun 2009
Somewhere there should be a list (full or partial by popularity) of the sites that were hit, shouldn't there? It doesn't do a whole lot of good to just read "20,000 sites hit..." without knowing what they are!
0 Votes
+ -
Sites
Gloey 1st Jun 2009
I agree....what's the point of posting if the sites aren't included.
0 Votes
+ -
Enlightenment
MichP Updated - 1st Jun 2009
I would like to know, too, but they aren't listed at the source, either.

The article is something I can use to back me up. Early this year our web hosting service had been compromised somehow (I don't remember the details). The guy in charge of managing our web site (who is not a programmer and can only make minor updates) forwarded the message and reassured everyone that, since we don't process credit card information, we had nothing to worry about. Scary, huh?

I replied with some links about stuff just like this article. Next day, he got us all new, strong FTP passwords and had at least looked to see if any new files had shown up on our server.
0 Votes
+ -
So what are some of the sites?
radavid 1st Jun 2009
I totally agree, at least give some of the better known sites!
0 Votes
+ -
Yep
bill_stanley@... 1st Jun 2009
This doesn't sound like ZDNet at all. Not only does this scary topic fall short on data, it seems to be a total waste of human energy, a waste of space, and totally void of meaning.
0 Votes
+ -
I suddenly cannot connect to Amazon.com
jhand47201 1st Jun 2009
I don't know if Amazon was hit, but out of the blue last week I get a cannot connect error when I try to access Amazon.com either directly or through a link. Some other sites I have visited I notice a lack of functionality with clicking on buttons to perform actions. My PC is always on and another on my network isn't. That one still works and will connect. I also run NIS 2009 currently updated as well as a malware scanner. Nothing shows up in any type of scan.
0 Votes
+ -
are you using windows xp sp2 or sp3

I've had the same amazon problem using both ie7 and firefox browsers, but I've had the problems for 2 months..so I don't think there's a connection to this article

best solution to prove it's not malware is to try connecting to amazon with google chrome browser...worked for me when the others didn't and still don't

http://www.google.com/chrome/

I think my problem is related to zone alarm security suite/firewall etc...it crashes itself on ie7 and firefox, but not on google chrome...do you use zone alarm products?

it's fine to have multiple browsers as long as you only activate/use one at a time

if your problem turns out not to be fixed with google chrome browser, I would recommend scanning for malware with different software than you typically use...while it's true using more than one anti-viri product can cause problems itself, I've found two you can use "on demand"/NOT background...each turned up lots of malware zone alarm missed...safest way to use these is in safe mode:

1) malwarebyte's anti malware free edition from

http://www.malwarebytes.org/products.php

2) SUPERAntiSpyware free edition from

http://www.superantispyware.com/download.htm

both are excellent free editions that have great user reviews

good luck...it's rough living without amazon
0 Votes
+ -
amazon
dhays Updated - 3rd Jun 2009
I have no problems connecting here at work.
I haven't tried at home for a while. I use Comodo now, instead of Zone Alarm at home.
0 Votes
+ -
Do you use internet explorer or firefox browsers?
interested_amateur@... Updated - 3rd Jun 2009
To answer the title I've used FF since Jan. /05. I use IE only when I have to.

Try a different firewall. I've read that the home Zone Alarm isn't that great. Try this one: http://www.shorewall.net/

Shorewall is the default firewall for Mandriva. Why not just use Mandriva and get away from MS?
http://www2.mandriva.com/linux/one/

Interested Amateur


0 Votes
+ -
No problem here
The_Quietman 2nd Jun 2009
I use IE6 on Win 2000 and had no trouble ordering books on ubuntu last week (I also just installed ubuntu last week). In fact IE6 on Win 2000 works better than Firefox 3 on ubuntu, so I kept it as a dual boot, but I don't have a problem on most sites with Firefox either.
0 Votes
+ -
Perhaps...
Mihi Nomen Est 2nd Jun 2009
...it's because you're using the wrong browser.


wink

0 Votes
+ -
That's just Ryans writing
dennis.london@... 8th Jun 2009
ROFLMAO!!!!
0 Votes
+ -
They don't know
library assistant 1st Jun 2009
They are just reporting what they got from Websense. If you look at the link in the story - the first link (to securelabs.websense) shows a screen shot of some code injected. They don't list the sites either. Maybe this is being withheld because the sites probably cleaned up the mess and are no longer infected (or at least they should be), and avoiding them would only cause loss of revenue.

The time to tell us who they are is at the time of detection, but sometimes that's too late. "After the facts" don't help a whole lot to stop people from going there. Since hackers pride themselves for being "ahead of the pack" so to speak, once they've been found out and reported, they are already on to a new "game".
0 Votes
+ -
Definitely an HYPED up Post
0zcan 1st Jun 2009
Wasting precious time!

Well, where is the damn data. Expecting to find some data instead of your usual ****** tv news lines. This kind of low click collecting scheme puts me off, especially coming from ZDNET.

Non-technical people always produce hype beyond expectation. They are not aware that there are sites on the web that are totally insecure. It is logical that out of millions of sites 20,000 is really a piss in the ocean in terms of statistics of this kind.
0 Votes
+ -
Good question and where are they injecting the sql
0 Votes
+ -
This article is very poorly written. List the sites!
0 Votes
+ -
Reality check time...
DNSB 1st Jun 2009
Can you name anyone who is going to read through a list of 20K+ websites? You might also want to consider that by the time the article is published, quite a few of the infected sites will have been cleaned and other sites will have been infected.
0 Votes
+ -
Why read when you can scan
rfalck@... 1st Jun 2009
Obviously no one would read such a list! You just search it to see if the site(s) you care about are on it. You must be a newbie to technology - or you would have thought of that.

Rick
0 Votes
+ -
Yeah - scan an out of date list
Salty C 2nd Jun 2009
Why do you want a list even m/c readable scannable. It will get out of date with both sites that should be removed because cleaned and sites that should be added as recently corrupted. There are providers of regularly updated blacklists if you want them.

better, use real time scanners like explab linkscanner or BlackListDoctor.

... and who are you to call someone a newbie because of a reasonable comment - don't like your tone.
0 Votes
+ -
RE: 20,000 sites hit with drive-by attack code
theriginalgeekmom 1st Jun 2009
Not only do we need the sites, but we need to know how they are injecting it and what to look for. Is it a SQL injection? Comments? Is it based on WordPress or other types of blogs? How is it happening? Is it only Windows-based hosts with MSSQL (lol) or does it affect MySQL?
0 Votes
+ -
So, how does it work?
oyearian 1st Jun 2009
Indeed. My greatest concern is to establish whether we have been infected. We are most definitely "well established" by this definition.
They use web scanners to look for any Microsoft IIS website and then launch a Microsoft SQLserver attack on that network until they break in and insert their malicious code into the SQLserver.
I've seen these attacks on my firewall even though we don't run MS IIS and SQLserver, but they are very persistent, so if you don't patch MS IIS and SQL Server and practice good security standards you will be vulnerable to this type of attack. Recently I've seen fewer of them, so I think they stopped attacking randomly and started to search only for MS IIS and SQLserver systems and target them only.
0 Votes
+ -
Corrections
honeymonster Updated - 2nd Jun 2009
These attacks target PHP (typically run on Unix servers with MySQL as the database).

You may have seen attempts at injecting MS SQL at your site, but SQL injection attacks are by no means restricted to a single database type.

SQL injection vulnerabilities are application vulnerabilities, not database vulnerabilities.

If a SQL injection vuln exists in an application it really doesn't matter what the underlying database system is. It can typically be used for both information disclosure as well as data injection.

It also matters little whether you've patched the database - unless the SQL access allows the attacker to perform a blended attack and completely take over the server. Even so, it is always good style to run an up-to-date patched server.

Just realize that these rounds seem targeted against PHP, perhaps even something more specific like WordPress. So far there is no indication of either IIS or MS SQL.
0 Votes
+ -
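To make honeymonster's point concrete, here is an added example (not code from the thread or from any project named in it) that runs the same application bug against SQLite, which stands in for whichever engine sits behind the site: the query built by string formatting can be steered by its input, the parameterised one cannot, and nothing about the database has to change for the fix. The table, its rows and the crafted slug are constructed for the example.

```python
"""Added example: one SQL injection bug, two query styles, same engine.
SQLite stands in for MySQL or MS SQL because the flaw is in the application
code that assembles the query, not in the database."""
import sqlite3


def make_db():
    """Constructed blog table: one public post and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (slug, body, published) VALUES (?, ?, ?)",
        [("hello", "public post", 1), ("draft", "unpublished draft", 0)],
    )
    conn.commit()
    return conn


def get_post_vulnerable(conn, slug):
    """The application bug: request data is pasted into the SQL text, so the
    caller controls the query, not just the value being matched."""
    sql = f"SELECT slug, body FROM posts WHERE slug = '{slug}' AND published = 1"
    return conn.execute(sql).fetchall()


def get_post_safe(conn, slug):
    """The fix, also in the application: the value travels as a bound
    parameter and is never parsed as SQL, whatever engine is behind it."""
    sql = "SELECT slug, body FROM posts WHERE slug = ? AND published = 1"
    return conn.execute(sql, (slug,)).fetchall()


# Constructed input in the classic shape of an injected value: it closes the
# quoted literal, adds an always-true condition and comments out the rest,
# which is what turns a lookup of one published post into a dump of all rows.
CRAFTED_SLUG = "x' OR 1=1 --"


def compare(slug):
    """Row counts returned by the vulnerable and the safe version for one input."""
    conn = make_db()
    return len(get_post_vulnerable(conn, slug)), len(get_post_safe(conn, slug))


if __name__ == "__main__":
    print("normal slug 'hello':", compare("hello"))   # (1, 1)
    print("crafted slug:", compare(CRAFTED_SLUG))     # (2, 0)
```

The unpublished draft leaks through the vulnerable path and stays hidden behind the parameterised one; swapping SQLite for another driver changes only the placeholder syntax, which is exactly why patching the database server does not close this hole.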
What platform?
cfischer83@... 1st Jun 2009
Is there a common software used for each of these sites? Are they all wordpress, Joomla etc? Is it MySQL, SQL Server? I find it hard to believe that they would take the time to do 20,000 different hacks. There must be some common factor in each of these attacks.
0 Votes
+ -
PHP. See below. (nt)
honeymonster 1st Jun 2009
0 Votes
+ -
re
d.bharath 1st Jun 2009
The injection attack is mainly on domains using WordPress. In WordPress we need to provide 777 (normally hosting people tell you that 755 is enough, but it's not working) for the theme folder, so they insert through the browser theme editor. If you notice, all are with an iframe which directs you to .cn websites, which appear to host malware (software that can hurt your computer or otherwise operate without your consent). If we block the .cn domain then there won't be any problem.

You can check malware sites in the list below:

http://www.malwaredomains.com/
0 Votes
+ -
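An added example (not code from the thread) of the server-side check two commenters describe: it walks a web root and reports paths left world-writable, such as the chmod 777 theme folder mentioned just above, together with files that appeared or changed recently, which is what the admin in the earlier comment went looking for after resetting the FTP passwords. The WordPress-style directory tree is built in a temporary directory so the script runs offline; every path and mode in it is constructed for the example.

```python
"""Added example: audit a web root for world-writable paths and recently
modified files.  The sample tree is constructed in a temp dir."""
import os
import shutil
import stat
import tempfile
import time


def audit_webroot(root, changed_since):
    """Return sorted (issue, path-relative-to-root) pairs.  Issues are
    'world-writable' for any entry with the other-write bit set and
    'recently-modified' for a regular file whose mtime is >= changed_since."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)            # lstat: never follow symlinks out of the root
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= changed_since:
                findings.append(("recently-modified", rel))
    return sorted(findings)


def build_sample_root():
    """Constructed tree: the theme directory is chmod 777 and holds a file
    written just now; index.php is a week old and mode 644.  Modes are set
    explicitly so the result does not depend on the process umask."""
    root = tempfile.mkdtemp(prefix="webroot-")
    theme = os.path.join(root, "wp-content", "themes", "default")
    os.makedirs(theme)
    for d in (root, os.path.join(root, "wp-content"), os.path.join(root, "wp-content", "themes")):
        os.chmod(d, 0o755)
    os.chmod(theme, 0o777)                 # the "777 theme folder" from the thread

    fresh = os.path.join(theme, "footer.php")
    with open(fresh, "w") as f:
        f.write("<?php wp_footer(); ?>\n")
    os.chmod(fresh, 0o644)

    old = os.path.join(root, "index.php")
    with open(old, "w") as f:
        f.write("<?php require 'wp-blog-header.php';\n")
    os.chmod(old, 0o644)
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    return root


def run_demo():
    """Build the sample tree, audit it for changes in the last hour, clean up."""
    root = build_sample_root()
    try:
        return audit_webroot(root, changed_since=time.time() - 3600)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for issue, path in run_demo():
        print(f"{issue:18} {path}")
```

On a real server the cutoff would be the last known-good deploy time, and any hit under a directory the web server can write to deserves a look at its contents, since an editable theme folder is the foothold the comment describes.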
Great headline to catch our eye but a shame they do not give a list of the sites!
0 Votes
+ -
Who, What, When, Where, and How!
jgwinner 1st Jun 2009
Basic journalism ...
0 Votes
+ -
Um... check the links in the story
library assistant 1st Jun 2009
They are only reporting that it happened. Go to the first link in the story to get what little other details are available (a webshot of infected code). Websense doesn't list the sites either.
0 Votes
+ -
Web-no-sense
vikingnyc@... 1st Jun 2009
Websense is not the foremost authority on this issue AT ALL. My company uses a Websense system supposedly to prevent NSFW website access by staff on company computers. I've lost count of the number of times that POS system has blocked access to stuff I needed to read to do my job, or (hysterically) let me into sites that were definitely NSFW.
0 Votes
+ -
"A Huge explosion hit the downtown area, killing 300 people and injuring many more. The Head of State said that as a result, the Country was now 'AT WAR' with the Perpetrators. All citizens are advised to keep a look out for people with potential explosive devices. People who live within the 'Smug Zone' have not been affected by this outrage ..."

Great reporting. Great Alert - really useful Information.
0 Votes
+ -
So what is 20,000 X ^2?
be very very afraid
0 Votes
+ -
Warning: Content-free article
andy88488 1st Jun 2009
Wow, thank you for passing on virtually content-free links. I SO need ZDnet to add NOTHING at all to a story.
0 Votes
+ -
Turn it off
mswift@... 1st Jun 2009
So other than disabling Java (along with Quicktime and scripting) and/or turning off the internet, what should we do?
0 Votes
+ -
How about
honeymonster 1st Jun 2009
So other than disabling Java (along with Quicktime and scripting) and/or turning off the internet, what should we do?

Writing a complaint to the EU?
0 Votes
+ -
explab's linkscanner will warn when trying to access a site with obfuscated scripts that look like the exploits inserted in these attacked but otherwise innocent sites - I am sure that there are other similar scanners. Most up to date AV will also warn / block when affected sites are browsed.

The problem is for the server and site maintainers to detect and prevent attempts to corrupt their web sites. The servers need malware protection and tight permissions and the users need to protect ftp passwords and control panel passwords for example.

I don't care whose sites were affected, just tell me if it's ASP.NET, PHP, CFM, or what ... Websense does no service by posting javascript code without any analysis of how the exploit is performed and what we should look for!

1) Windoze user visits exploit site (in this case exploit site uses a name similar to the legitimate Google Analytics domain: google-analytics.com)

2) Windoze machine gets loaded with malware that links to scareware/rogueware (fake security applications).

3) Windoze user gets scammed once more.

The executed malware file has a very low AV detection rate.
0 Votes
+ -
Are you missing the point ?
Salty C 2nd Jun 2009
That is (one example of) what happens when joe public visits a compromised site.
The point is that innocent sites are being attacked and altered so that visitors are sent to what you call the exploit site by usually an iframe or redirected link on the attacked web page.
0 Votes
+ -
yeah focus on "windoze"
jqheller 3rd Jun 2009
Yeah the end result affects windows yet the primary route of infection is via PHP.

Funny how so few articles about Gumblar focus on that. If the SQL injection exploit was for ASP.NET or MsSQL that would be in all the article headlines.

For some reason PHP is getting a pass in all of this.

0 Votes
+ -
Good "head's up"
CaptnMorgan 1st Jun 2009
I'm actually relieved to see this message. As a web designer and web host who has been battling these attacks on sites of varying language (programming), content, age, and popularity, I'm glad to know I'm not alone, and that this is a bigger issue than I once thought.

Hopefully the community can come together to find a way to thwart off these attacks better, and to protect the site visitors.
0 Votes
+ -
Agree.
Salty C 2nd Jun 2009
I agree. Same situation here.
0 Votes
+ -
How can anyone still justify running Windows on the internet?

This is getting really bad.
0 Votes
+ -
You're an unhelpful clown
johnmckay 1st Jun 2009
Please go away and read some other stuff that interests you; and stop bothering the rest of us.

We're basically a happy lot that use a product that meets our overall objectives.

We don't claim to be gods or blessed with higher intelligence based on the purchase of another brand. Unlike some others.
It ended with the scorpion saying "I'm a scorpion. It's my nature."

Now, turn that around to gertruded. The answer is "I'm a troll. It's my nature."

See, you'll never see some of these people in non-Windows blogs, interacting with people who SHOULD be their peers. No. They get no satisfaction from that. They only get satisfaction from going into the blogs of products they don't have and toss around negativity. That's how they get their jollies. So, when you say "stop bothering the rest of us", rest assured, about the only answer they can give is "I'm a troll. It's my nature."
0 Votes
+ -
A Freudian Slip?
InAction Man 1st Jun 2009
blog about insecure software = blog about windoze
0 Votes
+ -
A frog will croak
Ole Man 1st Jun 2009
about his presumed superiority and popularity, every time.

Never fails!
0 Votes
+ -
Thank you!
MGP2 1st Jun 2009
I'm sure Infected Man and GertRUDEd probably don't recognize themselves in that statement. But we do.
0 Votes
+ -
Take off your Microsoft blinders.
kozmcrae 1st Jun 2009
The World looks very different. By the way MGP2, there's more than one of us. Should latch on to you too?
0 Votes
+ -
You're welcome!
Ole Man 1st Jun 2009
You need a mirror to view the culprit, but all croaks and guesses are welcome.
0 Votes
+ -