20,000 sites hit with drive-by attack code


Summary: Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks. According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.

TOPICS: Security, Malware

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks.

According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.

The company discovered that the active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com).
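The two artifacts Websense describes, an obfuscated inline script and a script include from a host that imitates google-analytics.com, are exactly what a site owner can check their own served pages for. The scanner below is an added example written for this page, not Websense's or ZDNet's tooling: it pulls every script element out of a document, flags inline scripts carrying two or more obfuscation markers (eval, unescape, long percent-encoded or \x runs), and flags external includes whose host name contains or is within a few edits of the google-analytics label without being the real domain. The sample page, the lookalike host (given a .invalid suffix to mark it as made up), the marker list and the edit-distance threshold are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The legitimate analytics hosts named in the article; anything that merely resembles them is suspect.
TRUSTED_HOSTS = {"google-analytics.com", "www.google-analytics.com"}
BRAND_LABEL = "google-analytics"
LOOKALIKE_DISTANCE = 3   # assumption: max edits for a label to still count as a lookalike

# Heuristic markers of obfuscated loaders (assumption: a tuning choice, not a vendor signature).
OBFUSCATION_MARKERS = (
    re.compile(r"\beval\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),    # long percent-encoded run
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),  # long \x escape run
)
MIN_MARKERS = 2


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True if host imitates the trusted domain without being it."""
    host = host.lower().rstrip(".")
    if not host or host in TRUSTED_HOSTS:
        return False
    target = BRAND_LABEL.replace("-", "")
    for label in host.split("."):
        if BRAND_LABEL in label:
            return True
        if edit_distance(label.replace("-", ""), target) <= LOOKALIKE_DISTANCE:
            return True
    return False


def scan_html(page):
    """Return (kind, detail) findings for lookalike includes and obfuscated inline scripts."""
    collector = ScriptCollector()
    collector.feed(page)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or ""
        if is_lookalike(host):
            findings.append(("lookalike-host", host))
    for body in collector.inline:
        hits = sum(1 for marker in OBFUSCATION_MARKERS if marker.search(body))
        if hits >= MIN_MARKERS:
            findings.append(("obfuscated-inline", body.strip()[:60]))
    return findings


# Constructed sample page: one legitimate analytics include, one harmless inline script,
# one injected obfuscated loader, and one include from a lookalike host (.invalid = made up).
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="http://www.google-analytics.com/ga.js"></script>
<script>var page = 'home';</script>
</head><body><p>Welcome</p>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
<script src="http://google-analytics-example.invalid/urchin.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run against the sample it reports one lookalike host and one obfuscated inline script while leaving the genuine analytics include and the plain inline script alone. The marker threshold is deliberately two rather than one, because a single eval or unescape is common in legitimate minified code; in practice the trusted-host set should be the site's own allowlist of third-party script origins.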

This is unrelated to the Gumblar attack, Websense said.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site has been seeded with several different attacks targeting unpatched software vulnerabilities. The malware that gets loaded on compromised Windows machines is linked to scareware/rogueware (fake security applications).

Malware purveyors have increasingly turned to legitimate Web sites to launch attacks, using SQL injection techniques to compromise and hijack high-traffic sites.
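The application-side fix for the injection vector named here is the same regardless of which database or CMS is behind the site: never splice user input into SQL text, and escape stored text on output so that a planted script tag renders as text instead of executing. The example below is added for this page (it is not from the article, Websense, or any particular CMS); it uses an in-memory SQLite database and constructed inputs, and the lookalike host in the sample body is made up.

```python
import html
import sqlite3


def open_db():
    """In-memory comments table standing in for a site's content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_comment_vulnerable(conn, author, body):
    # The pattern mass-injection campaigns abuse: input becomes part of the SQL grammar,
    # so a single quote in the data changes the statement instead of being stored.
    sql = "INSERT INTO comments (author, body) VALUES ('" + author + "', '" + body + "')"
    conn.execute(sql)


def store_comment_safe(conn, author, body):
    # Parameters are bound by the driver; the text is always data, never SQL.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def render_comments(conn):
    # Escape on output so anything stored, including markup, is shown rather than run.
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    return "\n".join(f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows)


def demo():
    """Returns (concatenated query broke, rows stored safely, rendered HTML)."""
    conn = open_db()
    # Constructed inputs: an ordinary apostrophe, and a body shaped like an injected include.
    author = "O'Brien"
    body = '<script src="http://lookalike-analytics.invalid/x.js"></script>'
    try:
        store_comment_vulnerable(conn, author, body)
        broke = False
    except sqlite3.OperationalError:
        broke = True  # the apostrophe terminated the literal: the data rewrote the query
    store_comment_safe(conn, author, body)
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return broke, count, render_comments(conn)


if __name__ == "__main__":
    broke, count, page = demo()
    print("concatenated query failed on a plain apostrophe:", broke)
    print("rows stored via parameterized query:", count)
    print(page)
```

The apostrophe is the point: an ordinary name is enough to show that the concatenated version hands control of the SQL to whoever supplies the input, while the parameterized version stores it unchanged. The output escaping is a second, independent layer; it is what keeps a script tag that reaches the database through any other path (a stolen FTP password, as one commenter below describes) from running in visitors' browsers when the page is rendered from that data.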

According to data from MessageLabs, about 85 percent of Web sites blocked for hosting malicious content were 'well-established' domains that have been around for a year or more.



Talkback

72 comments
  • So what are some of the sites?

    Somewhere there should be a list (full or partial by popularity) of the sites that were hit, shouldn't there? It doesn't do a whole lot of good to just read "20,000 sites hit..." without knowing what they are!
    elliemk@...
    • Sites

      I agree....what's the point of posting if the sites aren't included.
      Gloey
      • Enlightenment

        I would like to know, too, but they aren't listed at the source, either.

        The article is something I can use to back me up. Early this year our web hosting service had been compromised somehow (I don't remember the details). The guy in charge of managing our web site (who is not a programmer and can only make minor updates) forwarded the message and reassured everyone that, since we don't process credit card information, we had nothing to worry about. Scary, huh?

        I replied with some links about stuff just like this article. Next day, he got us all new, strong FTP passwords and had at least looked to see if any new files had shown up on our server.
        MichP
    • So what are some of the sites?

      I totally agree, at least give some of the better known sites!
      radavid
      • Yep

        This doesn't sound like ZDNet at all. Not only does this scary topic fall short on data, it seems to be a total waste of human energy, a waste of space, and totally void of meaning.
        bill_stanley@...
        • I suddenly cannot connect to Amazon.com

          I don't know if Amazon was hit, but out of the blue last week I get a cannot connect error when I try to access Amazon.com either directly or through a link. Some other sites I have visited I notice a lack of functionality with clicking on buttons to perform actions. My PC is always on and another on my network isn't. That one still works and will connect. I also run NIS 2009 currently updated as well as a malware scanner. Nothing shows up in any type of scan.
          jhand47201
          • do you use internet explorer or firefox browsers?

            are you using windows xp sp2 or sp3

            i've had the same amazon problem using both ie7
            and firefox browsers, but i've had the problems
            for 2 months..so i don't think there's a
            connection to this article

            best solution to prove it's not malware is to
            try connecting to amazon with google chrome
            browser...worked for me when the others didn't
            and still don't

            http://www.google.com/chrome/

            i think my problem is related to zone alarm
            security suite/firewall etc...it crashes itself
            on ie7 and firefox, but not on google
            chrome...do you use zone alarm products?

            it's fine to have multiple browsers as long as
            you only activate/use one at a time

            if your problem turns out not to be fixed with
            google chrome browser, i would recommend
            scanning for malware with different software
            than you typically use...while it's true using
            more than one anti-viri product can cause
            problems itself, i've found two you can use "on
            demand"/NOT background...each turned up lots of
            malware zone alarm missed...safest way to use
            these is in safe mode:

            1) malwarebyte's anti malware free edition
            from

            http://www.malwarebytes.org/products.php

            2) SUPERAntiSpyware free edition from

            http://www.superantispyware.com/download.htm

            both are excellent free editions that have great
            user reviews

            good luck...it's rough living without amazon
            rroberto18
          • amazon

            I have no problems connecting here at work.
            I haven't tried at home for a while. I use Comodo now, instead of Zone Alarm at home.
            dhays
          • Do you use internet explorer or firefox browsers?

            To answer the title I've used FF since Jan. /05. I use IE only when I have to.

            Try a different firewall. I've read that the home Zone Alarm isn't that great. Try this one: http://www.shorewall.net/

            Shorewall is the default firewall for Mandriva. Why not just use Mandriva and get away from MS.?
            http://www2.mandriva.com/linux/one/

            Interested Amateur
            interested_amateur@...
          • No problem here

            I use IE6 on Win 2000 and had no trouble ordering books on ubuntu last week (I also just installed ubuntu last week). In fact IE6 on Win 2000 works better than Firefox 3 on ubuntu, so I kept it as a dualboot, but I don't have a problem on most sites with the Firefox either.
            The_Quietman
          • Perhaps...

            ...it's because you're using the wrong browser.


            ;)

            Mihi Nomen Est
        • That's just Ryan's writing

          ROFLMAO!!!!
          dennis.london@...
    • They don't know

      They are just reporting what they got from Websense. If you look at the link in the story - the first link (to securelabs.websense) shows a screen shot of some code injected. They don't list the sites either. Maybe this is being withheld because the sites probably cleaned up the mess and are no longer infected (or at least they should be), and avoiding them would only cause loss of revenue.

      The time to tell us who they are is at the time of detection, but sometimes that's too late. "After the facts" don't help a whole lot to stop people from going there. Since hackers pride themselves for being "ahead of the pack" so to speak, once they've been found out and reported, they are already on to a new "game".
      library assistant
    • Definitely a HYPED up Post

      Wasting precious time!

      Well, where is the damn data. Expecting to find some data instead of your usual shitty tv news lines. This kind of low click collecting scheme puts me off, especially coming from ZDNET.

      Non-technical people always produce hype beyond expectation. They are not aware that there are sites on the web that are totally insecure. It is logical that out of millions of sites 20,000 is really a piss in the ocean in terms of statistics of this kind.
      0zcan
  • RE: 20,000 sites hit with drive-by attack code

    Good question and where are they injecting the sql
    litewerx
  • RE: 20,000 sites hit with drive-by attack code

    This article is very poorly written. List the sites!
    lboyer4@...
    • Reality check time...

      Can you name anyone who is going to read through a list of 20K+ websites? You might also want to consider that by the time the article is published, quite a few of the infected sites will have been cleaned and other sites will have been infected.
      DNSB
      • Why read when you can scan

        Obviously no one would read such a list! You just search it to see if the site(s) you care about are on it. You must be a newbie to technology - or you would have thought of that.

        Rick
        rfalck@...
        • Yeah - scan an out of date list

          Why do you want a list, even m/c readable scannable? It will get out of date with both sites that should be removed because cleaned and sites that should be added as recently corrupted. There are providers of regularly updated blacklists if you want them.

          Better, use real time scanners like explab linkscanner or BlackListDoctor.

          ... and who are you to call someone a newbie because of a reasonable comment - don't like your tone.
          Salty C
  • RE: 20,000 sites hit with drive-by attack code

    not only do we need the sites, but we need to know how they are injecting it and what to look for. is it a sql injection? comments? is it based on wordpress or other types of blogs? how is it happening? is it only windows based hosts with mssql (lol) or does it affect mysql?
    theriginalgeekmom