Websense: UN, UK sites compromised by JavaScript injection

Websense on Tuesday said that the UN and UK government sites are being attacked in a mass JavaScript injection attack.

According to Websense:

Websense Security Labs has been tracking a recent development of the malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related as our brief analysis below will explain. In the last few hours we have seen the number of compromised sites increase by a factor of ten.

This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com. The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.

Is it just me or are hack attacks against governments becoming the norm?

Topics: Software Development, Open Source, Security

Talkback

5 comments
  • No, It's not just you.

    I've been noticing this trend for a couple of months now. Unfortunately it's not only the .Gov sites that are getting hit. It appears however, that at least the .Gov sites are some of the few who are actively checking their site with some regularity. But many other sites have been compromised as well. I've found News sites to be particularly vulnerable, as, I would suppose, because of their popularity. Also (far too) many sites are only concentrating on getting their information out as quickly as possible. (including ads, as those ads bring in money) At least now we can see how this is happening, or at least one of the vectors. Thanks for the info. -d
    dawgit
  • Govt employing cheapest staff

    That'll be why
    fr0thy2
    • Another brilliant one...

      You just keep coming out with them!

      I suppose your limited knowledge of the IT world prevents you from noticing that most government sites are outsourced these days.

      If one has a close look at the price of some of these deals, they are by no means the cheapest, in fact, some of these arrangements are outright larceny.

      Try a trick -- before you open your mouth next time -- check some facts, THINK for at least 10 seconds before posting...
      Marty R. Milette
  • RE: Websense: UN, UK sites compromised by JavaScript injection

    It is not just the government sites that are being attacked. They are just the ones that are being reported because it adds to the sensationalism.

    The attack is the standard mass malicious javascript attack with 8 different payloads instead of the previous 12. The exploit uses a Google search to find unpatched servers to run against. It then injects code into varchar fields in the database to point to the Chinese payload site. Visitors to rendered webpages are then automatically executing the java code, connecting to the Chinese server and downloading the payload.

    The fact that government sites are being attacked does indicate to me that for all of the tax dollars being spent by governments on cyber-security, they can't fix a vulnerability that is 18 months old and their developers can't follow best practices for coding which have existed since 1996.
    Antimidas
  • RE: Websense: UN, UK sites compromised by JavaScript injection

    It seems that, in this form of attack, the web page becomes altered and the html file delivered to the browser has the inserted javascript included which the client browser then runs.

    Are any of the 'anti-virus' software packages able to detect and warn of the problem? I use AVG and it pre-scans the web page to warn of problems but I don't know if AVG can detect this particular problem.
    hthinrichs
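
A check a site operator could run for the pattern described in the post and comments above: script tags added to stored text fields that load from a host the site does not use. This is an added example, not code from Websense, ZDNet or any commenter; the host names, the table and column names and the allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def foreign_script_sources(markup, site_host, allowed_hosts=()):
    """Return script URLs in markup served from a host that is neither
    the site itself nor an explicitly allowed third party."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = ScriptSrcCollector()
    collector.feed(markup)
    collector.close()
    flagged = []
    for src in collector.sources:
        host = urlsplit(src).hostname  # None for relative (same-site) URLs
        if host is not None and host not in trusted:
            flagged.append(src)
    return flagged


def scan_rows(rows, site_host, allowed_hosts=()):
    """rows: (table, column, key, text) tuples read from text columns."""
    return [(table, column, key, src)
            for table, column, key, text in rows
            for src in foreign_script_sources(text or "", site_host, allowed_hosts)]


# Constructed sample rows; every host, table and column name is hypothetical.
SAMPLE_ROWS = [
    ("news", "headline", 1, "Council meeting moved to Thursday"),
    ("news", "headline", 2,
     "Budget report published<script src=http://payload-host.example/1.js></script>"),
    ("news", "body", 2,
     '<p>Full text.</p><script src="/js/site.js"></script>'
     '<script src="//stats.example.net/t.js"></script>'),
]
```

Calling scan_rows(SAMPLE_ROWS, "www.agency.example", ["stats.example.net"]) reports only the headline of row 2. The same foreign_script_sources function can be run over the HTML a page actually serves rather than over database text.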