Hundreds of sites hit with dynamic malware

Summary: Around 230 UK-based Web sites have been hit by a new form of malware that is being delivered dynamically, security vendor ScanSafe says.

The malware being delivered ranges from backdoor trojans to rootkits, said ScanSafe researcher Mary Landesman.

The companies hosting the sites are being hit with dynamic modules of JavaScript that are proving very difficult to get rid of, according to Landesman.

"Even though the hosts are working diligently, their systems are being recompromised repeatedly," Landesman told ZDNet Australia sister site ZDNet.co.uk last week. "This is not just a matter of wipe and restore. The attack is extremely sophisticated."

The complexity lies in discovering how the hosting companies are being infected and reinfected, said Landesman, who declined to name the companies involved. ScanSafe is in the process of investigating the infection process, with security researchers from SecureWorks.

"The million-dollar question is how the [JavaScript] modules are getting onto the host server," said Landesman. "It's that initial entry we're still trying to figure out."

The researchers initially suspected reinfection to be the result of a rootkit-enabled Loadable Kernel Module planted on the host servers. However, Landesman said this is now looking less likely, as a number of the hosts rebuilt their Apache kernels, and suffered reinfection.

"There could be some underlying compromise, but a rootkit on the server is seeming less likely," said Landesman. "There could be a rootkit or backdoor on a managing workstation in the host."

Not only are the hosts being mysteriously reinfected, but the malware delivery process is itself dynamic, making detection via antivirus signatures difficult, said ScanSafe. When a user visits an infected site with JavaScript enabled on their browser, they are infected by JavaScript files with randomly assigned five-character names.

"Once they are in the door, the attackers are leveraging the promiscuous behaviour of modules on Apache servers to accept and run scripts -- they're responsible for controlling the impact of malware we're seeing on the Web sites," said Landesman. "The scripts are randomly generated."

The JavaScript files can infect users with up to a dozen exploits, including an Apple QuickTime Real-Time Streaming Protocol vulnerability, an older Microsoft Data Access Components vulnerability, as well as sophisticated trojans and rootkits, according to a post on the ScanSafe blog.

The randomly named and dynamically created JavaScript references and files are also randomly delivered, said ScanSafe. That delivery is not based on whether malware has been delivered to that user before; it will deliver the script to the same IP address multiple times.

Another piece of the puzzle is the high amount of traffic to infected sites, which ScanSafe describes as "unexpectedly high".

While 230 predominantly UK sites are known to be infected, exact numbers of infected sites and hosts are difficult to gauge, said Landesman.

Compromised sites in the past have predominantly had static iframe code pointing to malicious sites, served by a host. This makes it relatively easy to detect which hosts are infected, said ScanSafe, as a search on the contents of the HTML iframe results in a list of infected sites. However, in this attack the referenced JavaScript doesn't "exist" until the user accesses the page, and it doesn't persist on the site.

"We don't know how many hosts are infected," said Landesman. "An admin perusing the site looking for these rogue JavaScript files [on a host server] would not find any visible signs."
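The detection gap described above, as an added example that is not from the article or from ScanSafe: a defender compares the script and iframe references in the page as actually served to a visitor against the same page as stored on the host, and flags references that are absent from disk, especially ones with the five-character random names the article describes. The HTML samples and the 203.0.113.7 address are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the page as it sits on the host's disk (clean) versus
# the same page as a visitor's browser receives it (one injected reference).
ON_DISK_HTML = """<html><head><title>Shop</title>
<script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

SERVED_HTML = """<html><head><title>Shop</title>
<script src="/js/menu.js"></script>
<script src="http://203.0.113.7/qx7tz.js"></script></head>
<body><h1>Welcome</h1></body></html>"""


class _RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append(value)


def external_refs(html):
    """Return script/iframe src values in document order."""
    parser = _RefCollector()
    parser.feed(html)
    return parser.refs


# A bare five-character lowercase/digit filename ending in .js, matching the
# randomly named scripts the article describes (heuristic, not a signature).
RANDOM_JS_NAME = re.compile(r"/([a-z0-9]{5})\.js$")


def injected_refs(on_disk_html, served_html):
    """References present in the served page but absent from the on-disk copy."""
    baseline = set(external_refs(on_disk_html))
    return [r for r in external_refs(served_html) if r not in baseline]


def suspicious_refs(refs):
    """Subset of references whose filename fits the random five-character pattern."""
    return [r for r in refs if RANDOM_JS_NAME.search(r)]
```

Because the injected reference only appears in the served response, the comparison has to be made against what the web server emits, not against a directory listing on the host.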

ScanSafe advised concerned businesses to inform users of the attack, and said that one possible workaround was to encourage users to disable JavaScript in Web browsers, even though this would severely limit Web functionality.

Another alternative is for users to scan search results using free tools such as ScanSafe's Scandoo beta, the company said.

Topics: Malware, Browser, Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

  • iframe attacks infosaic

    All 3 hosting accounts I use said the same things...it's impossible for a Linux server to be infected. It's just too rare and never happens.

    Type these 3 words into Google: iframe attcks infosaic ...then go to the 247 malware forum and you can see how many iframe and PHP attacks there were using JavaScript - then you'll know what the code looks like.

    They are gone now but it took over 2 months to get rid of them.
    anonymous