10,000-website Strong Malware Maze Created by Criminals
Stony Stevenson passed us an ITnews article about the newest scam in online crime. Some 10,000 web pages have been rigged by IT-minded criminals, with the aim of hijacking unsuspecting PCs. The site reports that the users are redirected through a maze of malware, all with the goal of gaining access to personal user information. "The reprogrammed web pages are probably victims of an automated attack that included scanning the internet for unsecured servers and planting a piece of JavaScript code that redirects to a site in China to serve up the malware. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC. A back door also allows the subsequent installation of additional malicious programs. McAfee Avert Labs first spotted the attack on 12 March. 'Of the 10,000 pages that were compromised a number have already been cleaned up,' the firm stated."
It's over 9000!
It's a trap!
Absolute power corrupts absolutely. indymedia
Maybe not today, but tomorrow?
Seriously, it's time to seriously sandbox web browsers and have "no extensions" by default with overrides on a per-page, per-session basis allowed.
In addition to sandboxing, browsers should ship with NoScript or equivalent functionality built-in.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
...then we wouldn't be having these problems.
Absolute power corrupts absolutely. indymedia
...how do we check our sites to ensure that this code has not been planted? The article gives no clue at all. It doesn't even identify if it is platform- or technology-specific, etc. Just that someone else has set up a huge botnet.
Even sysadmins and webmasters that use best practices and diligently patch, etc. can be gotten because there are always undisclosed holes that are utilized. In fact, were I in that game and I figured out something to defeat security, I would keep it under my ragged black hat and never share that info.
Isn't it about time to just isolate china for all this activity? Can't we just start banning whole ranges of IP addresses the way ISP's do?
"Often you hear warnings about not going to untrusted sites," said Craig Schmugar, threat researcher at McAfee Avert Labs... "That is good advice, but it is not enough. Even sites you know and trust can become compromised."
In the old days it was easy to avoid malicious sites. Now even your neighbor could be the terrorist... err..I mean.. even sites you know and trust can become compromised.
At least this threat researcher offered a calm analysis with plenty of advice about how to avoid such attacks without recoiling from the web in fear.
MUST BUY MCAFEE...
of the server that is owned and run by the criminals. Isn't this what Tactical Nuclear Weapons were designed for?
You are likely to be eaten by a script kiddie.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
What number? One? two? 17? 8000?
Give me Classic Slashdot or give me death!
You can just have anything that tries these IP addresses go to a blackhole.
Why not just disallow redirection and loading of off-domain/off-host data from scripts?
Disabling scripts entirely disables dangerous behavior, sure... But it also disables lots of desirable functionality that most people want.
10,000 pages != 10,000 sites. ...unless the sites each only have one page.
The article doesn't make it clear. This is a vulnerability in Windows, or in IE?
It can be go tiem now plees?
From now on, whenever someone posts something they claim is 'obligatory,' we should point out, "You keep using that word. I do not think it means what you think it means." Dueling memes, what fun!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
It reminds me of that Eddie Izzard bit in "Dress To Kill" where he talks about how we as a society abhor serial killers but when we start to get even into the hundreds or thousands or millions we're like, "well done!" that's impressive! In an odd morbid sort of way... I mean, you hear about worms and crap like that or the oddball who hacked A system... but to create a "maze" of over 10k sites?? Well, uh... impressive!
At least, it's news to me.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
First, people figured out that in order to hijack people's PCs for "bot net" purposes, they could try to trick them into installing a program that would slip it in, along with the desired program being loaded. But along came all the "spyware cleaner" packages, that could identify and remove the malware, leaving the originally desired software installed and running.
... the "evil doers" had to escalate things further.
So the next trick was to try to make removal difficult or impossible by infecting a PC with a "downloader virus". That way, the virus itself would try to avoid detection, but silently download and install spyware from various sites around the world. The user might figure out he/she was infected with the spyware and try to clean it with a remover, but it would keep coming right back, as the original virus kept re-downloading the stuff.
This led to popular anti-virus packages starting to blur the lines between spyware and virii (in cases where the company in question didn't have a specific anti-spyware product ready to sell you). They'd just attempt to clean ALL of the stuff up. Others wanted you to run 2 distinct programs together to protect against both types of threats. In any case, all of this confused a lot of people -- but also made them catch on that a lot of this stuff appeared to be impossible to clean ONLY because of that "downloader trojan horse" trick.
After they started "wising up" and unplugged their Inet connections while doing all the virus and spyware removal
The current ploy of injecting the stuff from normally benign web sites is pretty much the "next logical step" for them. Doesn't surprise me a bit. I think we'll continue to see more and more of this, too. After all, this attack has several vectors. DNS server entries could be spoofed, redirecting people to fake sites. Web servers with security flaws could be compromised, and modified code loaded directly onto them. Or maybe, legitimate sites will unwittingly host infected ad banners down their pages, paid for by "advertisers" with motives other than really caring if you view the ad's visible content?
I discovered my site had a directory and just under 2500 pages added to it. The directory and file dates are January 9th 08 and every one of the html files has the same script code in it. My research turned up indication of two mass site hacks in January.
A google search for threeseas.net/blogger/log/cache/ (cache being the directory that contained the files [past tense]) shows up about 4500 sites pointing to one of the files in that directory. Some of the findings are even sourceforge sites and you can tell they have been hacked as well. In other words there are a lot of hacked sites besides mine.
I notified google this morning and my host has already removed the files from my site as the owner and group were set so that I couldn't do this myself.
Anyways, rather than posting the code, a checksum of the code, starting with the word "function" to the end of the code, would be better.
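The two questions raised in this thread, how to check your own site for planted script and how to fingerprint the injected code by checksum rather than pasting it, can be answered with one scan. The script below is an added example, not code from the article, from McAfee, or from the commenter above; it walks a web root, pulls every inline `<script>` body out of the HTML files, hashes the body from its first `function` keyword onward (as the comment suggests), and reports any hash shared by many files, since a legitimate page-specific script rarely appears byte-for-byte identical across thousands of pages. The sample site it builds in a temporary directory is constructed for the demonstration, and the redirect URL in it is a placeholder, not a real indicator.

```python
"""Find identical inline <script> blocks repeated across many HTML files (added example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches inline script bodies; tags with only a src= attribute have an empty body and are skipped.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def extract_scripts(html: str) -> list:
    """Return the non-empty bodies of all inline <script> blocks in one document."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html) if m.group(1).strip()]


def script_digest(body: str) -> str:
    """SHA-256 of the script body from its first 'function' keyword to the end, whitespace-normalised.

    Starting at 'function' drops any leading comment or copyright banner, and collapsing
    whitespace means a re-indented copy of the same payload still produces the same digest.
    """
    start = body.find("function")
    trimmed = body[start:] if start >= 0 else body
    normalised = " ".join(trimmed.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def scan_tree(root: str, extensions=(".html", ".htm", ".php")) -> dict:
    """Map each script digest to the sorted list of files that contain that exact script."""
    index = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    html = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            for body in extract_scripts(html):
                index[script_digest(body)].add(path)
    return {digest: sorted(paths) for digest, paths in index.items()}


def suspicious_clusters(index: dict, min_files: int = 3) -> list:
    """Digests shared by at least min_files files, most widespread first."""
    clusters = [(digest, paths) for digest, paths in index.items() if len(paths) >= min_files]
    clusters.sort(key=lambda item: len(item[1]), reverse=True)
    return clusters


# Constructed fixtures: a placeholder redirect payload and one ordinary page script.
INJECTED = ('<script type="text/javascript">function r(){'
            'window.location="http://example.invalid/x";}r();</script>')  # placeholder, not a real IoC
LEGIT = "<script>document.getElementById('y').textContent = new Date().getFullYear();</script>"


def build_sample_tree(root: str, copies: int = 5) -> None:
    """Write a constructed mini site: one clean page plus `copies` pages carrying the same injected script."""
    os.makedirs(os.path.join(root, "cache"), exist_ok=True)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>home" + LEGIT + "</body></html>")
    for i in range(copies):
        with open(os.path.join(root, "cache", f"page{i}.html"), "w", encoding="utf-8") as fh:
            fh.write(f"<html><body>spam {i}\n  {INJECTED}\n</body></html>")


def demo() -> list:
    """Build the constructed site in a temp dir and return the clusters the scan finds."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return suspicious_clusters(scan_tree(root))


if __name__ == "__main__":
    for digest, paths in demo():
        print(f"{digest[:16]}  appears in {len(paths)} files, e.g. {paths[0]}")
```

On a real web root, run `scan_tree` against the document root and compare the top digests with what the hosting provider or a search for the cache directory turns up; the digest is what you publish or compare with others, so the payload itself never needs to be pasted into a public comment.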
What are you trying to highlight in the word patriot? If it's the word 'riot,' I suggest that you stop capitalizing the initial P, because it just comes out as PRIOT, which isn't... you know... anything.
Just a heads up, there, Dingus.
It makes you wonder what the next logical step after this one is, doesn't it?
Personally, I suspect that we will start seeing DNS cache and Route poisoning attempts become much more commonplace. Particularly after the whole "YouTube gets 'knocked offline' because of an improper route broadcast by a piss-ant totalitarian country" issue we had in recent weeks.
I would bet good money that there were criminals rubbing their hands together with glee over the idea of dumping MILLIONS of users to a malware server simultaneously. Or using that type of exploit as a blackmail tool.
What do you think the next logical step is?
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
McAfee Avert Labs described the assault as "one of the largest attacks to date of this kind".
The attack serves as a reminder that even trusted websites can be malicious, McAfee warned.
"Often you hear warnings about not going to untrusted sites," said Craig Schmugar, threat researcher at McAfee Avert Labs. "That is good advice, but it is not enough."
McAfee Avert Labs first spotted the attack on 12 March.
I wonder who can sell us some sort of software to guide us out of this maze of evil webpages?
series of twisted, tangled, and altogether screwed up tubes
Those of us who think they know everything annoy those of us who do.
Then it would be like 911 times a thousand!
That's right. 911,000!
Appended to the end of comments you post. 120 chars.
You're doing it wrong; the internet is for porn.
http://www.xkcd.com/354/
Oh...wait.
Nevermind.
Good luck, lads.
These stories are free but worth money.
Would someone please identify the person(s) who are trying to make 'meme' another buzzword?
I would appreciate their email addy if you can manage that as well.
I've had to put up with 'Absolutely' in the 90's and now 'meme' for the next decade, as well as iAddyourwordhere.... for just too long.
Don't be apathetic. Procrastinate!
Hey,
:).
I've noticed through some search terms found on Google Trends that there are bunches of apparently fake "blogs" on blogspot. Here's an example:
http://forniagill.blogspot.com/2008/03/what-time-is-it.html
Clicking on the "what time is it scandal" "video" redirects toward a site Firefox flags for malware downloading (even though I'm on Linux -- thank you 'Fox).
There seem to be hundreds of these random malware blogs out there. Is this an old phenomenon? Thx.
sigfault (core dumped)
If McAfee (and others) really wanted to solve this "problem", then they would have to do little more than TELL US what the domain name, IP address, etc. of the offending server was!
If we knew that, we could reject any requests from there at the application OR server level, or even both.
And when they move to a new server, same thing. Of course, it would be helpful to have signature(s) of the code as well, but let's STAMP OUT the immediate problem, then worry about potential problems.
I know the "security" companies are commercial interests. But there are times when responsibility toward your community trumps making an enormous profit.
so, given I rarely if ever need to see Chinese servers, is there a list which I can use to generate a firewall access list and block all outbound access to Chinese servers?
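Both the comment about rejecting requests from a named server "at the application OR server level" and the question above about generating a firewall access list come down to the same mechanics: keep a prefix list, check addresses against it, and turn it into rules. The block below is an added example, not code from the article or from any commenter; it parses a commented blocklist, merges overlapping prefixes so the rule set stays small, answers the application-level question "is this address blocked?", and renders the corresponding iptables/ip6tables lines. The prefixes in it are the RFC documentation ranges used as constructed stand-ins, not any real country or provider allocation.

```python
"""Parse a CIDR blocklist, match addresses against it, and render drop rules (added example)."""
import ipaddress

# Constructed sample list using documentation ranges only; a real deployment would load a
# maintained country or provider allocation file here instead.
BLOCKLIST_TEXT = """
# hosting provider A (constructed stand-in)
198.51.100.0/25
198.51.100.128/25   # adjacent half: collapses into the /24 above
203.0.113.0/24      # hosting provider B (constructed stand-in)
2001:db8::/32       # IPv6 documentation range
"""


def parse_blocklist(text: str) -> list:
    """Return the blocklist as collapsed ip_network objects, IPv4 first, then IPv6.

    Comments and blank lines are ignored; a malformed entry raises ValueError with its line
    number so a bad edit to the list is caught before any rule is installed.
    """
    v4, v6 = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"blocklist line {lineno}: {entry!r}: {exc}") from None
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges overlapping and adjacent prefixes of one address family
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(addr: str, nets: list) -> bool:
    """Application-level check: True if addr falls inside any listed prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in nets)


def render_rules(nets: list, chain: str = "OUTPUT") -> list:
    """One DROP rule per prefix, in the chain given (OUTPUT for egress, INPUT for ingress)."""
    rules = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A {chain} -d {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    for rule in render_rules(nets):
        print(rule)
    for probe in ("198.51.100.7", "192.0.2.1", "2001:db8::1"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
```

The rendered lines are meant to be reviewed and fed to the firewall by whatever change process the host already uses; the `is_blocked` check is the piece an application or a request filter would call when it wants to refuse a connection before the firewall has been updated.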
I think the next step should be: EVERYONE Install Linux or Buy a Mac. At once. Problem Temporarily solved and time that will be needed in order to implement the NEXT next logical step will be bought. Of course, the NEXT next logical step is to kill every last one of these bottom feeding scum suckers in the face.
This signature is lame.
...do any of these exploits specifically target Linux? If not, then this is a nonevent for me.
Operation Guillotine is in effect.
Because, of course, as OS X market share increases, its security will weaken... Oh wait, that doesn't make any sense.