Slashdot Mirror


10,000-website Strong Malware Maze Created by Criminals

Stony Stevenson passed us an ITnews article about the newest scam in online crime. Some 10,000 web pages have been rigged by IT-minded criminals, with the aim of hijacking unsuspecting PCs. The site reports that the users are redirected through a maze of malware, all with the goal of gaining access to personal user information. "The reprogrammed web pages are probably victims of an automated attack that included scanning the internet for unsecured servers and planting a piece of JavaScript code that redirects to a site in China to serve up the malware. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC. A back door also allows the subsequent installation of additional malicious programs. McAfee Avert Labs first spotted the attack on 12 March. 'Of the 10,000 pages that were compromised a number have already been cleaned up,' the firm stated."

4 of 118 comments

  1. more informative article here by esocid · Score: 3, Informative
    The name for the rootkit is random js toolkit which seems pretty uninventive to me.

    The random js attack is performed by dynamic embedding of scripts into a Web page. It provides a random filename that can only be accessed once.
    So does the infected computer then inject something into websites the user visits or is that done by whoever designed this little rootkit?
    --
    Absolute power corrupts absolutely. indymedia
  2. Re:It's called a hosts file by Se7enLC · Score: 3, Informative

    This was the information that should have been included in the article. A link to the McAfee Avert Labs Blog:

    http://www.avertlabs.com/research/blog/index.php/2008/03/12/another-mass-attack-underway/

  3. can anyone tell me the checksum of the code? by 3seas · Score: 5, Informative

    I discovered my site had a directory and just under 2500 pages added to it. The directory and file dates are January 9th 08 and every one of the HTML files has the same script code in it. My research turned up indication of two mass site hacks in January.

    A Google search for threeseas.net/blogger/log/cache/ (cache being the directory that contained the files [past tense]) shows up about 4500 sites pointing to one of the files in that directory. Some of the findings are even SourceForge sites and you can tell they have been hacked as well. In other words there are a lot of hacked sites besides mine.

    I notified Google this morning and my host has already removed the files from my site, as the owner and group were set so that I couldn't do this myself.

    Anyways, rather than posting the code, a checksum would be better of the code starting with the word "function" to the end of the code.

    1. Re:can anyone tell me the checksum of the code? by element-o.p. · Score: 3, Informative
      From TFA:

      Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches.

      Sounds like it would be rather difficult to get a checksum for you, sorry.
      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
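
The check 3seas asks for, as an added example (not code from the thread or from the linked article): hash each inline script from the word "function" to its end, then list the scripts that recur across many HTML files under a web root. The file names, script text and `min_files` threshold are constructed assumptions, and as the reply quoting the article notes, a checksum only catches the static case where every planted file carries identical code.

```python
import hashlib, os, re, tempfile
from collections import defaultdict

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def script_fingerprints(html):
    """SHA-256 of each inline script, hashed from the first 'function' to the end."""
    prints = []
    for body in SCRIPT_RE.findall(html):
        start = body.find("function")
        if start == -1:
            continue  # no function keyword: nothing to checksum
        normalized = " ".join(body[start:].split())  # ignore whitespace differences
        prints.append(hashlib.sha256(normalized.encode("utf-8")).hexdigest())
    return prints

def find_shared_scripts(root, min_files=3):
    """Map fingerprint -> sorted paths, for scripts present in >= min_files files."""
    seen = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for fp in script_fingerprints(fh.read()):
                    seen[fp].add(path)
    return {fp: sorted(p) for fp, p in seen.items() if len(p) >= min_files}

def demo():
    """Constructed web root: four pages share one script, one page has its own."""
    injected = "<script>\nfunction   placeholder(){ return 'constructed sample'; }\n</script>"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        for i in range(4):
            with open(os.path.join(root, "cache", f"page{i}.html"), "w") as fh:
                fh.write(f"<html><body>page {i}{injected}</body></html>")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><script>function menu(){ return 1; }</script></html>")
        hits = find_shared_scripts(root)
        return {fp: [os.path.relpath(p, root) for p in paths] for fp, paths in hits.items()}

if __name__ == "__main__":
    for fp, paths in demo().items():
        print(fp, len(paths), "files, e.g.", paths[0])
```

A fingerprint produced this way can be shared with other site owners in place of the script itself, and the file list gives the host the exact paths to review.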