Slashdot Mirror


10,000-website Strong Malware Maze Created by Criminals

Stony Stevenson passed us an ITnews article about the newest scam in online crime. Some 10,000 web pages have been rigged by IT-minded criminals, with the aim of hijacking unsuspecting PCs. The site reports that the users are redirected through a maze of malware, all with the goal of gaining access to personal user information. "The reprogrammed web pages are probably victims of an automated attack that included scanning the internet for unsecured servers and planting a piece of JavaScript code that redirects to a site in China to serve up the malware. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC. A back door also allows the subsequent installation of additional malicious programs. McAfee Avert Labs first spotted the attack on 12 March. 'Of the 10,000 pages that were compromised a number have already been cleaned up,' the firm stated."

5 of 118 comments

  1. Re:Including Slashdot? by Anonymous Coward · Score: 1, Interesting

    How about a pre-shipped white list? I know there is a whole bit of politics with who gets on the whitelist.

  2. Pages != Sites by mythosaz · Score: 2, Interesting

    10,000 pages != 10,000 sites. ...unless the sites each only have one page.

  3. Re:Including Slashdot? by davidwr · Score: 3, Interesting

    Far better is a mechanism where content from one server can be authenticated by another server.

    For example, if http://www.foo.bar/ served up index.html, and http://authenticator.foo.bar/ served up an md5 hash based on its copy of index.html, an attacker would have to compromise both servers to fool the checksum.

    This works well for static content. For dynamic content each piece would have to be checked independently. There are also other serious issues that would have to be worked out.

    Your web browser could treat unauthenticated content as untrustworthy even if the site was otherwise trusted by the user.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
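
The two-server checksum idea in the comment above, modelled in Python as an added example (not the poster's code): dicts stand in for the www and authenticator hosts, the page content is constructed, and sha256 is used in place of the md5 the comment names because md5 is collision-prone.

```python
import hashlib
import hmac

# Constructed sample content: the index.html that www.foo.bar serves, and the same
# page after an injected redirect script (illustrative only, not a real payload).
CLEAN_INDEX = b"<html><body><h1>Welcome to foo.bar</h1></body></html>\n"
INJECTED_INDEX = CLEAN_INDEX.replace(
    b"</body>", b'<script src="http://injected.example/r.js"></script></body>')

HASH_ALGO = "sha256"  # the comment proposes md5; sha256 chosen here (md5 is collision-prone)


def published_digest(trusted_copy: bytes) -> str:
    """What authenticator.foo.bar publishes: the digest of ITS copy of index.html."""
    return hashlib.new(HASH_ALGO, trusted_copy).hexdigest()


def content_is_authentic(served: bytes, digest_from_authenticator: str) -> bool:
    """Browser-side check: hash what www.foo.bar actually served and compare."""
    actual = hashlib.new(HASH_ALGO, served).hexdigest()
    return hmac.compare_digest(actual, digest_from_authenticator)


def browser_decision(content_server: dict, authenticator: dict, path: str) -> str:
    """Fetch a page from one 'server' and its digest from the other (dicts stand in
    for HTTP hosts); content without a matching digest is treated as untrusted."""
    served = content_server.get(path)
    digest = authenticator.get(path + ".digest")
    if served is None or digest is None:
        return "untrusted"  # a missing digest counts as unauthenticated content
    return "trusted" if content_is_authentic(served, digest) else "untrusted"


def simulate(www_compromised: bool, authenticator_compromised: bool) -> str:
    """Compromise one or both hosts and see whether the check still catches it."""
    www = {"/index.html": INJECTED_INDEX if www_compromised else CLEAN_INDEX}
    auth_copy = INJECTED_INDEX if authenticator_compromised else CLEAN_INDEX
    auth = {"/index.html.digest": published_digest(auth_copy)}
    return browser_decision(www, auth, "/index.html")


if __name__ == "__main__":
    for www_c, auth_c in [(False, False), (True, False), (True, True)]:
        print(f"www compromised={www_c}, authenticator compromised={auth_c}: "
              f"{simulate(www_c, auth_c)}")
```

The third case shows the limit the comment states: once both hosts are compromised the digest matches the injected page and the check is fooled.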

  4. Re:The Question Webmasters Have Is... by whitehatlurker · Score: 3, Interesting

    See the posting immediately previous to yours.

    Yes, TFA is sparse on the details, but if this is the attack, it is detected by several anti-virus packages.

    That rootkit is very stealthy. It might most easily be detected by watching your httpd server logs for random javascript files being served. Some details here.

    Note: I don't know that the above is the exploit described in TFA. I believe this subject was discussed earlier on slashdot. It was in The Reg as well.

    --
    .. paranoid crackpot leftover from the days of Amiga.
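
The log-watching idea in the comment above, as an added Python example (not the poster's code): it parses combined-format httpd log lines, ignores the site's known scripts, and flags successfully served .js files whose names look generated. The log lines and the allowlist are constructed for the example.

```python
import math
import re
from collections import Counter

# Apache/nginx "combined" log format, enough fields for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Allowlist of the JavaScript files the site is known to ship (assumed for the example).
KNOWN_JS = {"/js/site.js", "/js/jquery.js"}

# Constructed sample log lines; the third is the kind of request a planted script produces.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2008:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [12/Mar/2008:10:01:23 +0000] "GET /js/site.js HTTP/1.1" 200 2200 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [12/Mar/2008:10:02:01 +0000] "GET /js/kx7t3q9zb.js HTTP/1.1" 200 410 "-" "Mozilla/4.0"',
    '10.0.0.8 - - [12/Mar/2008:10:02:09 +0000] "GET /js/a1b2c3d4e.js HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking stems score about 3 or higher."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(filename: str) -> bool:
    """Heuristic for generated names: long mixed letter/digit stem with high entropy."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 8 and any(ch.isdigit() for ch in stem)
            and any(ch.isalpha() for ch in stem) and shannon_entropy(stem) >= 3.0)


def suspicious_js_requests(lines):
    """Return (client_ip, path) for successfully served .js files that are neither
    allowlisted nor named like anything a developer would write."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of crashing on them
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(".js") or path in KNOWN_JS:
            continue
        if m.group("status") != "200":  # a 404 means nothing was actually served
            continue
        if looks_random(path.rsplit("/", 1)[-1]):
            hits.append((m.group("ip"), path))
    return hits
```

Run it over a real access log with `suspicious_js_requests(open(path))` after filling KNOWN_JS from the site's own deployment; the allowlist, not the entropy heuristic, does most of the work against false positives.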

  5. Re:The Question Webmasters Have Is... by kesuki · Score: 3, Interesting

    The funny thing is this isn't even the worst thing I've seen black hats use. There is this NASTY little exploit in Windows that lets a CD-ROM be used to install automatic updates, when automatic updates ARE DISABLED. Think about this a little: a CD-ROM, CD-R, DVD-R, BD-R... so what do you use to back up your data? Blank DVDs? Did you ever notice that a disc left open 'gained' an extra session, somehow, somewhere?

    BAM, huge exploit. It's the one that got me. I was tied up for weeks trying to figure ways around this nasty virus, and how to not lose all my data... I had no internet and the dang root-kit kept coming back. There were flaws in the root-kit that caused 'bugs'; the big 3 are: 1. a recurrent error in chkdsk where Windows keeps complaining about the volume bitmap being corrupted. This is not, as reported, a flaw in chkdsk, but something the root-kit does constantly to 'make all its infected files completely invisible to rootkit and virus scanners'. The only way to scan for those files is to put the hard drive into a Linux machine and 'find' the missing files. You can detect the problem in Windows though: you navigate to your System Volume Information\_restore{(long number here)}\RP1 folder. The RP1 folder is supposed to contain sequentially numbered temporary files that are never deleted by normal means... so if you spot a 'numerical gap' in the files listed, you have the root-kit. To prove it, pop the drive in a Linux machine (or live CD) and the 'missing' numbered files are there, not deleted, not invisible, just 'not in the volume file bitmap'. That's the easiest way to detect it.

    The second and third ways are less scientific. The second way I've detected it is by playing full screen games for many hours straight. If randomly over the course of 2-4 days the desktop shows in mid game for no reason... you have the root kit. Sometimes it happens 3-5 times a day, but not always. The third indication doesn't always happen, but sometimes the root-kit does something wrong, and autoplay gets disabled. Usually this is related to frequent DVD movie usage. Autoplay will still work on USB drives, but no longer on any optical drives... it's very weird. In one case, it even screwed up the system so bad that '3 programs' installed on the system would 'set the default screen saver/power management settings back to their original windows defaults every 2 seconds'. One of these programs was VLC media player, and frankly trying to watch a movie when the screen goes black every 20 minutes is ANNOYING...

    If you have any of the above-mentioned symptoms I'd recommend grabbing a live CD Linux disc, mounting the HD and looking in your System Volume Information folders for signs of files that are only readable under Linux.