Broad Web Hack Hits Thousands of Servers
Saturday, November 8, 2008 14:35
Kaspersky Labs warned on Friday that attackers have launched a large-scale web hacking campaign, planting malicious links on as many as 10,000 servers. The end result is that visitors to a compromised site may be sent on to a malicious server located in China, vvexe.com, where exploits are used to attack the user’s machine. Norton Safe Web and StopBadWare.org both have reports on that site.
Once again, if you're patched and have up-to-date antivirus and security software, you would probably be safe even after surfing to one of these sites. The open question is how the websites are being compromised; Kaspersky hasn't managed to determine that yet. An earlier attack this year affected 1.5 million servers, so this one is small by comparison, but Kaspersky warned that the attack has only just begun.
How do the attacks work?
As I said, Kaspersky still has not determined how the sites are being compromised, but they name two scenarios as the most likely: SQL injection, or the use of site accounts whose credentials had already been stolen. They also noted one common factor: the majority of the hacked sites run on some type of ASP engine.
The attackers add a tag to the HTML of hacked sites.
The link leads to JavaScript located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the blacklist in our antivirus:
- armsart.com
- acglgoa.com
- idea21.org
- yrwap.cn
- s4d.in
- dbios.org
Visiting one of the sites results in a secret redirect to a malicious server called vvexe.com which is located in China. Exploits are then used to launch an attack on the user’s machine.
If your machine is vulnerable to even one of these exploits, then it’ll be infected by another malicious program, Trojan-Downloader.Win32.Hah.a.
This Trojan is able to download yet more malicious programs – and details of these programs are in a dedicated configuration file on the vvexe.com site.
Today, we’ve seen three malicious programs being downloaded:
- Trojan-GameThief.Win32.WOW.cer – a Trojan designed to steal account data from World of Warcraft accounts
- Trojan-Spy.Win32.Pophot.gen – another spy program which steals data and also tries to delete a whole range of antivirus solutions
- Trojan.Win32.Agent.alzv – this Trojan downloads yet more Trojan spy programs: Trojan-PSW.Win32.Delf.ctw, Trojan-PSW.Win32.Delf.ctx, Trojan-PSW.Win32.Delf.cty.
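The first stage of the chain Kaspersky describes is an injected script tag that pulls JavaScript from one of the six gateway domains. A site owner can check their own pages for that stage with a scan like the following, an added example that is not code from this post or from Kaspersky; the sample HTML and the trusted CDN host are constructed for illustration, and the gateway list is the one quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirect gateway domains named in the Kaspersky write-up quoted above.
GATEWAY_DOMAINS = {"armsart.com", "acglgoa.com", "idea21.org",
                   "yrwap.cn", "s4d.in", "dbios.org"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())

def script_hosts(html):
    """Return lowercase hostnames of all external scripts referenced by html."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        if src.startswith("//"):          # protocol-relative URL, give it a scheme
            src = "http:" + src
        host = urlparse(src).hostname     # None for same-origin relative paths
        if host:
            hosts.append(host.lower())
    return hosts

def find_injected_scripts(html, trusted_hosts):
    """Flag script hosts that are listed gateways or not on the site's trusted list."""
    findings = []
    for host in script_hosts(html):
        if host in GATEWAY_DOMAINS or any(host.endswith("." + d) for d in GATEWAY_DOMAINS):
            findings.append((host, "known redirect gateway"))
        elif host not in trusted_hosts:
            findings.append((host, "unexpected external script host"))
    return findings

# Constructed sample page: a same-origin script, a trusted CDN script, and an
# appended tag pointing at one of the listed gateways.
SAMPLE_PAGE = ('<html><head><script src="/js/site.js"></script>'
               '<script src="https://cdn.example.com/jquery.js"></script></head>'
               '<body>Welcome</body><script src="http://armsart.com/r.js"></script></html>')
```

Running `find_injected_scripts(SAMPLE_PAGE, {"cdn.example.com"})` flags only the armsart.com reference; with an empty trusted set, the CDN script is reported too, which is the behaviour you want when auditing pages whose legitimate third-party scripts are not yet inventoried.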
