Posted on 03/13/2008 2:45:38 PM PDT by JerseyHighlander
Hackers launch massive IFrame attack
By Gregg Keizer
March 13, 2008 (Computerworld) Hackers using a new scam continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites, researchers said today.
The attacks, which began about a week ago, show no signs of slowing, said Dancho Danchev in a posting to his blog yesterday. "The group is continuing to expand the campaign," said the Bulgarian researcher. "These are the high-profile sites targeted by the same group within the past 48 hours, with the number of locally cached and IFrame-injected pages within their search engines."
Danchev listed more than 20 sites that together account for more than 401,000 IFrame-injected pages. The sites include high-profile sites such as the North Carolina State University library, the U.S. Administration on Aging and the U.S. government's Medicare program, as well as questionable sites such as BitTorrent sites hosting pirated software and other content.
The attacks "just keep growing," said Ben Greenbaum, a senior research manager at Symantec Corp.'s security response team. Greenbaum explained the attacks, which are not strictly site compromises, use the search-result caches that these sites maintain.
Likely relying on an automated tool to do the dirty work, the hackers add IFrame code to the saved search results on the sites, Greenbaum said. The next visitor that uses the search tool is then redirected to another Web site by the IFrame code. The second site in turn puts up a message telling the user that a new codec (coder/decoder) needs to be installed. Accepting the codec takes the user to still another site, which actually hosts the malware -- a new variant of the Zlob Trojan horse -- and installs it on the victim's PC.
"There are multiple levels of redirection going on here," said Greenbaum.
In his posting Wednesday, Danchev said he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors.
Trace it back far enough, and the path leads to the Russian Business Network (RBN) -- a notorious organization that hosts criminals' Web sites and provides them with domains from which they can launch their attacks. "What this means is that known Russian Business Network net blocks are receiving all the rerouted DNS queries from infected hosts, thereby setting up the foundations for a large-scale pharming attack," said Danchev.
"This tactic of poisoning recent search results in legitimate sites is new as of the last week or so," said Greenbaum. "But there are lots of things we can do to prevent this."
If users reject the bogus prompt to install the codec, the chain is broken and no harm comes to them. Web site operators, on the other hand, can take a number of steps, including properly sanitizing all user input (HTML-encoding stored search terms before echoing them back into a results page, so that an injected <iframe> is rendered as text rather than as markup) or not caching previous searches at all.
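The injection path described above, as an added example that is not code from the article, from Symantec or from any of the affected sites: a toy search-results renderer that stores its output in a cache, shown once echoing the raw search term (so an <iframe> submitted as a "search" becomes part of the cached page) and once HTML-encoding it, plus a scanner that walks the cache and flags iframes that are sized 0x0 or point off-site. The host names, the sample search terms and the hit list are constructed for the example; the real campaign's redirector domains are not reproduced.

```python
"""Toy model of search-cache IFrame injection and its two fixes.

Added example; not the article's or any affected site's code. All hosts
(*.example.invalid), terms and hits below are constructed sample data.
"""
import html
import re
from urllib.parse import urlparse

SITE_HOST = "search.example.invalid"  # hypothetical host of the site being audited

# Constructed sample input: the kind of "search" an automated tool submits
# so that the site caches a results page carrying the attacker's iframe.
INJECTED_TERM = ('ipod <iframe src="http://redirector.example.invalid/in.php" '
                 'width=0 height=0></iframe>')
BENIGN_TERM = "ipod nano"
HITS = ["Apple iPod nano 3rd gen", "iPod <b>accessories</b>"]


def render_results_vulnerable(term, hits):
    """Echoes the raw search term into the page: any HTML in it becomes markup."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h2>Results for {term}</h2><ul>{items}</ul>"


def render_results_hardened(term, hits):
    """Same page, but user-controlled text is HTML-encoded first, so an
    injected '<iframe' reaches the browser as '&lt;iframe' (inert text)."""
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h2>Results for {html.escape(term)}</h2><ul>{items}</ul>"


IFRAME_TAG_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(attr_text):
    """Minimal attribute parser for a single tag (quoted or bare values)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_injected_iframes(page_html, site_host=SITE_HOST):
    """Return the src of every iframe that is 0x0 or loads from another host.

    Heuristic only: an iframe written at runtime by obfuscated script would
    need the script decoded first, which this scanner does not attempt.
    """
    suspicious = []
    for m in IFRAME_TAG_RE.finditer(page_html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src -> same site
        hidden = attrs.get("width") == "0" or attrs.get("height") == "0"
        if hidden or host != site_host:
            suspicious.append(src)
    return suspicious


def audit_cache(cache):
    """Map each cached search term to the injected iframe srcs found in its page."""
    report = {}
    for term, page in cache.items():
        found = find_injected_iframes(page)
        if found:
            report[term] = found
    return report


if __name__ == "__main__":
    terms = (BENIGN_TERM, INJECTED_TERM)
    vulnerable_cache = {t: render_results_vulnerable(t, HITS) for t in terms}
    hardened_cache = {t: render_results_hardened(t, HITS) for t in terms}
    print("vulnerable cache:", audit_cache(vulnerable_cache))
    print("hardened cache:  ", audit_cache(hardened_cache))
```

The scanner is the check a site operator would run over an existing cache after the fact; the hardened renderer (or simply not caching searches) is the fix that keeps new injections out. Note that escaping on output is what matters: stripping "bad" characters on input tends to miss encodings the browser still accepts.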
But Danchev was more pessimistic that the attacks could be halted quickly. "To sum up -- it's a mess," he said.
Today I had a customer affected by this and when I walked in my door the first email I got was a warning from ComputerSecurity.com security alert regarding it.
Worth a tech ping.
Uh Oh.......:o)
Are there really regular users of the internet who click on installers after a re-direction? Jeez.
Not a pretty thing!
I know, because I used to use it a lot.
“Incompetents attacked again” “Employers waste resources for social preferences”
IFrames stink. Frames stink. PHP stinks. Java stinks. Javascript stinks.
I’m assuming that this affects only Windows?
So why is it that any RBN servers can’t be blacklisted?
OHHHH yes. I'm sure there are many.
The article doesn’t seem to say, but your guess may be correct...
Yeah, scary.
Malicious hackers should be sentenced to aversive conditioning that keeps them from being able to handle computers for a few years.
More info and a list of sites known to be affected so far
http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1,040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages
I had this happen on one of my computers a couple of months ago. That Zlob trojan is really nasty.
Well, so much for browser security. If the hacker wants malware on someone's system, he just needs to ask to install something and they do.
Define "regular users" these days. I never click on anything out of the ordinary. I don't install anything that I haven't been specifically looking for. Even if a website I'm trying to access wants me to install something, I'm not going to do it. Even if it were something like: Flash, Reader, or Java; I would go directly to the proper sources for those.
No, far too many Joe Sixpacks out there without a clue. And they, sadly, are regular users of the net, which is why we have these problems. That and well, Microsoft's insistence on letting every user run IE with ActiveX turned on, and Admin privileges.
I got a US-CERT bulletin on this today at work and actually called them for clarification. The alert is still vague, but they said there should be clarification SOON. Thanks for the heads-up though! :-)
What you said.
We went with option #1, plus Blue Coat. It seems that Sophos signatures already have the malware identified and I’ve tested that the appliances are stopping it.
Hey...Sweetie is e-mailing you with an answer to your question. :-) ...check your e-mail. :-)
bttt
Y'all are Saints!
Thanks!
Aw shucks. :-) ...it’s the least we can do! :-)
Thanks for the heads up.
Wow... those last two will probably assure that whomever is doing this WILL eventually be found though...
Well so much for your being able to predict what other human beings will do ;-) but sounds like you know your stuff otherwise (I sure don’t!).
Cyrano probably understands what you’re talking about better. (@post 20)
I too noticed the glaring lack of information on exactly who could be affected by this.
I can assure you, though, if Linux or Mac users were affected, they'd be screaming it everywhere you look.
ping
I'm assuming that this affects only Windows?
I too noticed the glaring lack of information on exactly who could be affected by this.
I can assure you, though, if Linux or Mac users were affected, they'd be screaming it everywhere you look
. . . just as certainly as that Big Journalism would be belaboring Eliot Spitzer's political affiliation with the Republican Party if he were not in fact a Democrat.
According to numerous reports, it's Linux servers that are being infected and then exposing their users to attack. Sites known to be affected are tv.com, mysimon.com, cnet.com, and trendmicro.com, which according to website tracker Netcraft are all running Linux.
This isn't really surprising, since according to the world's website defacement tracker Zone-H, Linux is by far the most hacked webserver operating system, and has been for years.
So long as the server hosting your website files doesn’t get compromised you should be fine.
Thanks for the help.
I made that particular page to help truckers on the road search for fuel prices. They use it from their desktop.
So, will local security be enough?
From what I’ve read, the hacked iframes are being injected on up to thousands of pages on the compromised websites, and are thought to be an automated process to infect so many pages in such a short time. So your website host is what must remain secure, for once it is compromised none of the pages kept there, including yours, are necessarily safe. All of the info I’ve seen so far indicates it is only servers that use the Apache webserver, although research is still ongoing, but if your hosting provider is using Apache you are likely at higher risk for compromise. I’ve also seen an example of the hacked iframe, although it’s not available to link, but if you get it, it will be very unusual and contain many numbers to disguise the function.
Thanks again. I guess, since I don’t host it, it would depend on the servers of the sites it accesses then. In which case, there would be nothing I can do, that I know of.
Only Internet Explorer on Windows, to be more exact.
Correct, if you’re hosting your site on servers maintained by others, you’re dependent on them to deflect attacks and protect your site for you. Choose wisely, or if you prefer to maintain it yourself, plan on investing a lot more time and possibly money to secure it on your own. Most importantly, no matter where you host, keep good backups. Hope this helps, thanks.
Well, thanks. I don’t run a server. I just use a Linux desktop.
According to all reports the Linux/Apache servers are what are being compromised and serving as the host for any subsequent attacks, which typically aren’t limited to IE and can be Firefox or Opera on the unsuspecting clients as well.
From what I read, it doesn’t work well with Firefox, because you need to have ActiveX for the virus to be installed automatically.
The servers are almost all Apache servers, but there are a few IIS sprinkled in.
They’re targeting big hosting operations, and seem to be sniffing passwords.
According to this article, the infected servers attempt to infect clients with “a new variant of the Zlob Trojan horse”:
http://www.linuxworld.com.au/index.php/id;26001482
Per Wikipedia, Zlob can also affect Macintosh and redirect them to other malicious sites as well:
http://en.wikipedia.org/wiki/Zlob
Another article describing iframe attacks used against Macs via Quicktime vulnerabilities:
http://www.crn.com/security/204601027
After reading that link more carefully, it doesn’t specifically claim that Macs are vulnerable to the Quicktime iframe issue, but that Firefox is a faster conduit than IE.
We can hope the Mac users aren’t stupid enough to click to agree to allow an unknown and untrusted downloaded application to run and then type in an administrator’s user name and password to allow the thing to install, but stupid has no limit.
Of course in any work environment the users won’t have the admin password, so this would have no effect there. Even a home installation from the dumbest person would still have him clicking to agree to run an unknown and untrusted downloaded application and then type in the admin password. But it can happen.
And, yes, the Mac rocks. You may be happy to know that since I have BSD in front of me to satiate my desire to use UNIX, I haven’t played with Linux in a while (if you don’t count using my web hosting service).
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.