A large-scale hack of legitimate Web sites to infect visitors' PCs is much more massive than first thought, researchers said Friday. At least 10,000 sites have been compromised, and have hijacked unpatched systems that steered to their URLs.
On Monday, Mary Landesman, a senior security researcher at ScanSafe Inc., said that she had uncovered hundreds of sites which had been hacked and were feeding exploits to visitors. Friday, Don Jackson, a senior researcher with Atlanta-based SecureWorks Inc., said the number was considerably larger.
According to ScanSafe's data, approximately 10,000 sites hosted on Linux servers running Apache, the popular open-source Web server software, have been hacked, most likely with purloined log-in credentials. Those servers have been infected with a pair of files that generate constantly-changing malicious JavaScript. When visitors reach the hacked site, the script calls up an exploit cocktail that includes attack code targeting recent QuickTime vulnerabilities, the long-running Windows MDAC bug, and even a fixed flaw in Yahoo Messenger.
If the visitor's PC is unpatched against any of the nine exploits Jackson listed, it's infected with new variant of Rbot, the notorious backdoor Trojan he called "a very nasty piece of software." The end result: The PC is added to a botnet.
Jackson's can't prove how the sites were originally hacked, but all the evidence points to the theft of log-on credentials; one reason why he came to that conclusion is that hosts that have been cleaned of the infection -- or in some cases even had Linux reinstalled -- are quickly reinfected.
"There was no sign of brute forcing [of passwords] just prior to the infection," said Jackson, "but attackers hosting companies are hit all the time with password attacks. It's part of doing business."
Earlier in the week, Landesman of ScanSafe drew a link between the security breach at U.K.-based Fasthosts Ltd., that country's largest Web hosting vendor, and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts.
More...
Ron