Beladen infections plummet

By on

The number of sites infected with malicious code inserted by the Beladen injection has dropped significantly.

Websense Security Labs ThreatSeeker Network has detected a consistent decrease of sites infected with the malicious code over the past five days. It claimed that the decrease in infections is highly suspicious, and it believes that the infected hosts are still under the control of the attackers.


Websense said that it suspected that those behind the infections might be automatically removing the injected scripts, getting ready to launch a new injection campaign soon.


Meanwhile, Trend Micro claimed that analysis of the recent Gumblar attack that compromised thousands of legitimate websites was done through accessing web server files through stolen FTP credentials gathered by one of the final malware payloads of the same attack. It had been rumoured by ScanSafe, who originally reported on the attack, that this was the case, but it was not confirmed.


Technical communications spokesperson JM Hipolito claimed that an infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC end with the download of TSPY_KATES.G into the affected system.


The data-stealer, TSPY_KATES.G installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, which includes usernames and passwords.

Via this, Trend Micro claimed that Gumblar was able to compromise more sites than when it initially launched the attack.


Hipolito said: “Also, as opposed to SQL injections, inserting malicious scripts by actually accessing web server files are relatively harder to detect. Web administrators, most likely learning from last year's string of mass compromises, are already keen on watching the typical areas in websites where malicious scripts are possibly injected.


“However, unauthorised access by cybercriminals would enable them to place the malicious scripts where they won't be noticed, and in as many areas of the website as they want. This may explain the occurrence of malicious scripts in multiple pages of websites compromised by Gumblar.”

See original article on

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?