This latest round of malware, which targets open source phpBB applications, comes on the heels of last week's series of SQL injection attacks affecting more than 4,000 web pages based on Microsoft's ASP and .NET technologies.
"The bad guys' level of sophistication has grown to where they can now find websites that have been poorly implemented, and find them in automated ways," Paul Ferguson, network architect, Trend Micro, told SCMagazineUS.com on Tuesday.
The problem, said Ferguson, is that users are simply downloading readily available apps to add blogs, forums and other Web 2.0 technologies to their sites, and they are not following general security guidelines.
"So the bad guys can cast a wider net. They're exploiting vulnerabilities," he said.
Once loaded onto a PC, the malware redirects users to a site that asks them to download a codec for free porn.
"It's human nature that people fall for this," Ferguson said.
But the difference between this type of social engineering and previous attacks is that in the past, when the lure arrived by email, human intervention was required. In this latest generation, the exploit is automated and requires no human interaction, he said.
This particular infection chain is capable of keylogging and of scooping up login credentials. Ferguson said his team observed online service provider logins on Tuesday morning.
"What the end-game is, is unknown," Ferguson said. But the follow-on effect could be widespread.
"Once a PC is infected it is under the control of someone other than the owner," he said.
These attacks are always driven by a financial motive, he added.
"We've seen what we believe to be some of the same players we've seen before," Ferguson said. "They're using some of the same IP addresses in this multi-tiered infection chain."
And, though the trail is long and obfuscated, he and his team detected a server in China that is routing to servers in the United States.
It has to be a criminal gang behind the attacks, Ferguson said.
"The attacks are too big, too well organised and too well planned to be the work of a single individual," he said.
And this new phpBB attack shows that the criminals are becoming more adept, he said. He expects such attacks to become more frequent and to reach more widely.
As far as a solution, users should follow traditional best practices, Ferguson said. It's vital to have the latest patches for software and the operating system.
And this doesn't just mean monthly updates from Microsoft, he added. It means keeping third-party software up to date as well.
"It's an ongoing effort to keep desktops patched properly."
Ferguson also advised that anti-virus and anti-spam be kept up to date.
"It also helps to run reputation services or URL blocking, which can block known malicious URLs," he said.
See original article on scmagazineus.com
Poorly implemented sites blamed for latest malware infection
By Greg Masters on May 14, 2008 10:24AM