iTnews

"Nine-Ball" mass injection attack compromises 40,000 sites

By Angela Moscaritolo on Jun 18, 2009 10:46AM

A new threat dubbed "Nine-Ball" has compromised up to 40,000 legitimate websites that are now infecting users with an information-stealing trojan, according to security vendor Websense.

The attack is called “Nine-Ball” because of the name of the final, malicious landing page, which is loaded with drive-by exploits that unsuspecting users are automatically redirected to if they visit one of the compromised sites.

Ninetoraq.in, the exploit site, contains malicious code that looks for already-patched vulnerabilities in Acrobat Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy, which it then attempts to exploit, Stephan Chenette, manager of security research at Websense, told SCMagazineUS.com.

The flaws have all been patched; some date back to 2006, Chenette said. However, the Reader and QuickTime vulnerabilities are newer, making it less likely that users are patched against them. If the malicious code finds an unpatched vulnerability to exploit, it drops either a malicious PDF file or a trojan designed to steal user information, Chenette said.

All of the exploits currently have low detection rates, he added.

The 40,000 legitimate but compromised websites were “sleeping” up until Monday, Chenette said. Before then, a user who visited one of them was redirected to Ask.com. On Monday, though, the attack was updated and users started being redirected to the malicious ninetoraq site.

Currently, users who visit one of the compromised sites are first sent through a chain of redirections before landing on the final exploit site, ninetoraq. Users simply see the normal content of the infected page; the redirections occur in the background without their knowledge, so a user would not notice being on the ninetoraq site. Sending users through numerous redirections makes tracking the attackers more difficult, Chenette said.

During the redirections, a visitor's IP address is recorded. If the IP address is new, the user is directed to the exploit payload site. But if the user's IP address has already been recorded, they are directed from the compromised site to the benign site Ask.com -- a redirection they would see happen, Chenette said.

The attackers may have included this feature to evade security companies that probe the infected sites and attempt to analyse the attack: a researcher redirected to a benign site might assume the attack no longer works.

Websense researchers determined that the compromised sites are not running a common piece of software, which means the malicious code was injected using previously stolen credentials.

Getting rid of the problem requires multiple steps, Chenette said. Website owners must examine their site's source code for obfuscated or scrambled code, then change the credentials of every account that can access the website.
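
The source-code check described above, as an added example that is not part of the original article or any Websense tool: a small Python scanner that flags the hallmarks of injected, obfuscated code (zero-size hidden iframes, eval or document.write fed a long escaped string literal, long runs of %XX escapes) in one page or across a whole web root. The regex heuristics and the two sample pages are constructed for this example, and example.invalid is a placeholder domain.

```python
import re
import os

# Indicators of the kind of injected, obfuscated code the article describes.
# These regexes are heuristics constructed for this example, not vendor signatures.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0(?:px)?['\"]?[^>]*>", re.I)
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# eval()/document.write() fed a long string literal, optionally via unescape().
EVAL_LONG_LITERAL = re.compile(
    r"\b(?:eval|document\.write)\s*\(\s*(?:unescape\s*\()?\s*['\"][^'\"]{80,}", re.I)
# Runs of %XX or \xXX escapes far longer than hand-written scripts ever need.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}){20,}|(?:\\x[0-9a-f]{2}){20,}", re.I)

def scan_html(html: str) -> list:
    """Return (indicator, snippet) pairs for one page; an empty list means nothing suspicious."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append(("hidden_iframe", m.group(0)[:60]))
    for m in SCRIPT_TAG.finditer(html):
        body = m.group(1)
        if EVAL_LONG_LITERAL.search(body):
            findings.append(("eval_of_long_literal", body.strip()[:60]))
        if ESCAPE_RUN.search(body):
            findings.append(("escape_run", body.strip()[:60]))
    return findings

def scan_webroot(root: str, exts=(".html", ".htm", ".php", ".js")) -> dict:
    """Walk a document root and map every file with findings to its indicator list."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = scan_html(f.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample pages: a clean one and one carrying an injected payload.
CLEAN_PAGE = "<html><body><h1>Hello</h1><script>var x = 1 + 2;</script></body></html>"
INJECTED_PAGE = (
    "<html><body><h1>Hello</h1>"
    "<script>eval(unescape('"
    + "".join("%%%02X" % ord(c) for c in '<iframe src="http://example.invalid/" width=0 height=0></iframe>')
    + "'))</script>"
    '<iframe src="http://example.invalid/" width=0 height=0></iframe>'
    "</body></html>"
)
```

Running `scan_html(INJECTED_PAGE)` yields three findings while the clean page yields none; `scan_webroot("/var/www/html")` applies the same check to every page under a document root.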

Chenette said that none of the 40,000 infected sites in this particular attack are well-known brands.

“Attackers are going after quantity and not quality,” Chenette said. “If they go after big name websites, they are shut down faster.”

Over the past several months, mass-injection attack waves like this one have occurred every few weeks.

A similar threat called Gumblar made headlines recently for compromising approximately 60,000 legitimate websites. In addition, another mass-injection attack, Beladen, was said to have infected 40,000 websites.

Neil Daswani, co-founder of web anti-malware vendor Dasient, said that in the past two years there has been a 600 per cent increase in the number of trusted websites used as malware distribution points. Compromised websites face a number of consequences, including being blacklisted by search engines, which typically causes a significant drop in traffic.

“Once they clean up, the challenge is to try and get back traffic,” Daswani said. “From businesses we have spoken to, once they clean up, it's very hard to get back to [the former] traffic level because there's a loss of consumer confidence.”

See original article on scmagazineus.com

Copyright © SC Magazine, US edition