Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Government The Courts The Internet News

10,000-website Strong Malware Maze Created by Criminals 118

Stony Stevenson passed us an ITnews article about the newest scam in online crime. Some 10,000 web pages have been rigged by IT-minded criminals, with the aim of hijacking unsuspecting PCs. The site reports that the users are redirected through a maze of malware, all with the goal of gaining access to personal user information. "The reprogrammed web pages are probably victims of an automated attack that included scanning the internet for unsecured servers and planting a piece of JavaScript code that redirects to a site in China to serve up the malware. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC. A back door also allows the subsequent installation of additional malicious programs. McAfee Avert Labs first spotted the attack on 12 March. 'Of the 10,000 pages that were compromised a number have already been cleaned up,' the firm stated."
This discussion has been archived. No new comments can be posted.

10,000-website Strong Malware Maze Created by Criminals

Comments Filter:
  • Oblig. (Score:3, Funny)

    by Damocles the Elder ( 1133333 ) on Thursday March 13, 2008 @03:39PM (#22743502)
    It's over 9000!
  • by esocid ( 946821 ) on Thursday March 13, 2008 @03:41PM (#22743520) Journal
    It's a trap!
  • by davidwr ( 791652 ) on Thursday March 13, 2008 @03:43PM (#22743546) Homepage Journal
    Maybe not today, but tomorrow?

    Seriously, it's time to seriously sandbox web browsers and have "no extensions" by default with overrides on a per-page, per-session basis allowed.

    In addition to sandboxing, browsers should ship with NoScript or equivalent functionality built-in.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Thursday March 13, 2008 @03:45PM (#22743568)
      Comment removed based on user account deletion
      • Re: (Score:1, Interesting)

        by Anonymous Coward
        How about a pre-shipped white list. I know know there is whole bit of politics with who gets on the whitelist.
        • Re: (Score:3, Interesting)

          by davidwr ( 791652 )
          Far better is a mechanism where content from one server can be authenticated by another server.

          For example, if http://www.foo.bar/ [foo.bar] served up index.html, and http://authenticator.foo.bar/ [foo.bar] served up an md5 hash based on its copy of index.html, an attacker would have to compromise both servers to fool the checksum.

          This works well for static content. For dynamic content each piece would have to be checked independently. There are also other serious issues that would have to be worked out.

          Your web browser coul
        • Re: (Score:2, Informative)

          by MttJocy ( 873799 ) *
          If you read TFA not very slashdot I know, but it does say that several of the sites were what would normally be considered trusted and thus could likely end up on such a whitelist so it would hardly protect you against situations like this where trusted websites have been owned by a malware attack themselves.
    • by ivan256 ( 17499 ) on Thursday March 13, 2008 @03:59PM (#22743738)
      Why not just disallow redirection and loading of off-domain/off-host data from scripts?

      Disabling scripts entirely disables dangerous behavior, sure... But is also disables lots of desirable functionality that most people want.
      • by Hatta ( 162192 )
        That would strongly encourage web designers to run their code on their own machines where it belongs. That's very much a desired effect in my book.
        • by ivan256 ( 17499 ) on Thursday March 13, 2008 @05:19PM (#22744708)
          Interactive code can't be run on the server and still be responsive enough for a good user experience.

          Web pages aren't just static content anymore. And other than stuffy people who don't want to let go of the paper document, or paper document + hyperlink models, nobody really thinks they *should* be static content either.
          • Once again, I'm amazed at the tendency towards Ludditism on what is ostensibly a tech site.
          • You seem to be blithely disregarding issues of trust. And bandwidth. And disability. (Just how well do those interactive pages work with page readers?)

            For me, when a company puts up a page that is utterly useless unless you run flash, or javascript, that's a company I turn away from.

            Maybe I'm just one of those "stuffy people" you mention. But even if I am, it doesn't mean I don't have legitimate grievances.
            • by ivan256 ( 17499 )
              I don't think I'm ignoring the issues of trust... I think you just didn't read the whole thread.

              I think the bandwidth issue was pretty core to my argument. Dynamic content can, and should, use less bandwidth than static content to obtain the same level of interactivity.

              I'm also not ignoring disability. I just don't think we should say "the web is text" and be stuck with that model forever in order to cater to a lowest common denominator. The fact of the matter is that the web has grown into an application p
      • This is a good step, but wouldn't hackers just be able to work around this too? eg. just put the bad stuff on the same host, etc.

        This precaution is currently not enforced, and hence current attacks don't consider it, but if it were enforced, then I have a feeling hackers would just find another way, just as they have done to create the current exploitations.

        It is disturbing that plugins such as real player and acrobat can be exploited, since often times an old plugin that is no longer in use will never get
        • by FLEB ( 312391 )
          Well, if it was absolutely locked down, about the worst an attacker could do would be to create a lookalike phishing site on the same host. Unfortunately, properly locking that sort of thing down may need to go as far as disallowing off-site IMG tag references, as well as JavaScript and the like.
    • Re: (Score:2, Informative)

      by Anonymous Coward
      > In addition to sandboxing, browsers should ship with NoScript or equivalent functionality built-in.

      You mean like all the browsers of the Mozilla series do? NoScript is just a GUI exposing the Mozilla Security Policies, which have been available via prefs.js since ever. An older one is "Policy Manager" , and the lack of a GUI is even a long term Bugzilla entry.

      And yes, the NoScript guys intentionally create the impression that their work is something new.
    • chroot firefox? Hmmm...I wonder how that would work. I might have to give it a shot :)
    • Firefox 3 has NoScript as a built-in feature ... ;)
      http://extremesecurity.blogspot.com/ [blogspot.com]
  • by syntaxeater ( 1070272 ) on Thursday March 13, 2008 @03:47PM (#22743600) Homepage
    ...then we wouldn't be having these problems.
  • by esocid ( 946821 ) on Thursday March 13, 2008 @03:47PM (#22743608) Journal
    The name for the rootkit is random js toolkit [govtech.com] which seems pretty uninventive to me.

    The random js attack is performed by dynamic embedding of scripts into a Web page. It provides a random filename that can only be accessed once.
    So does the infected computer then inject something into websites the user visits or is that done by whoever designed this little rootkit?
  • by ausoleil ( 322752 ) on Thursday March 13, 2008 @03:48PM (#22743614) Homepage
    ...how do we check our sites to ensure that this code has not been planted. The article gives no clue at all. It doesn't even identify if is platform or technology specific, etc. Just that someone else has set up a huge botnet.

    Even sysadmins and webmasters that use best practices and diligently patch, etc. can be gotten because there are always undisclosed holes that are utilized. In fact, were I in that game and I figured out something to defeat security, it would keep it under my ragged black hat and never share that info.
    • by whitehatlurker ( 867714 ) on Thursday March 13, 2008 @04:39PM (#22744234) Journal
      See the posting [slashdot.org] immediately previous to yours.

      Yes, TFA is sparse on the details, but if this [govtech.com] is the attack, it is detected by several anti-virus packages.

      That rootkit is very stealthy. It might most easily be detected by watching your httpd server logs for random javascript files being served. Some details here [webhostingtalk.com].

      Note: I don't know that the above is the exploit described in TFA. I believe this subject was discussed earlier on slashdot. It was in The Reg as well.

    • by kesuki ( 321456 ) on Thursday March 13, 2008 @05:20PM (#22744740) Journal
      the funny thing is this isn't even the worst thing I've seen black hats use. There is this NASTY little exploit in windows that lets a CD-ROM be used to install automatic updates, when automatic updates ARE DISABLED.. think about this a little a cd-rom, CD-r, DVD-r, BD-R so what do you use to back up your data? blank dvds? did you ever notice that a disc left open 'gained' an extra session, somehow some where?
      BAM huge exploit.. it's the one that got me. i was tied up for weeks trying to figure ways around this nasty virus, and how to not loose all my data... i had no internet and the dang root-kit kept coming back (there were flaws in the root-kit, that caused 'bugs' the big 3 are, 1. a recurrent error in chkdsk where windows keeps complaining about the volume bitmap being corrupted. This is not as reported, a flaw in chkdsk, but something the Root-kit does constantly to 'make all it's infected files completely invisible to rootkit and virus scanners' the only way to scan for those files, is to put the hard drive into a linux machine and 'find' the missing files you can detect the problem in windows though, you navigate to your
      System Volume Information\_restore{(long number here)}\RP1 the RP1 folder is supposed to contain sequentially numbered temporary files, that are never deleted by normal means... so if you spot a 'numerical gap' in the files listed, you have the root-kit, to prove it pop the drive in a linux machine(or live cd) and the 'missing' numbered files are there, not deleted, not invisible, just 'not in the volume file bitmap' that's the easiest way to detect it, the second and third ways are less scientific, the second way I've detected it is by playing full screen games for many hours straight. if randomly over the course of 2-4 days the desktop shows in mid game for no reason... you have the root kit. sometimes it happens 3-5 times a day, but not always. the third indication doesn't always happen, but sometimes, the root-kit does something wrong, and autoplay gets disabled. usually this is related to frequent dvd movie usage. autoplay will still work on usb drives, but no longer on any optical drives... it's very wierd. in one case, it even screwed up the system so bad that '3 programs' installed on the system would 'set the default screen saver/power management settings back to their original windows defaults every 2 seconds' one of these programs was VLC media player, and frankly trying to watch a movie when the screen goes black every 20 minutes is ANNOYING...

      if you have any of the above mentioned symptoms i'd recommend grabbing a live cd linux disc, and mounting the hd and looking in your System volume information folders for signs of files that are only readable under linux.
      • Re: (Score:1, Funny)

        by Anonymous Coward
        if you have any of the above mentioned symptoms i'd recommend grabbing a live cd linux disc...and install Linux

        Fixed that for you. ;)
    • Re: (Score:2, Informative)

      by Uncle Op ( 541486 )
      The Register offered one way to see the list:

      http://www.theregister.co.uk/2008/03/13/trend_micro_website_infected/ [theregister.co.uk]

      The list is over 23,000 pages:

      http://www.l.google.com/search?hl=en&q=%22script+src%3Dhttp%3A%2F%2Fwww.2117966.net%2Ffuckjp.js%22&btnG=Google+Search&aq=f [google.com]

      I haven't counted the Google-provided list. In theory some of those sites/pages have already been cleaned up, and they are reported 'cuz that was the last time Google spidered them.
  • by metalman ( 33387 ) on Thursday March 13, 2008 @03:53PM (#22743668)
    "Often you hear warnings about not going to untrusted sites," said Craig Schmugar, threat researcher at McAfee Avert Labs... That is good advice, but it is not enough. Even sites you know and trust can become compromised."

    In the old days it was easy to avoid malicious sites. Now even your neighbor could be the terrorist... err..I mean.. even sites you know and trust can become compromised.

    At least this threat researcher offered a calm analysis with plenty of advice about how to avoid such attacks without recoiling from the web in fear.

    MUST BUY MCAFEE...
  • of the server that is owned and run by the criminals. Isn't this what Tactical Nuclear Weapons were designed for?
    • Isn't this what Tactical Nuclear Weapons were designed for?


      No. Killing them that way is not slow and painful enough.
      • Re: (Score:3, Funny)

        by mjwx ( 966435 )

        Isn't this what Tactical Nuclear Weapons were designed for?
        No. Killing them that way is not slow and painful enough.
        But nuking them from orbit is the only way to be sure.
    • Isn't this what Tactical Nuclear Weapons were designed for?

      Good point.

      Of course the only sane way to clear the entire internet of all malware of any kind...

      is to explode many nuclear weapons in orbit thus frying most of the electronics on the planet.

      Lets call that "Plan B".
  • What number? One? two? 17? 8000?
    • Re: (Score:1, Offtopic)

      by Bryansix ( 761547 )
      Patriotism can be thinking that your form of government is better that anothers or that your implementation of it is better. This kind of patriotism has nothing in common with racism. This kind of patriotism is about ideas and ideologies.
      • by d3ac0n ( 715594 )
        You do know that you are replying to his signature, right?

        That said, you are otherwise correct.
      • by Hatta ( 162192 )
        Racism can be thinking that your race or culture is better than another's. Believing that, for instance, american democracy is inherently better and more free than other democracies isn't really any different than believing that white people are inherently more civilized than others. I don't understand the distinction you're trying to make.
        • One has to do with ideas which can change and be changed by either party. The other is state you are born into and can't be changed.
          • by Hatta ( 162192 )
            I don't understand, people are born racists?
            • No, people are born with a race. Therefore arguing that one race is supierior to another is pointless because it's not like I can say "well being white sucks so I'll change to be asian instead". However with Patriotism if you talk to somebody who promotes the monarchy and they see democracy and like it then they can change what they are supporting based on the facts.

              Futhermore a government is just a group of people who make policy and rule a certain way. If yours does so honorably (for the most part) and
              • by Hatta ( 162192 )
                People are born American too. I'd argue that if you convince a patriotic american that the british government is superior, they're not really patriotic anymore. Similarly, if you convince a klan member that there's nothing fundamentally wrong with the african race, he's not really racist anymore.


                Futhermore a government is just a group of people who make policy and rule a certain way. If yours does so honorably (for the most part) and you helped elect and be a part of the process then why not be proud?


                Rac
        • by w0rd ( 412663 )
          Actually, you're incorrect. When you speak of believing that a particular culture is better than another, that's ethnocentrism. Racism is application of standards based only on race, not government.
  • Pages != Sites (Score:3, Interesting)

    by mythosaz ( 572040 ) on Thursday March 13, 2008 @04:00PM (#22743744)
    10,000 pages != 10,000 sites. ...unless the sites each only have one page.
  • The article doesn't make it clear. This is a vulnerability in Windows, or in IE?
  • Impressive! (Score:3, Funny)

    by jgarra23 ( 1109651 ) on Thursday March 13, 2008 @04:15PM (#22743906)
    It reminds me of that Eddie Izzard bit in "Dress To Kill" where he talks about how we as a society abhor serial killers but when we start to get even into the hundreds or thousands or millions we're like, "well done!" that's impressive! In an odd morbid sort of way... I mean, you hear about worms and crap like that or the oddball who hacked A system... but to create a "maze" of over 10k sites?? Well, uh... impressive!
    • by IBBoard ( 1128019 ) on Thursday March 13, 2008 @04:34PM (#22744180) Homepage
      And for anyone who is unfortunate enough not to know Eddie Izzard or who hasn't seen "Dress to Kill", the section is:

      And Hitler ended up in a ditch, covered in petrol, on fire, so, that's fun! I think that's funny, 'cause he was a mass-murdering fuckhead. And that was his honeymoon as well! Double trouble!

      "Eva, let's marry."

      "Where should our honeymoon be?"

      "Well, in a ditch, covered in petrol, on fire. I've already arranged it upstairs."

      "Oh, how romantic, Adolf."

      "Yes, I thought!"

      Fun! What a bastard! And he was a vegetarian, and a painter, so he must have been going, "I can't get the fucking trees... Damn! I will kill everyone in the world!"

      And he was a mass-murdering fuckhead, as many important historians have said. But there were other mass murderers that got away with it! Stalin killed many millions, died in his bed, well done there; Pol Pot killed 1.7 million Cambodians, died under house arrest at age 72, well done indeed! And the reason we let them get away with it is because they killed their own people, and we're sort of fine with that. "Ah, help yourself," you know? "We've been trying to kill you for ages!" So kill your own people, right on there. Seems to be... Hitler killed people next door... "Oh... stupid man!" After a couple of years, we won't stand for that, will we?
      Pol Pot killed 1.7 million people. We can't even deal with that! You know, we think if somebody kills someone, that's murder, you go to prison. You kill 10 people, you go to Texas, they hit you with a brick, that's what they do. 20 people, you go to a hospital, they look through a small window at you forever. And over that, we can't deal with it, you know? Someone's killed 100,000 people. We're almost going, "Well done! You killed 100,000 people? You must get up very early in the morning. I can't even get down the gym! Your diary must look odd: "Get up in the morning, death, death, death, death, death, death, death - lunch- death, death, death - afternoon tea - death, death, death - quick shower..."

      So I suppose we're glad that Pol Pot's under house arrest... you know, 1.7 million people. At least he - we know where he is - under house arrest! Just don't go in that fucking house, you know? I know a lot of people who'd love to be under house arrest! They bring you your food... "Just stay here? Oh, all right. (singing laconically ) Have you got any videos?" You know, you just sit there all day... And Pol Pot was a history teacher. And Hitler was a vegetarian painter. So... mass-murderers come from the areas you least expect it. I don't know how the flip comes over, but it happens.


      http://www.auntiemomo.com/cakeordeath/d2ktranscription.html#history [auntiemomo.com]
  • by King_TJ ( 85913 ) on Thursday March 13, 2008 @04:17PM (#22743936) Journal
    First, people figured out that in order to hijack people's PCs for "bot net" purposes, they could try to trick them into installing a program that would slip it in, along with the desired program being loaded. But along came all the "spyware cleaner" packages, that could identify and remove the malware, leaving the originally desired software installed and running.

    So the next trick was to try to make removal difficult or impossible by infecting a PC with a "downloader virus". That way, the virus itself would try to avoid detection, but silently download and install spyware from various sites around the world. The user might figure out he/she was infected with the spyware and try to clean it with a remover, but it would keep coming right back, as the original virus kept re-downloading the stuff.

    This led to popular anti-virus packages starting to blur the lines between spyware and virii (in cases where the company in question didn't have a specific anti-spyware product ready to sell you). They'd just attempt to clean ALL of the stuff up. Others wanted you to run 2 distinct programs together to protect against both types of threats. In any case, all of this confused a lot of people -- but also made them catch on that a lot of this stuff appeared to be impossible to clean ONLY because of that "downloader trojan horse" trick.

    After they started "wising up" and unplugged their Inet connections while doing all the virus and spyware removal ... the "evil doers" had to escalate things further.

    The current ploy of injecting the stuff from normally benign web sites is pretty much the "next logical step" for them. Doesn't surprise me a bit. I think we'll continue to see more and more of this, too. After all, this attack has several vectors. DNS server entries could be spoofed, redirecting people to fake sites. Web servers with security flaws could be compromised, and modified code loaded directly onto them. Or maybe, legitimate sites will unwittingly host infected ad banners down their pages, paid for by "advertisers" with motives other than really caring if you view the ad's visible content?
    • Re: (Score:3, Insightful)

      by d3ac0n ( 715594 )
      It makes you wonder what the next logical step after this one is, doesn't it?

      Personally, I suspect that we will start seeing DNS cache and Route poisoning attempts become much more commonplace. Particularly after the whole "YouTube gets 'knocked offline' because of an improper route broadcast by a piss-ant totalitarian country" issue we had in recent weeks.

      I would bet good money that there were criminals rubbing their hands together with glee over the idea of dumping MILLIONS of users to a malware server s
      • I think the next step should be; EVERYONE Install Linux or Buy a Mac. At once. Problem Temporarily solved and time that will be needed in order to implement the NEXT next logical step will be bought. Of course, the NEXT next logical step is to kill every last one of these bottom feeding scum suckers in the face.
  • by 3seas ( 184403 ) on Thursday March 13, 2008 @04:24PM (#22744016) Homepage Journal
    I discovered my site had a directory and just under 2500 pages added to it. The directory and file dates are January 9th 08 and every one of the html files has the same script code in it. My research turned up indication of two mass site hacks in January.

    A google search for threeseas.net/blogger/log/cache/ (cache being the directory that contained the files [past tense]) shows up about 4500 site pointing to one of the files in that directory. Some of the findings are even sourceforge sites and you can tell they have been hacked as well. In other words there are a lot of hacked sites besides mine.

    I notified google this morning and my host has already removed the files from my site as the owner and group were set that I couldn't do this myself.

    anyways rather that posting the code, a check sum would be better of the code starting with teh word "function" to the end of the code.
    • by element-o.p. ( 939033 ) on Thursday March 13, 2008 @05:05PM (#22744506) Homepage
      From TFA:

      Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches.


      Sounds like it would be rather difficult to get a checksum for you, sorry.
      • Actually , i think he meant a checksum for his site and all its content, not to end up one day with diff. pages online without knowing about it. Of course the checksum verificator could obvisously not be hosted on the same server....and it could send you an email if any content on your wesite has changed. I guess a reverse google cache of sorts...
  • Save us (Score:5, Funny)

    by DiscoLizard ( 925782 ) on Thursday March 13, 2008 @04:35PM (#22744200)

    McAfee Avert Labs described the assault as "one of the largest attacks to date of this kind".

    The attack serves as a reminder that even trusted websites can be malicious, McAfee warned.

    "Often you hear warnings about not going to untrusted sites," said Craig Schmugar, threat researcher at McAfee Avert Labs."That is good advice, but it is not enough."

    McAfee Avert Labs first spotted the attack on 12 March.



    I wonder who can sell us some sort of software to guide us out of this maze of evil webpages?

  • series of twisted, tangled, and altogether screwed up tubes
  • Then it would be like 911 times a thousand!

    That's right. 911,000!
  • Oh...wait.

    Nevermind.

    Good luck, lads.

  • Would someone please identify the person(s) who are trying to make 'meme' another buzzword?
    I would appreciate their email addy if you can manage that as well.
    I've had to put up with 'Absolutely' in the 90's and now 'meme' for the next decade, as well as iAddyourwordhere.... for just too long.
  • Hey,

    I've noticed through some search terms found on Google Trends that there are bunches of apparently fake "blogs" on blogspot. Here's an example:

    http://forniagill.blogspot.com/2008/03/what-time-is-it.html [blogspot.com]

    Clicking on the "what time is it scandal" "video" redirects toward a site Firefox flags for malware downloading (even though I'm on Linux -- thank you 'Fox :).

    There seem to be hundreds of these random malware blogs out there. Is this an old phenomenon? Thx.
    • by cswiger ( 63672 )
      Good find. That site tries to persuade you to run this "WebVideoSetup.exe" program, which is a Win32 GUI PE according to file, and a quick check of strings suggests it creates a remote shell and contacts IP 78.129.166.25. Virus scanners identify it as "DR/Delphi.Gen" or "Mal/Heuri-E, Mal/DelpDldr-E".

  • by Jane Q. Public ( 1010737 ) on Thursday March 13, 2008 @07:27PM (#22746268)
    If McAfee (and others) really wanted to solve this "problem", then they would have to do little more than TELL US what the domain name, IP address, etc. of the offending server was!

    If we knew that, we could reject any requests from there at the application OR server level, or even both.

    And when they move to a new server, same thing. Of course, it would be helpful to have signature(s) of the code as well, but let's STAMP OUT the immediate problem, then worry about potential problems.

    I know the "security" companies are commercial interests. But there are times when responsibility toward your community trumps making an enormous profit.
  • so, given I rarely if ever need to see Chinese servers, is there a list which I can use to generate a firewall access list and block all outbound access to Chinese servers?
  • ...do any of these exploits specifically target Linux? If not, then this is a nonevent for me.
    • If you checked out any of the above links, then you would see that it definitely affects linux hosts. From what i was able to glean, the problem stems from infected PC's that contain usernames and password info for their ftp account on a linux box From there a payload is delivered to the linux box that inserts a small httpd into the kernel and covers its tracks. So yes, its a linux rootkit, but only doable if the linux host is running ftpd (pro/pure?) as a means for letting remote users access the filesys

Let's organize this thing and take all the fun out of it.

Working...