back to article Mass compromise powers massive drive-by download attack

More than 10,000 web pages have been booby trapped with malware in one of the largest attacks of its kind to date. Compromised web pages include travel sites, government websites, and hobbyist sites that have been modified with JavaScript code that silently redirects visitors to a site in China under the control of hackers. …

COMMENTS

This topic is closed for new posts.
  1. Andy Turner

    FFS

    Malware is fast overtaking spam as an absolute pain in the arse. People should be shot for this kind of thing.

  2. Rob
    Go

    @ Andy Turner

    "Malware is fast overtaking spam as an absolute pain in the arse. People should be shot for this kind of thing."

    If it's any consolation, in China there's a good chance that they will be. ISTR that the usual protocol involves sending their families a bill for the bullet...

  3. Del Merritt
    Linux

    Play the shame game

    So where's the list of sites affected? All that is spread is FUD if you don't make clear who/what to avoid.

    If a truly "major" site was infected, it's important for its visitors to know.

    Of course, all of the references at McAfee's Avert Labs appear to point to ActiveX - not a problem for this Linux fanboy - but unfortunately I have friends and relatives using Winblows, and if there's a reasonable chance that one of these 10,000 sites is on their list of regulars, I'd like to forewarn them appropriately.

  4. Hugh Fiske
    Paris Hilton

    Spam = Malware = Spam

    They're inextricably linked and often come from the same gangs. Firefox + Noscript should prevent most malware redirection attempts, we need to spread the word.

    Paris? Already being spread.

  5. Robbie
    Paris Hilton

    Trusted websites?? didnt know they excisted.

    again they target "Trusted" websites.. maybe people should stop using the term "trusted website" and use something like "seems to work so far"

    Paris because even she knowns beter.

  6. Trygve Henriksen

    Shooting bastards...

    Yes, we should start shooting malware creators and other low-life.

    And we should start by shooting those who run 'bulletproof hosting' services. They're the easiest of the low-life to be found)

    Without those servers, it would be very difficult for Pill-peddlers and other low-life to set up shop, and without shops, why bother to send out SPAM?

    The same goes for Malware. Many of them also need a 'discreet' hosting service. And if they can't get hosting for their files...

    There's also the 'Dynamic DNS' services.

    This is sometimes used to poing idiots(those who read spam) to 'shops' hosted on compromised servers or PCs.

    These services are really meant for 'low volume' usage(someone accessing his PC from the office, a 'home-brewed' game server or that sort), so it should be possible for them to 'switch off' the translation of a particular server name if the activity suddenly peaks...

    Why don't they?

  7. Andy Enderby

    An unfortunate new trend

    There seems to be a trend of attacking web communities developing right now. I traced the miscreants responsible for an attack on two communities I deal with as a punter back to sites allied to the RBN (Russian Business Network), and am of the opinion that this is far from unique. After all, the returns are potentially far higher - the perps know the central themes in the community fora and can target scams more accurately. More return, less work.

    Trusted Websites ? That's an oxymoron isn't it ? In the case above though, I was one of the few that got away without getting compromised.

  8. ImaGnuber
    Dead Vulture

    RE: Play the shame game

    "So where's the list of sites affected? All that is spread is FUD if you don't make clear who/what to avoid."

    Exactly. Warnings without names are pointless noise. Please don't waste our time.

  9. Anonymous Coward
    Linux

    Linux? Maybe, maybe not

    As a "Linux Fanboi", I'd have to say that currently Linux users have some protection from this---but although I believe *nix is generally more secure, if it had anywhere near the popularity that Windows has with end-users, I'm sure there would be many more exploits. Right now its comparative rarity and the lack of total interoperability between different flavors of Linux makes it more secure.

    For everyone, I'd personally recommend Firefox and a script blocker like "NoScript" IE's headed in the right direction, but the annoying and worthless popups that you have to click through to get anything to work causes them to undermine their own usefulness---after a while, people will blindly just 'click it' when IE "cries wolf", or lower their security settings out of annoyance when they get a bland and uninformative warning every time they try to do something.

    I recently installed the beta of XP SP3 on one of my Windows boxes, and the generic warning to the effect of: "this contains a potential security risk" when doing something as innocuous as copying files across the network is useless and maddening...

  10. Biton Walstra
    Alert

    China Domain?

    And where is the pointing China Domain?

    If we got this info we can block out going traffic to it...

  11. Anonymous Coward
    Coat

    Surely Phorm

    Would have protected us. With this wonderful antiphishing service of theirs.

  12. Morely Dotes
    Heart

    A Modest Proposal

    OK, *another* Modest Proposal:

    Both US and UK Special Operations teams need lots of training in order to stay sharp for real warfare.

    I suggest those teams be assigned to identify all members of the RBN, hunt them down, and capture, or if capture is not practical, kill them.

    And I really am serious. Wipe out the RBN and you'll eliminate a huge volume of spam, and make it possible for Joe Sixpack to pay his mortgage (because he didn't stupidly get fleeced by an RBN spammer).

    Once the RBN is down, move on to the next-largest spam/malware gang. Lather, rinse, repeat.

    The heart icon, because that's what I want: The warm, still-beating hearts of the RBN members ripped from their chests on live Webcam.

  13. John Rotomano
    Linux

    Only IE seems to be affected.

    From original report by McAfee Avert Labs, it seems that only users running Internet Explorer wold be affected, since the exploits us Active Xcontrols that are not implemented in Mozzilla browsers. The attack involves injection of script into valid web page to include a reference to a malicious .JS file which loads an HTML file that attempts to exploit vulnerabilities such as:

    * MS06-014

    * RealPlayer (ActiveX Control)

    * Baofeng Storm (ActiveX Control)

    * Xunlei Thunder DapPlayer (ActiveX Control)

    * Ourgame GLWorld GlobalLink Chat (ActiveX Control).

    So you should be safe if you use any non-microsoft browser (like Firefox, or any mozzilla browser).

  14. vincent himpe

    firfox + noscript ...

    SImply run Opera. Problem solved.

  15. Olivier
    Black Helicopters

    And the servers?

    The "vulnerable" servers are likely to be ( again ) LAMP servers. If this could make the penguins shut up a bit.. The last infection of this kind was based on a linux kernel rootkit ..

  16. Anonymous Coward
    Pirate

    Double hit for Microsoft

    Not only are the exploits used to infect users all in IE but all the infected sites are using ASP. So both their client and server software is vulnerable ... terrific.

    I'm surprised Microsoft doesn't just move into the malware and virus business full time! They are missing out, everyone is exploiting the potential to make money from their software and they aren't taking their cut?

  17. Steve Roper
    Go

    To all calling for death to the scum

    I'm very pleased to see my recent campaigns to institute public execution of these filth seem to be gaining support! My preferred method is mass public hanging; it's more spectacular and dramatic than shooting. :D So, all together now... 1... 2... 3...

    Ch-klick... HOCK! OOOORRRRAAAAAYYYYYYY!!

  18. Anonymous Coward
    Thumb Down

    Why do ISP not just block this server

    End Done Fin

  19. Tony W
    Unhappy

    Is Noscript really a panacea?

    So many sites rely on scripts that I have scripting allowed on many of the sites I visit. Then if the evil script is hosted by the site I am visiting, Noscript won't help.

  20. Dr Patrick J R Harkin

    We shouldn't use the phrase "Trusted site"

    If your PC is connected to the Real Internet (as opposed to the Happy La La Internet some people seem to think is out there) it should be hardened against malware so that if you ever click on an inappropriate link in Google you don't get hosed. You can't reliably avoid "untrusted sites"; you need to be prepared for the day you accidentally end up on one.

    If you need me, I'll be in the basement, stockpiling canned food and dried goods.

  21. Giorgio Maone
    Happy

    Yes, NoScript is effective in this case too

    @Tony W:

    in all these attacks the malicious scripts, even if embedded in "trusted" pages, are actually loaded from sites you're very unlikely to have ever heard of, hosted in obscure Chinese servers.

    When you allow the "trusted" page to execute JavaScript, NoScript still prevents 3rd party scripts from loading unless you explicitly allow them too one site by one: hence yes, NoScript is an effective protection in this case as well.

This topic is closed for new posts.