CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Mass Web Attacks’ Category

Adobe Flash Player SWF File Zero-Day Remote Code Execution Vulnerability

Tuesday, May 27th, 2008

Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

According to Symantec, this issue is being actively exploited in the wild, and the DeepSight ThreatCon has therefore been raised to Level 2. The flaw occurs when processing a malicious SWF file. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Further analysis of these attacks, specifically the woai117.cn attack, uncovered another involved domain, dota11.cn.

Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. A wide variety of legitimate third-party sites appear to be affected; the injected code redirects users to sites hosting malicious Flash files that exploit this issue. According to ZDNet, this zero-day flaw has already been added to the Chinese version of the MPack exploit kit.

Currently there are no vendor-supplied patches. Users are strongly advised to disable Flash until patches are available, to avoid browsing untrustworthy sites, and to deploy script-blocking mechanisms such as NoScript for Firefox.

Update (May 29): The malicious SWF file found in the wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version, 9.0.124.0.

According to Symantec, this issue was initially believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player version 9.0.124.0 isn’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.

Official statement by Adobe.

Users are advised to ensure that Flash is updated to version 9.0.124.0.

Email, Bookmark or Share:
  • E-mail this story to a friend!
  • Digg
  • del.icio.us
  • StumbleUpon
  • Reddit
  • Technorati
  • Slashdot
  • Propeller
  • Google
  • Live
  • YahooMyWeb
  • Facebook
  • LinkedIn

More Websites Are Compromised, This Time Avoiding Chinese Websites And Users

Wednesday, May 21st, 2008

Two days ago there was a report about Chinese and Chinese-language websites compromised and SQL-injected in order to infect visitors with malware. According to net security firm ScanSafe, the most recent rounds of SQL injection attacks mostly target English-language sites on .com domains, some of them hosted in China.

This time the attack purposefully avoids Chinese government sites. The latest attacks inject an iFrame onto compromised sites that loads malicious scripts from qiqigm.com, a domain registered on 16 May. These scripts include the text “silent love china” in an apparent greeting to other Chinese hackers. The malicious code exploits popular RealPlayer and Internet Explorer vulnerabilities to install a password-stealing Trojan that hides its presence on Windows PCs.

More than 7,000 sites have been compromised in this way so far. Among the compromised websites are a Hong Kong stock brokerage (kgieworld.com) and a Kodak camera review site (digitalcamerareview.com). There are also the sites of the Israel Humanitarian Foundation, the London-based Child Rights Information Network, the UK’s West Midlands Local Government Association, and the AsiaObserver news portal. All these sites redirect to other domains and lead to the download and execution of http://******gol.com/xx.exe, which is detected as BKDR_HUPIGON.CFV by Trend Micro.


Current List Of Malicious Domains Inserted Through SQL Injection

Tuesday, May 20th, 2008

SQL injection vulnerabilities are widely exploited in various websites and used to insert malicious references that redirect users and infect their PCs. Since more and more of these attacks are reported almost daily, a list of domains used in past and recent mass SQL injections can be very useful for site owners and users who are trying to research or avoid infections.

Mike Johnson from Shadowserver has published a list that is focused on mass SQL injection attacks and can be used alongside other generic malware lists from www.malwaredomainlist.com or malwaredomains.com. There is no foolproof method to identify whether a website or its database has been infected with malicious code. One way of checking is to search for the specific malicious domains hosting the JavaScript that the references added by mass-infection tools point to.

Here is the list from Shadowserver, updated for September 17:

www.nihaorr1.com
free.hostpinoy.info
xprmn4u.info
www.nmidahena.com
%6b%6b%36%2e%75%73 (kk6.us)
%73%61%79%38%2E%75%73 (s.see9.us)
winzipices.cn
%66%75%63%6B%75%75%2E%75%73 (fuckuu.us)
www.killpp.cn
sb.5252.ws
www.aspder.com
www.11910.net
bbs.jueduizuan.com
www.bluell.cn
www.2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
www.414151.com
www.hiwowpp.cn
cc.18dd.net
yl18.net
www.kisswow.com.cn
urkb.net
c.uc8010.com
www.loveqianlai.cn
rnmb.net
www.ririwow.cn
jjmaoduo.3322.org
www.killwow1.cn
www.xiaobaishan.net
www.qiqigm.com
www.wowgm1.cn
www.98hs.ru
mo98g.cn
www.wowyeye.cn
9i5t.cn
c11.8866.org
computershello.cn
www.tlcn.net
www3.800mg.cn
chanm.cn
www.z008.net
abc.verynx.cn
b15.3322.org
www.qiqicc.cn
www.direct84.com
www.heihei117.cn
www.caocaowow.cn
1.verynx.cn
www.qiuxuegm.com
www.wowofmusiopl.com.cn
www.locale48.com
firestnamestea.cn
www.j8j8hei.cn
%61%2E%6B%61%34%37%2E%75%73 (a.ka47.us)
fami4ka.net
www.westpacsecuresite.com
www.supbnr.com
www.redir94.com
www.rexec39.com
%61%31%38%38%2E%77%73 (a188.ws)
www.en-us18.com
www.hitlistesi.com
www0.douhunqn.cn
www.cdport.eu
ck1.in
www.ncb2.ru
www.ujnc.ru
www.adjuncnet.com
www.rundll92.com
www.dbgbron.com
www.sysid72.com
i8jdd.cn
n.uc8010.com
www.libid53.com
www.qiqi111.cn
heartgames.cn
www.logid83.com
www.update34.com
www.bsko.ru
www.datajto.com
www.browsad.com
jjmaobuduo.3322.org
www.adw95.com
tjwh202.162.ns98.cn
www.jetadwor.com
www.aladbnr.com
www.kj5s.ru
www.bnrbasead.com
www.cookieadw.com
www.asslad.com
www.bannerupd.com
nb88.cn
www.clrbbd.com
www.appdad.com
www.bigadnet.com
1.cool0.biz
www.updatebnr.com
flyzhu.9966.org
www.sslnet72.com
www.advertbnr.com
www.script46.com
www.apidad.com
www.loctenv.com
www.fengnima.cn
www.tag58.com
www.banner82.com
www.gitporg.com
smeisp.cn
a814.cn
www.bnradd.mobi
www.brsadd.com
jjmaoduo2.3322.org
www.bosf.ru
hoursebuilds.cn
www.bywd.ru
www.qqcc123.cn
www.hyperadw.com
www.adsitelo.com
www.njep.ru
okey123.cn
www.worldofwarcrokft.com
d.388b.cn
www.adbtch.com
b.kaobt.cn
www.cb3f.ru
www.getadw.com
www.nihao112.com
al.99.vc
www.aidushu.net
www.porv.ru
a.13175.com
www.chliyi.com
free.edivid.info
52-o.cn
www.fucksb.net
www60.actualization.cn
d39.6600.org
www.mainadt.com
www.qq117cc.cn
www.asodbr.com
www.b4so.ru
www.oics.ru
h28.8800.org
l61.3322.org
www.armsart.com
001yl.com
ucmal.com
t.uc8010.com
www.nudk.ru
shygddc.cn
yrwap.cn
www.bjxt.ru
www.ncbw.ru
www2.1000ylc.cn
www.dota11.cn
www.pingbnr.com
www.portadrd.com
www.bnrbtch.com
www.blockkd.com
www.allocbn.mobi
www.o1o2qq.cn
www.bnrcompro.com
y66.us
m11.3322.org
bc0.cn
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D (3.trojan8.com)
www.ojns.ru
www.blcadw.com
www.clsidw.com
www.adword71.com
killpp.cn
www.bnradw.com
www.ibse.ru
cmiia.com
www.sslput4.com
www.exe94.com
www.adwadb.mobi
www.8hcs.ru
www.bnrcntrl.com
w11.6600.org
usuc.us
www.hlpadw.com
www.bgsr.ru
www.uhwc.ru
www.jumpbnr.com
www.advabnr.com
www.siteid38.com
www.msshamof.com
www.refer68.com
www.google9.info
www.okcd.ru
www.nbh3.ru
www.bluexzz.cn
xunlei.verynx.cn
www.wowgm2.cn
mm.jsjwh.com.cn
newasp.com.cn
www.gty5.ru
www.gty5.ru
www.nwj4.ru
www.catdbw.mobi
www.app52.com
www.asp707.com
%6D%31%31%2E%33%33%32%32%2E%6F%72%67 (m11.3322.org)
chat27.by.ru
www.nudk.ru
www.updatead.com
www.win496.com
usuc.us
www.adwsupp.com
www.juc8.ru
www.cnld.ru
www.jkn3.ru
www.brcporb.ru
www.view89.com
17ge.cn
www.err68.com
ww.xnibi.com
www.upgradead.com
www.adword72.com
kk6.us
www.clickbnr.com
www.117275.cn
c23.2288.org
sysid72.com
www.encode72.com
www.exec51.com
www.pingadw.com
www.lksr.ru
zirvehit.com
www.locm.ru
vb008.cn
www.wow112.cn
www.nihaoel3.com
p060523.info
o7n9.cn
www.rundll841.com
www.jetdbs.com
www.dbdomaine.com
www.domaincld.com
www.clsiduser.com
www.heiheinn.cn
www.coldwop.com
www.alzhead.com
www.chinabnr.com
www.adwbnr.com
www.chkbnr.com
www.chkadw.com
www.apps84.com
www.appid37.com
www.aspssl63.com
www.aspx49.com
www.base48.com
www.batch29.com
www.bin963.com
www.bios47.com
www.hlpgetw.com
www.getbwd.com
www.dbupdr.com
www.lang34.com
www.cid26.com
www.rid34.com
www.tid62.com
www.dl251.com
www.st212.com
www.adwste.mobi
www.bnrupdate.mobi
www.adupd.mobi
www.hdadwcd.com
www.kadport.com
www.suppadw.com
www.web923.com
www.csl24.com
www.get49.net
www.pid72.com
www.pid76.net
www.maigol.cn
www.cntrl62.com
www.config73.com
www.default37.com
www.debug73.com
www.canclvr.com
www.ktrcom.com
www.lokriet.com
www.mainbvd.com
www.portwbr.com
www.stiwdd.com
www.testwvr.com
www.ucomddv.com
www.upcomd.com
www.ausadd.com
www.ausbnr.com
www.crtbond.com
www.destbnp.com
www.gbradp.com
www.gbradw.com
www.usaadp.com
www.usaadw.com
www.usabnr.com
www.adwnetw.com
www.bnsdrv.com
www.butdrv.com
www.cdrpoex.com
www.cliprts.com
www.drvadw.com
www.hdrcom.com
www.loopadd.com
www.movaddw.com
www.nopcls.com
www.pyttco.com
www.tctcow.com
www.bkpadd.mobi
www.destad.mobi
www.porttw.mobi
www.tertad.mobi
www.addrl.com
www.adpzo.com
www.gbradde.tk
www.btoperc.ru
www.grtsel.ru
www.korfd.ru
www.rcdplc.ru
www.adwr.ru
www.bnrc.ru
www.iogp.ru
www.lodse.ru
www.rrcs.ru
www.sdkj.ru
www.sslwer.ru
www.vcre.ru
www.adwbn.ru
www.4cnw.ru
www.90mc.ru
www.d5sg.ru
www.gb53.ru
www.h23f.ru
www.jex5.ru
www.jvke.ru
www.keec.ru
www.keje.ru
www.lkc2.ru
www.5kc3.ru
www.kc43.ru
www.ecx2.ru
www.4vrs.ru
www.9jsr.ru
www.bts5.ru
www.cgt4.ru
www.chds.ru
www.cvsr.ru
www.kgj3.ru
www.jve4.ru
www.ch35.ru
www.kjwd.ru
www.ncwc.ru
www.kodj.ru
www.iroe.ru
www.kpo3.ru
www.nemr.ru
www.bce8.ru
www.pfd2.ru
www.nmr43.ru
www.kr92.ru
www.po4c.ru
www.b4so.ru
www.bjxt.ru
www.bnsr.ru
www.bosf.ru
www.bsko.ru
www.kj5s.ru
www.ncb2.ru
www.njep.ru
www.oics.ru
www.bnsr.ru
www.ba1do.com
sdo.1000mg.cn
cv34.co.uk
db23.co.uk
www.3njx.ru
www.bcus2.ru
www.beyry.ru
www.iopc4.ru
www.iopoe.ru
www.jetp6.ru
www.loopk.ru
www.netr2.ru
www.nucop.ru
www.port04.ru
www.ueur3.ru
www.vj64.ru
www.2b24.ru
www.cg33.ru
www.cv2e.ru
www.cv32.ru
www.mc2n.ru
www.mj5f.ru
www.oc32.ru
www.vswc.ru
www.jic2.ru
www.19ssl.net
www.24aspx.com
www.64do.com
www.aspx46.com
www.22net.ru
www.4net9.ru
www.51com.ru
www.64asp.ru
www.92prt.ru
www.acr34.ru
www.asl39.ru
www.fst9.ru
www.net83.ru
www.sel92.ru
www.mnbenio.ru
www.mnicbre.ru
www.pkseio.ru
www.vtg43.ru

Do not visit those sites, they might infect your system.

Another method, based on Google, can check whether your domain has been compromised and malicious JavaScript references have been inserted into your website pages: simply search for any of the domains in the list, adding Google’s “site:” operator to restrict the search to your own domain.
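A local check that does not depend on Google, added here as an example and not code from the original post or from Shadowserver: the Python below loads entries written in the format of the list above (decoding the percent-encoded ones itself rather than trusting the hint in parentheses), then scans saved page HTML or dumps of database text columns for script, iframe or similar references whose host is on the list. The blocklist subset and the sample page are constructed for the example.

```python
"""Scan a page's HTML for references to domains on a mass-SQL-injection
blocklist. Added example; not from the original post or from Shadowserver."""
import html
import re
from urllib.parse import urlparse, unquote

# Constructed subset of the list quoted above; entries are copied in the form
# the list uses, including the percent-encoded ones with their decoded hint.
BLOCKLIST_RAW = [
    "www.nihaorr1.com",
    "winzipices.cn",
    "%6b%6b%36%2e%75%73 (kk6.us)",
    "%6D%31%31%2E%33%33%32%32%2E%6F%72%67 (m11.3322.org)",
    "www.direct84.com",
    "www.adword71.com",
]

# Attribute values that can pull remote content. Injected tags often carry an
# unquoted value, so the pattern accepts bare, single- and double-quoted forms.
_REF_RE = re.compile(
    r"""\b(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""",
    re.IGNORECASE,
)


def normalize_host(entry: str) -> str:
    """Reduce one blocklist entry to a bare lower-case hostname.

    Percent-encoded entries are decoded (the "(decoded)" hint after them is
    ignored), a leading "www." is dropped so that "www.killpp.cn" and
    "killpp.cn" compare equal, and a trailing dot is removed.
    """
    token = entry.strip().split()[0]
    host = unquote(token).lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_blocklist(entries) -> set:
    return {normalize_host(e) for e in entries if e.strip()}


def host_of(ref: str):
    """Hostname of a reference after percent-decoding, or None if relative."""
    decoded = unquote(ref.strip())
    if decoded.startswith("//"):
        decoded = "http:" + decoded
    host = (urlparse(decoded).hostname or "").lower().rstrip(".")
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def is_listed(host: str, blocklist: set) -> bool:
    """True when host equals a listed domain or is a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def find_injected_refs(page_html: str, blocklist: set):
    """Return [(reference, matched_host), ...] for every src/href/data value
    whose host is on the blocklist.

    The page text is HTML-unescaped first: an injected tag that landed in a
    text column is often rendered back as &lt;script src=...&gt;, and matching
    on the unescaped text catches both the live tag and the escaped copy.
    """
    text = html.unescape(page_html)
    hits = []
    for m in _REF_RE.finditer(text):
        ref = next(g for g in m.groups() if g is not None)
        host = host_of(ref)
        if host and is_listed(host, blocklist) and (ref, host) not in hits:
            hits.append((ref, host))
    return hits


# Constructed page: a normal site script, a normal CDN image, and two injected
# references, one of them percent-encoded the way the list entries are.
SAMPLE_HTML = """<html><body>
<h1>Product news</h1>
<script src="/js/site.js"></script>
<img src="http://cdn.example.com/logo.png">
<script src=http://www.nihaorr1.com/1.js></script>
<p>&lt;iframe src="http://%6b%6b%36%2e%75%73/s.js" width=0 height=0&gt;</p>
</body></html>"""

if __name__ == "__main__":
    for ref, host in find_injected_refs(SAMPLE_HTML, load_blocklist(BLOCKLIST_RAW)):
        print(f"INJECTED REFERENCE -> {host}: {ref}")
```

Feed it the HTML of pages as rendered, or raw dumps of text columns: the unescape step is what catches an injected tag that the application now renders as escaped text. Decoding the list entries yourself matters as well; the encoded entry annotated as s.see9.us above actually decodes to say8.us, so a matcher that trusts the annotation would miss it.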

If you know about any other similar resource, or additional domains used to spread malicious code used in SQL injection attacks, please send it to us or post it in comments.



Above 300,000 More Websites Compromised Targeting Chinese Users

Monday, May 19th, 2008

The series of mass compromises continues: according to Trend Micro, just a week after half a million websites were compromised, another mass web SQL injection has hit more Chinese-language websites. This malicious activity deliberately targets users from China, Taiwan, Singapore, and Hong Kong. Currently Google search results show around 300,000 pages that contain the malicious JavaScript code, among them, as usual, many government and educational sites.

Screenshot from Google (do not visit those sites):

Users visiting any of the compromised sites would have a malicious script installed on their system. The script, detected as JS_IFRAME.AC, may be downloaded from the remote site http://s.****.us/s.js.

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to insert further scripts into web pages. The following exploit routines are performed by JS_IFRAME.AD:

1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow (Chinese-language software)
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer (Chinese-language software)

These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:

http://********.cn/real11.htm - detected as JS_REALPLAY.AT
http://********.cn/real.htm - detected as JS_REALPLAY.CE
http://********.cn/lz.htm - detected as JS_DLOADER.AP
http://********.cn/bfyy.htm - detected as JS_DLOADER.GXS
http://********.cn/14.htm - detected as JS_DLOADER.UOW

Additional detected scripts downloaded by JS_IFRAME.AD are VBS_PSYME.CSZ, JS_VEEMYFULL.AA, JS_LIANZONG.E, JS_SENGLOT.D.

These four malware samples, in turn, download and execute http://******.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.

The research was conducted by Senior Threat Analyst Aries Hsieh and a team of researchers from Trend Micro, and consolidates findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.

Trend Micro is trying to reach Taiwan CERT to inform them of this mass compromise.


Phishing Botnet Expands By SQL Injecting Websites Found In Google

Wednesday, May 14th, 2008

The Asprox botnet, which specializes in sending phishing spam, is now using a SQL injection attack tool designed to hack legitimate websites, a move meant to add more hijacked PCs to its collection. According to SecureWorks, the botnet is pushing an update to the infected PCs it controls by sending an executable file, msscntr32.exe, that installs as a Windows service called “Microsoft Security Center Extension”. In reality, the file is an SQL injection attack tool.

After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google’s search engine to find potentially vulnerable website pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site. Visitors are redirected through a series of malware-hosting servers that try one or more exploits to infect their PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.

So far, Asprox zombies have infected only about 1,000 pages, which carry JavaScript pointing to sites including direct84.com and adword71.com. In addition to silently feeding end users Asprox malware, the poisoned pages also push malware for a competing botnet known as Cutwail. The sites also try to install WinFixer, a notorious software title that falsely tells users they are infected by malware in an attempt to trick them into buying bogus anti-malware products.

Security vendors, including F-Secure Corp. and Symantec Corp., have also uncovered evidence of new waves of SQL-injection attacks. Those firms have been pinning responsibility on Chinese hackers who are compromising legitimate sites to spread malware to steal game passwords.

SQL injection attacks have become widespread as criminals increasingly target legitimate websites, figure out a way to hack them, then plant IFRAMEs on those sites to redirect users to malicious servers. Those servers silently attack visitors’ PCs, often trying multiple exploits, and if one works, they download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems.

Some analysts have mistakenly concluded that the SQL injection tool is using worm-like tactics. According to SecureWorks, the tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts.


Half-Million Sites Mostly Running PHPBB Forum Software Hacked In Latest Attack

Monday, May 12th, 2008

More than half a million websites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users’ PCs with a variety of trojans. This ongoing campaign includes new malware-hosting domains and new trojan variants. All of the sites are running older or misconfigured versions of “phpBB,” an open-source message forum manager. Popular open-source applications like phpBB are often targeted by mass scanning and exploitation tools.

Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached; that server then pings the PC for any one of several vulnerabilities, including bugs in both Microsoft’s Internet Explorer and RealNetworks RealPlayer media player. If any of the vulnerabilities is present, the PC is exploited and malware is downloaded to it.

Some of the compromised sites have been hijacked before, some had recently been used for keyword search ranking manipulation, and some to serve fake pharmaceuticals spam or malware.

This compromise is very similar to the mass compromises we’ve reported earlier. Visiting a compromised site leads to a series of redirections, which eventually causes the download of malware. In this case, TROJ_ZLOB.CCW is at the tail end. This variant poses as a video codec installer.

The Trojans detected are TROJ_DNSCHANG.CS, TROJ_ALUREON.AE, TROJ_ALUREON.AH and TROJ_ALUREON.AI. These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable to even more potential threats. It also seems that more than one piece of malware is being served.

The last massive site attack was less than three weeks ago, when sites that included government URLs in the U.K. and some domains operated by the United Nations were hacked. At the time, some researchers said that bugs in Microsoft’s SQL Server or Internet Information Services server software were to blame. A few days later, however, Microsoft denied responsibility.

According to Trend Micro, site infections will not stop anytime soon. As long as attacks are tied to site development and as long as sites don’t secure their content, there will be more attacks of this kind.

Users are advised to display extra caution when browsing Web sites, and ensure their security software is up to date.


Another SQL Injection Worm Making Rounds With 4000 Websites Infected

Wednesday, May 7th, 2008

Another SQL injection worm is on the loose, with about 4,000 websites infected since mid-April or a bit earlier. Right now it is unclear how the attackers access the databases, but what they are doing is inserting scripts and IFRAMEs to take over and redirect visitors to PC-infecting websites. User machines are infected through RealPlayer vulnerabilities that are already patched and detected by antivirus products.

The script source injected into web pages is winzipices.cn/1.js (or 2.js, 3.js, 4.js, 5.js). This, in turn, points to a corresponding .asp page at the same address, which in turn points back to exploits from cnzz.com or 51.la. The cnzz.com (s141.cnzz.com) domain looks like it could be set up for single flux, but right now it resolves to the same pool of IP addresses all the time. www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.

According to researchers from ShadowServer, visiting a website injected with winzipices.cn 1.js, 2.js, 3.js, 4.js, or 5.js results in the following set of requests:

a direct link to the malicious binary at hxxp://61.188.38.158/images/test.exe
an older RealPlayer exploit in ierpplug.dll
a recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
a recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93 (only for IE7 users)

It would appear that successful exploit attempts result in a file called “test.exe” being downloaded from 61.188.38.158. This just so happens to be the name of the file that was used in the recent attacks involving “nihaorr1.com”. However, these are very different binaries.

The malware installed is a password stealer that grabs credentials from systems running Internet Explorer. The binary downloaded by this attack appears to be part of a kit from a Chinese malware family. The first thing this malware does once installed is download a configuration file, which contains several commands and tells the system what to do next.

The malware is downloaded from http://61.188.38.158/images/test.exe and then once installed makes the following requests back to winzipices.cn:

hxxp://winzipices.cn/config.txt - GET request for the configuration file
hxxp://winzipices.cn/1.exe - GET requests for a binary to download and execute
hxxp://winzipices.cn/tong/post.asp?anyehorse=COMPUTER_NAME - GET request to report in the system name

The file 1.exe that is then installed from this trojan makes continuous outbound requests to 61.134.37.15 on port 1800.

Malware Binaries:

File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe) File Size: 28301 bytes

File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe) File Size: 38400 bytes

Blocking access to the malicious domains and sites is recommended. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. The malicious sites/IP addresses involved in this attack:

winzipices.cn [60.191.239.229]
61.188.38.158
61.134.37.15

Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It’s also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names.

Some attacks are also connected to the SQL worm from bbs.jueduizuan.com.

Users are advised not to visit the links and URLs mentioned above to avoid possible infection.


Educational And Military Networks Under Botnet attacks

Monday, May 5th, 2008

Security researchers from BitDefender have recently discovered a complex spamming scheme that hijacks PCs in order to attempt to send junk mail via university and military systems. Researchers said the scheme, based on a backdoor called Edunet, was one of the most complicated they’ve come across.

The interesting thing about Edunet is that the targeted mail servers are mostly in the .edu (educational) and .mil (military) domains. On these servers the botnet looks for open relays, a type of misconfiguration often used by spammers to disguise the real origin of junk mail. While the list of targets has remained fixed, the botnet takes its commands from a list of servers that is constantly changing, making it difficult to pin down where the commands are coming from.

The scam starts with junk emails that offer links to videos. When a user clicks on the link he is prompted to download a “media player” - something that should in itself ring alarm bells, since most videos currently use players embedded in a web page or in the operating system itself. The “media player” download is in fact the Edunet backdoor, which creates a botnet used to attempt to send spam via a list of mail servers.

So far, the scheme doesn’t seem to have been very effective, since none of the targeted servers actually host open relays.


Department of Homeland Security Website Hacked During Mass Web Attacks

Friday, April 25th, 2008

The mass infection that’s injecting attack code into hundreds of thousands of reputable web pages has infiltrated the website of the Department of Homeland Security.

This latest attack is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches showed almost 560,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the Department of Homeland Security, which is responsible for protecting US infrastructure against cyber attacks, wasn’t immune. Other hacked sites include those belonging to the United Nations and the UK Civil Service.

The attack causes infected sites to redirect visitors to destinations that attempt to install malware on vulnerable machines. At time of writing, the malicious payloads attacked vulnerabilities that already have been patched. And in any case all three of the redirection sites were down, possibly because they were unable to handle the demand. But should the attackers get their hands on a newer exploit - say, one targeting a zero-day vulnerability in QuickTime - it would be relatively easy for them to swap out the payload.

One reason the infection has spread so widely is that the attackers have managed to find a single attack string that seems to work on tens of thousands of different sites. The script is also notable for its ability to slip past web application defenses: the SQL query is mostly made up of hex code, allowing it to obscure itself, at least from applications that use Microsoft SQL Server. MySQL and PostgreSQL are less easily fooled, according to researcher Ronald van den Heetkamp.

Sites are getting hacked because they fail to sanitize user-supplied data. So far the Department of Homeland Security has not commented on this issue.
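The obfuscation described above, a query arriving as one long hex literal that a pattern-matching defense never reads, is easiest to handle by decoding before matching. The following Python is an added example, not code from the article or from any vendor named in it: it URL-decodes each logged request, finds T-SQL-style 0x literals of at least eight bytes (an assumed threshold), decodes them both as 8-bit and as UTF-16LE text, and flags decoded text that contains SQL keywords or HTML tags. The log lines and the decoded payload are constructed for the example and are not the attack string from the article.

```python
"""Decode hex-obfuscated SQL in logged web requests before matching on it.
Added example; not code from the article or from any vendor it cites."""
import re
from urllib.parse import unquote

# A T-SQL hex literal: 0x followed by an even run of hex digits. Eight bytes
# is an assumed minimum; shorter literals are common in legitimate requests.
_HEX_LITERAL_RE = re.compile(r"0x((?:[0-9a-fA-F]{2}){8,})")

# Decoded content that a query-string parameter has no legitimate reason to
# carry: markup, or statements that modify data or run dynamic SQL.
_SUSPICIOUS_RE = re.compile(
    r"<script|<iframe|\b(?:update|insert|delete|exec|declare|cursor|"
    r"sysobjects|syscolumns)\b",
    re.IGNORECASE,
)


def decode_hex_literal(hexdigits: str) -> str:
    """Decode a literal as CAST(0x... AS VARCHAR) would, one byte per char.

    An NVARCHAR literal is UTF-16LE, which for ASCII text shows up as every
    second byte being NUL; those literals are read from their low bytes.
    """
    raw = bytes.fromhex(hexdigits)
    if len(raw) >= 4 and raw[1] == 0 and raw[3] == 0:
        raw = raw[::2]
    return raw.decode("latin-1")


def analyze_request(request_line: str) -> dict:
    """Decode every hex literal in one logged request and report whether any
    of them decodes to something that looks like injected SQL or HTML."""
    decoded_url = unquote(request_line)  # literals sit inside the query string
    literals = [decode_hex_literal(h) for h in _HEX_LITERAL_RE.findall(decoded_url)]
    return {
        "request": request_line,
        "decoded": literals,
        "suspicious": any(_SUSPICIOUS_RE.search(s) for s in literals),
    }


def scan_log(lines) -> list:
    """Return the analysis records of requests carrying a suspicious literal."""
    return [r for r in map(analyze_request, lines) if r["suspicious"]]


# Constructed payload and log lines (W3C-style fields: date time method
# uri-stem uri-query status). This is NOT the attack string from the article.
INJECTED_SQL = ("UPDATE demo SET body=body+"
                "'<script src=http://example.invalid/x.js></script>'")
SAMPLE_LOG = [
    "2008-04-25 10:11:12 GET /news.asp id=12 200",
    # 8-bit (VARCHAR) hex literal hiding the constructed statement
    "2008-04-25 10:11:13 GET /news.asp id=12;EXEC(CAST(0x"
    + INJECTED_SQL.encode("ascii").hex() + "%20AS%20VARCHAR(4000)));-- 200",
    # a benign long hex value such as a binary row key must not be flagged
    "2008-04-25 10:11:14 GET /img.asp key=0x" + "0f3a9b7c" * 4 + " 200",
    # UTF-16LE (NVARCHAR) hex literal carrying the same text
    "2008-04-25 10:11:15 GET /news.asp id=12;EXEC(CAST(0x"
    + INJECTED_SQL.encode("utf-16-le").hex() + "%20AS%20NVARCHAR(4000)));-- 200",
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["request"])
        for text in rec["decoded"]:
            print("   decodes to:", text)
```

Decoding rather than denylisting is the point: the visible request shows only a CAST and a run of hex, while the decoded literal is what the database executed. Matching on long hex runs alone is not enough either, since binary keys and hashes legitimately travel as 0x literals (the third sample line). The durable fix for the root cause named above is parameterized queries, so that request data is never concatenated into SQL text in the first place.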

Do not visit the infected websites addresses presented in this article or Google search results.


Thousands Of Sites Infected In Renewed SQL Injection Attacks

Thursday, April 24th, 2008

Large numbers of legitimate websites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware as the massive JavaScript attacks last detected in March resume. The same techniques as last month are used, and among the sites hacked were several affiliated with either the UN or U.K. government agencies.

The exact number of sites compromised is unknown, but it is estimated to be similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com. Although the U.K.-based sites appeared to have been cleansed of the malicious JavaScript, the UN sites had not.

The attackers have now switched to a new domain as their hub for hosting the malicious payload in this attack. Although the malware-hosting domain has changed, it is located at a Chinese IP address, just like the one used in March. It also looks like they are using just one hosting site but changing the link within the JavaScript. When a visitor reaches one of the hacked sites, the malicious JavaScript loads a file from the malware-hosting server, then redirects the browser to a different page, also hosted on the Chinese server. Once loaded, the file attempts eight different exploits, including one that hits a vulnerability in Internet Explorer’s handling of Vector Markup Language (VML) that was patched in January 2007.
