More than half a million websites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users' PCs with a variety of trojans. This ongoing campaign includes new malware-hosting domains and new trojan variants. All of the sites are running older or misconfigured versions of "phpBB," an open-source message forum manager. Popular open-source applications like phpBB are frequently targeted by mass scanning and exploitation tools.
Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached; that server then probes the PC for any one of several vulnerabilities, including bugs in both Microsoft's Internet Explorer and RealNetworks' RealPlayer media player. If any of the vulnerabilities is present, the PC is exploited and malware is downloaded to it.
Some of the compromised sites have been hijacked before, some had recently been used for keyword search ranking manipulation, and some to serve fake pharmaceuticals spam or malware.
This compromise is very similar to the mass compromises we have reported earlier. Visiting a compromised site leads to a series of redirections that eventually result in a malware download. In this case, TROJ_ZLOB.CCW is at the tail end of the chain. This variant poses as a video codec installer.
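The redirect chain described above can be mapped without rendering or running anything it serves. The following is an added example, not code from the original article or from Trend Micro: it follows Location headers from a starting URL, records each hop, flags when the chain leaves the forum's own host, stops on loops or excessive length, and reports whether the final response offers an executable download (the shape of the "codec installer" lure). All hostnames and responses are constructed for the example; `sample_fetch` is a stand-in for a real headers-only fetcher.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample responses keyed by URL, as a hypothetical fetcher would
# return them: (status, headers). Starts on a made-up forum, ends at a "codec".
SAMPLE_RESPONSES = {
    "http://forum.example/viewtopic.php?t=1": (302, {"Location": "/redir.php"}),
    "http://forum.example/redir.php": (302, {"Location": "http://hop1.example/in.cgi"}),
    "http://hop1.example/in.cgi": (302, {"Location": "http://hop2.example/codec/"}),
    "http://hop2.example/codec/": (200, {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="codec_setup.exe"'}),
}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".msi")


def sample_fetch(url):
    """Stand-in for a headers-only request that never renders or runs content."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def trace_chain(start, fetch=sample_fetch, max_hops=10):
    """Follow 3xx Location headers from `start` and summarise the chain:
    every hop, whether it left the starting host, whether it looped or ran
    past max_hops, and whether the last response offers an executable."""
    origin = urlsplit(start).hostname
    hops, seen = [start], {start}
    url, (status, headers) = start, fetch(start)
    result = {"left_origin": False, "loop": False, "truncated": False}
    while 300 <= status < 400 and "Location" in headers:
        if len(hops) >= max_hops:
            result["truncated"] = True
            break
        url = urljoin(url, headers["Location"])  # relative Location resolves against current hop
        if url in seen:
            result["loop"] = True
            break
        seen.add(url)
        hops.append(url)
        if urlsplit(url).hostname != origin:
            result["left_origin"] = True
        status, headers = fetch(url)
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disp = headers.get("Content-Disposition", "").lower()
    result["offers_executable"] = status == 200 and (
        ctype in EXECUTABLE_TYPES or disp.rstrip('"').endswith(EXECUTABLE_EXTS))
    result["hops"] = hops
    return result
```

Replacing `sample_fetch` with a real HEAD request gives a chain log that can be compared against the site's legitimate outbound links.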
The Trojans detected are TROJ_DNSCHANG.CS, TROJ_ALUREON.AE, TROJ_ALUREON.AH and TROJ_ALUREON.AI. These types of Trojans are known for changing an affected system's local DNS and Internet browser settings, thus making the system vulnerable to even more potential threats. It also seems that more than just one piece of malware is being served.
The last massive site attack was less than three weeks ago, when sites that included government URLs in the U.K. and some domains operated by the United Nations were hacked. At the time, some researchers said that bugs in Microsoft’s SQL Server or Internet Information Services server software were to blame. A few days later, however, Microsoft denied responsibility.
According to Trend Micro, site infections will not stop anytime soon. As long as attacks are tied to site development and as long as sites don’t secure their content, there will be more attacks of this kind.
Users are advised to exercise extra caution when browsing Web sites, and to ensure their security software is up to date.