CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 9th, 2010

Thousands Of High-Ranked Webpages Infected With Malware, Including Intljobs.org, WSJ.com, tomtom.com.tw

More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines.

The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft’s Internet Information Services using ASP.net, said David Dede, head of malware research at Sucuri, a website monitoring firm. Intljobs.org, The Wall Street Journal’s wsj.com, The Jerusalem Post, tomtom.com.tw and the police department website for UK county of Strathclyde have been hacked.

Google searches on Tuesday indicated more than 100,000 pages were infected, Dede said, but that number had shrunk to about 7,750 at time of writing.

The sites were infected using SQL injection exploits, which allow attackers to tamper with a server’s database by typing commands into search boxes and other user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious javascript on that site attempted to infect end users with malware dubbed Mal/Behav-290 according to anti-virus firm Sophos.

Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out, spokesman Andre’ M. Di Mino said in an email. He said the details would be published soon.

The SQL injection attacks came from Chinese IP address 121.14.154.69, Dede said. Robint.us was registered to a Dongguan Wanjian of Dongguan, China, according to whois records. Dede said he is still trying to determine the module that is being compromised in the mass hack attack.

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • Almost 300,000 Webpages Infect Visitors Through Invisible IFrame Link
  • Thousands Of Sites Infected In Renewed SQL Injection Attacks
  • Hijacked High-Ranked Sites Serve Malicious, Illegal Content, Blacklisted By Google
  • Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites
  • Automated Malware Attacks Hit Facebook, CAPTCHA Possibly Cracked

    • Posted in Breaches And Incidents, Cybercrime, Hacked, Malware, Mass Web Attacks, Microsoft, Software, SQL Injections, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Wednesday, June 9th, 2010 at 12:41 pm and is filed under Breaches And Incidents, Cybercrime, Hacked, Malware, Mass Web Attacks, Microsoft, Software, SQL Injections, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Thousands Of High-Ranked Webpages Infected With Malware, Including Intljobs.org, WSJ.com, tomtom.com.tw

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »