Increasing Number Of Websites Infected With Troj/Unif-B
An increasing number of sites compromised with a malicious script detected as Troj/Unif-B has been noticed over the past few weeks by SophosLabs.
Since March 1st 2008, almost 11,000 pages have been found compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, around 150 new domains daily.
The sites that these 4,500 compromised domains point to fall into two categories. First, additional attack sites: some other site which hits the victim with exploits. Second, redirect or “control” sites: some other site, controlled by the attacker, which can be used to direct traffic. Typically, these sites direct victims to one of several other attack sites, although there may be several redirects in use.
Among the attack vectors, a few are noticeable:
1. Installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
2. Redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
3. Load exploits intended to install a member of the Mal/Zbot family.
4. Point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.
About 70% of the compromised domains that point to the GPack attack site are hosted by the same ISP. The same is true for some of the other attacks listed above, since targeting server farms is an effective strategy for the attackers.
The grouping within the compromised pages reflects the coordinated attacks that are taking place. Also not surprising are the relationships between some of the groups. It is not unlikely that these sites could be used to make money by selling “traffic flow”, since attackers often pay for victims to be directed to their attack sites for a period of time.