CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 30th, 2008

Increasing Number Of Websites Infected With Troj/Unif-B

Over the past few weeks, SophosLabs has noticed an increasing number of sites compromised with a malicious script detected as Troj/Unif-B.

Since March 1st 2008, almost 11,000 pages have been compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity: around 150 new domains daily.

Across the 4,500 compromised domains, the targets that the compromised pages point to fall into two categories. The first is additional attack sites: some other site which hits the victim with exploits. The second is redirect or “control” sites: some other site, controlled by the attacker, which can be used to direct traffic. Typically, these sites direct victims to one of several other attack sites, although there may be several redirects in use.

Among the attack vectors, a few are noticeable:

1. Installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
2. Redirect sites under the control of a large and well-coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
3. Load exploits intended to install a member of the Mal/Zbot family.
4. Point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.

About 70% of the compromised domains that point to the GPack attack site are hosted by the same ISP. The same is true for some of the other attacks listed above, since targeting server farms is an effective strategy for the attackers.

The grouping within the compromised pages reflects the coordinated attacks that are taking place. Also not surprising are the relationships between some of the groups. It is not unlikely that these sites could be used to make money by selling “traffic flow”, since attackers often pay for victims to be directed to their attack sites for a period of time.
