Thursday, April 24, 2008

Web Reeling Under Mass Malicious Code Attack


Websense Security Labs has found similarities between a current epidemic of malicious JavaScript injection and one that occurred at the start of the month. The previous attack had compromised thousands of domains.

Websense says the attackers have now switched to a new domain as the hub for hosting the malicious payload in this attack, and the number of compromised sites increased by a factor of ten within a few hours.

When a user browses to a compromised site, the injected JavaScript loads a file named '1.js', which is hosted on 'http://www.nihao[removed].com'.


The JavaScript code then redirects the user to '1.htm' (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilized 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Files named 'McAfee.htm' and 'Yahoo.php' are also called by '1.htm' but are no longer active at the time of writing.
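A defender-side check for the injection described above, added here as an example and not code from Websense or the original post: it lists every script a fetched page loads from a host other than the site itself or its known third parties, which is how an injected tag such as the '1.js' loader stands out. The site host, the allowed CDN and the attacker host in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def find_external_scripts(html, site_host, allowed_hosts=()):
    """Return script URLs that load from a host other than the site itself
    or an explicitly allowed third party (CDN, analytics, ...)."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    suspicious = []
    for src in parser.srcs:
        host = urlparse(src).netloc.lower()
        # Relative URLs have no host and are served by the site itself.
        if host and host not in trusted:
            suspicious.append(src)
    return suspicious


# Constructed sample page: a local script, an allowed CDN script, and an
# injected tag pointing at a placeholder attacker-controlled host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
</head><body><p>Hello</p>
<script src="http://www.attacker-placeholder.invalid/1.js"></script>
</body></html>"""

if __name__ == "__main__":
    for url in find_external_scripts(SAMPLE_PAGE, "www.example.com",
                                     ["cdn.example.com"]):
        print("suspicious script:", url)
```

Run against pages fetched from a site's own crawl, so the check sees the HTML exactly as a visitor's browser would receive it.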

There are further similarities between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack, and it appears the same tool was used to orchestrate the earlier attack too.

According to Websense, when it first started tracking the use of this domain, the malicious JavaScript was still making use of 'http://www.nmida[removed].com/':

Now the attackers are referring to a file hosted on the new domain, 'http://www.nihao[removed].com':

Sites of varying content have been infected including UK government sites, and a United Nations website. The number of sites affected is in the hundreds of thousands, says Websense.

