Vulnerable visitors get infected with backdoors and info stealing trojans

Aug 25, 2009 09:52 GMT

Security researchers advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains.

Web security company ScanSafe has been monitoring this new threat and advises that the infection pattern is a hidden IFrame loading JavaScript content from a domain called a0v.org. A Google search for "script src=http://a0v.org/x.js" reveals 62,100 results.

Mary Landesman, a senior security researcher at ScanSafe, told The Register that the infections are the result of SQL injection attacks. The x.js file called from a0v.org loads exploits from seven other domain names. At the time of writing, Google's Safe Browsing was flagging a0v.org as malicious.

"The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info," Mary Landesman writes on the company's blog.

If exploitation is successful, several malware installers are dropped onto the victim's computer and executed as drive-by downloads. The security researcher warns that "post infection, additional malware may also be downloaded" from a different host. The exploits target vulnerabilities in popular software, including Internet Explorer, Mozilla Firefox, Adobe Flash Player, Adobe Reader and Acrobat, and Avast! Antivirus. AV detection rates for the malicious executables downloaded during the attack range from poor to moderate on VirusTotal.

This sort of malware distribution attack, which relies on exploit cocktails, is popular with cybercrooks because end users have historically failed to deploy security patches for the software installed on their computers. Just recently, we reported on a similar mass web compromise campaign discovered by network security company eSoft. The point of entry for those attacks appears to be a buffer overflow vulnerability in Webalizer, a popular program for generating web statistics.