Almost thirty thousand URLs infected

Aug 25, 2009 08:32 GMT

Security researchers warn that a recently published exploit for a vulnerability in Webalizer might be used to inject malicious code into tens of thousands of legitimate websites. The compromised URLs are redirecting to other websites serving malware and attempting to exploit unwary visitors.

The Threat Prevention Team of network security solution provider eSoft has been tracking this mass compromise attack and reports that the infection rate was increasing by several hundred new web pages per hour during the last week.

The compromised URLs are of the form http://www.example.com/webalizer/050709wareza/crack=28=keygen=serial.html and display spam text and images, as well as links to other malicious websites. Some of these websites are packed with exploits for vulnerabilities in popular applications, which attempt to infect visitors with malware.

One of the rogue files dropped if exploitation is successful is an installer for a banking Trojan, which has very low AV detection rates. "Around 1/3 of the compromised sites include a Webalizer directory, which may indicate a correlation with a recently published webalizer exploit. This exploit allows an attacker to execute arbitrary code, often with elevated privileges," warns Lee Graves, Senior Technical Support Engineer at eSoft.

Webalizer is a rather popular free web server log analysis program, which helps webmasters generate statistics about the traffic on their sites. The application comes installed by default with many shared hosting packages and is available in most web hosting control panels.

The company notes that Google's Safe Surf feature does not have these malicious URLs blacklisted, and neither do other web filtering applications from vendors such as Norman or McAfee. "It is recommended that administrators configure webalizer to not do reverse DNS lookups until a patch is released," advises Mr. Graves.
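As an added defender-side example (not eSoft's or Webalizer's own code), the following Python audits a webalizer.conf for the DNSChildren directive, which controls whether Webalizer performs the reverse DNS lookups the advice above says to switch off, and scans web server access-log lines for requests to pages of the injected URL shape quoted earlier. The config text and log lines are constructed samples, and the function names are hypothetical.

```python
"""Checks for the Webalizer mass compromise described in the article."""
import re
from typing import Dict, List

# Real Webalizer directive: "DNSChildren N"; 0 (the default) disables reverse
# DNS lookups, any value above 0 enables them. Lines starting with '#' are comments.
_DNS_CHILDREN = re.compile(r"^\s*DNSChildren\s+(\d+)\s*$", re.IGNORECASE | re.MULTILINE)

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shape of the injected spam pages reported above, e.g.
# /webalizer/050709wareza/crack=28=keygen=serial.html
_INJECTED = re.compile(r"/webalizer/\d{6}[a-z]+/[^/\s]*=[^/\s]*\.html$", re.IGNORECASE)


def webalizer_dns_lookups_enabled(conf_text: str) -> bool:
    """Return True if an uncommented DNSChildren line sets a value above zero.
    Assumption: when the directive is repeated, the last occurrence wins."""
    values = _DNS_CHILDREN.findall(conf_text)
    return bool(values) and int(values[-1]) > 0


def find_injected_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return host/path/status for every request whose path matches the
    injected-page pattern; lines that are not valid CLF are skipped."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if m and _INJECTED.search(m.group("path")):
            hits.append({"host": m.group("host"), "path": m.group("path"),
                         "status": m.group("status")})
    return hits


# Constructed sample data (not taken from any real server).
SAMPLE_CONF = "# DNSChildren 0\nDNSChildren 10\nDNSCache dns_cache.db\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Aug/2009:10:01:12 +0000] "GET /webalizer/usage_200908.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Aug/2009:10:01:30 +0000] "GET /webalizer/050709wareza/crack=28=keygen=serial.html HTTP/1.1" 200 8843',
    '198.51.100.9 - - [24/Aug/2009:10:02:02 +0000] "GET /index.html HTTP/1.1" 200 1212',
]

if __name__ == "__main__":
    print("reverse DNS lookups enabled:", webalizer_dns_lookups_enabled(SAMPLE_CONF))
    for hit in find_injected_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```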

Exploiting vulnerabilities in popular applications is currently a very common attack vector used by cybercrooks to deliver malware. The technique is called a drive-by download and has been proven to be highly successful because computer users generally fail to deploy security updates for software installed on their computers.