
Dozens of Web sites spread malicious Trojan

By Eric B. Parizo, Site Editor
05 Feb 2007 | SearchSecurity.com

Security Wire Daily News

Following a high-profile Web site hack Friday, malware hunters have discovered that as many as 50 other Web sites across the Internet were compromised by malicious attackers, and could have been infecting visitors' machines with dangerous malware as recently as Sunday.

Web sites victimized

The following Web sites were among those compromised, according to SANS ISC:
https://www.massgeneral.org
mhmonline.com
www.citruscollege.edu
www.stariq.com
www2a.cdc.gov
www.surfersvillage.com
www.citrus.cc.ca.us
207.178.138.47
www.nlgaming.com
www.arcchart.com
www.me-uk.com
www.olympusamerica.com
www.cabi-publishing.org
www.imo.org
www.pathnet.org
www.vcuhealth.org
www.medcompare.com
ymghealthinfo.org
www.zeenews.com
www.pharmabrandeurope.com
www.infogrip.com
totallydrivers.com
www.ajr.org
www.offshore247.com
www.massgeneral.org
www.nlgaming.com
www.scif.com
www.speroforum.com
www.betterpropaganda.com
www.youandaids.org
www.cottagesdirect.com
www.plasticsmag.com
www.healthy.net
www.irinnews.org
www.pubapps.vcu.edu
www.generousgiving.org
www.doctorndtv.com
www.mcv.org
www.vcuhs.org
www.nordic-telecom.com
www.betterpropaganda.com
www.nationalmssociety.org
www.nmss.org
cityofboston.gov
scif.ca.gov
wanniski.com
www.wilson.edu

Source: SANS ISC

Friday, San Diego-based Websense Inc.'s Security Labs unit discovered that attackers had successfully compromised the Web site of Miami's Dolphin Stadium, home of last Sunday's Super Bowl XLI.

Over the weekend, Websense and researchers at the Bethesda, Md.-based SANS Internet Storm Center (ISC) discovered that dozens of additional Web sites had been compromised in the same manner, including high-profile sites belonging to organizations such as Massachusetts General Hospital, Olympus America Inc., the American Journalism Review, the National Multiple Sclerosis Society and the city of Boston.

In all, at least 50 Web sites were victimized, several of which had been compromised as far back as early January. However, Johannes Ullrich, chief research officer of the SANS ISC, confirmed that all of the high-profile sites were fixed over the weekend and they no longer pose a danger to visitors.

As was the case in the Dolphin Stadium hack, a malicious JavaScript keylogger file had been inserted into each Web site's front page header. Upon visiting the site, the script executed and attempted to download a malicious backdoor Trojan that exploited two known Microsoft vulnerabilities: MS06-014 and MS07-004.
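A defender's first check for the kind of compromise described above is whether a site's pages reference any script host they should not. The following is an added example, not code from the article, SANS ISC or Websense: it parses a page, collects every script reference, and flags those whose host is not on an allowlist. The sample pages, the allowlist and the hostname injected-host.invalid are constructed for illustration and are not the domains from the 2007 incident.

```python
"""Flag <script src=...> references that point outside an allowlist of hosts.

Added example (not code from the article, SANS ISC or Websense). The sample pages,
the allowlist and the hostname "injected-host.invalid" are constructed for
illustration; they are not the domains involved in the 2007 incident.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the site's own host and the CDN it legitimately loads from.
PAGE_HOST = "www.example-site.test"
ALLOWED_SCRIPT_HOSTS = {PAGE_HOST, "cdn.example-site.test"}


class ScriptSrcCollector(HTMLParser):
    """Records every <script src> in the document and whether it sat inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.scripts = []  # list of (src, "head" or "body")

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, "head" if self.in_head else "body"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def script_host(src, page_host):
    """Host a script is loaded from; relative URLs resolve to the page's own host."""
    netloc = urlparse(src.strip()).netloc.lower()
    host = netloc.split("@")[-1].split(":")[0]  # drop any userinfo and port
    return host or page_host


def find_unexpected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, page_host=PAGE_HOST):
    """Return [(src, location)] for script references whose host is not allowlisted."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return [(src, where) for src, where in parser.scripts
            if script_host(src, page_host) not in allowed_hosts]


# Constructed sample: the expected front page ...
CLEAN_PAGE = """<html><head><title>Stadium</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
</head><body><p>Welcome</p></body></html>"""

# ... and the same page with one extra script tag added to its header.
INJECTED_PAGE = """<html><head><title>Stadium</title>
<script src="/js/site.js"></script>
<script src="http://injected-host.invalid/w.js"></script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_unexpected_scripts(page))
```

Run against a freshly fetched copy of each page on a schedule; any script host outside the allowlist is worth a look, and a hit in the page header is exactly the pattern the article describes. Protocol-relative references (`//host/x.js`) are handled, since `urlparse` still yields the host for them.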

Ullrich said the malicious Trojan originated from a domain in China, which has also been terminated. He said early evidence suggests that the likely culprit may be a Chinese gold farming syndicate linked to the online role-playing game World of Warcraft.

"It almost looks like this Chinese group had a script that looked for a particular vulnerability in an order of mass on all these sites," Ullrich said.

"There was nothing interesting about the downloader or the password stealer. They were old, uninteresting pieces of malware," said David Marcus, McAfee Inc. security research and communications manager. "But their choice of Web site (Dolphin Stadium) to host it on was quite clever."

Dan Hubbard, vice president of security research for Websense, said his organization stumbled upon the Dolphin Stadium Web site exploit when its customers called inquiring as to why Websense's security software was automatically blocking that site.

Hubbard said that as of Sunday night, Websense's research indicated that there were about 10 known compromised sites that had not yet been repaired, none of which were considered high profile. Now that the Chinese domain spreading the Trojans has been removed from the Internet though, he said the threat is significantly mitigated.

"The Chinese domain was taken down, and though it did come back up a couple times in different locations with different IP addresses, the issue has now been taken care of at an IP level, so I wouldn't say there's any kind of elevated risk."

A spokeswoman for Massachusetts General Hospital, which operated one of the reportedly compromised domains, said the organization's Web site administrators were unable to confirm the attack after examining the site's logs; two other organizations with affected Web sites did not return calls. A representative for the city of Boston was unable to confirm that its site was affected.

SANS ISC is investigating exactly what may have enabled so many Web sites to be compromised. Ullrich said his organization is working to determine whether each site had been running an unpatched version of Microsoft's Internet Information Server (IIS) software. However, he said there could be other factors involved.

"We're also looking at the apps on the servers," Ullrich said. "It could also be that they have some common content management system installed. We don't know yet."

Virtualization seemed to complicate the issue for some, as some of the victims had multiple domains compromised because their Web pages were hosted on the same server. "It wasn't like there were five or six servers compromised," Hubbard said. "A couple servers had multiple sites hosted on them. One was compromised that had virtual hosts on it."

Hubbard said Websense has attempted to contact a number of the additional organizations whose Web sites have been affected, but contacting the appropriate personnel in each organization is challenging.

"One of the great things about the Web is that you can put up a Web site in 15 minutes," Hubbard said, "but one of the bad things about the Web is that people often do that and don't understand security. It's not like you can always pick up the phone and find the person who runs each Web site."

Making matters worse, Ullrich said it's possible that more Web sites have been compromised, but have not yet been discovered. Still, Ullrich said organizations can remain safe as long as they take measures to block the Chinese domains from where the malware originated.

Hubbard said this incident serves as a lesson that most of these types of exploitations are avoidable by keeping software patches updated and diligently maintaining a log of Web site configuration changes.
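One practical form of the change log Hubbard recommends is a hash baseline of the web document root, so that an edited front page shows up as a difference on the next comparison. The following is an added example, not code from the article or from Websense; the directory layout and file contents it builds are constructed, and a real deployment would keep the baseline file off the web server.

```python
"""Baseline-and-compare integrity check for a web document root.

Added example, not part of the article. Stores a SHA-256 per file under the web
root and reports modified, added and removed files on the next run. The
directory layout and file contents in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map of relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def save_baseline(root, baseline_path):
    """Write the current snapshot as JSON; keep baseline_path outside the web root."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f, indent=2, sort_keys=True)


def compare_to_baseline(root, baseline_path):
    """Diff the live tree against the saved baseline."""
    with open(baseline_path) as f:
        old = json.load(f)
    new = snapshot(root)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Build a constructed web root, baseline it, then change index.html and drop in a new file."""
    root = tempfile.mkdtemp()
    baseline = os.path.join(tempfile.mkdtemp(), "baseline.json")  # stored outside root
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><head><title>Site</title></head><body>hello</body></html>")
    with open(os.path.join(root, "js", "site.js"), "w") as f:
        f.write("console.log('site');")
    save_baseline(root, baseline)

    # Constructed changes that a later comparison should surface.
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<!-- changed -->")
    with open(os.path.join(root, "js", "extra.js"), "w") as f:
        f.write("")
    return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pair the comparison with the deployment process: re-baseline only after a known, authorised change, and treat any other difference in `modified` or `added` as something to investigate rather than silently accept.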

Information Security magazine Features Editor Marcia Savage contributed to this report.
