http://www.pcworld.com/article/id,141544-page,1/article.html
Hack Attack Hits 10,000 Web Sites
Infected sites feed exploits to visitors--and more sites are affected
than first suspected.
Gregg Keizer, Computerworld
Friday, January 18, 2008 3:50 PM PST
A large-scale hack of legitimate Web sites to infect visitors' PCs is
much more massive than first thought, researchers said Friday. At least
10,000 sites have been compromised, and have hijacked unpatched systems
that steered to their URLs.
On Monday, Mary Landesman, a senior security researcher at ScanSafe Inc.,
said that she had uncovered hundreds of sites which had been hacked and
were feeding exploits to visitors. Friday, Don Jackson, a senior
researcher with Atlanta-based SecureWorks Inc., said the number was
considerably larger.
According to ScanSafe's data, approximately 10,000 sites hosted on Linux
servers running Apache, the popular open-source Web server software, have
been hacked, most likely with purloined log-in credentials. Those servers
have been infected with a pair of files that generate constantly-changing
malicious JavaScript. When visitors reach the hacked site, the script
calls up an exploit cocktail that includes attack code targeting recent
QuickTime vulnerabilities, the long-running Windows MDAC bug, and even a
fixed flaw in Yahoo Messenger.
If the visitor's PC is unpatched against any of the nine exploits Jackson
listed, it's infected with new variant of Rbot, the notorious backdoor
Trojan he called "a very nasty piece of software." The end result: The PC
is added to a botnet.
Jackson's can't prove how the sites were originally hacked, but all the
evidence points to the theft of log-on credentials; one reason why he
came to that conclusion is that hosts that have been cleaned of the
infection -- or in some cases even had Linux reinstalled -- are quickly
reinfected.
"There was no sign of brute forcing [of passwords] just prior to the
infection," said Jackson, "but attackers hosting companies are hit all
the time with password attacks. It's part of doing business."
Earlier in the week, Landesman of ScanSafe drew a link between the
security breach at U.K.-based Fasthosts Ltd., that country's largest Web
hosting vendor, and the site hacks, saying then that the domains ScanSafe
had found infected had, or had recently had, a relationship with
Fasthosts.
Fasthosts denied such a cause-and-effect, and cited what it called
"technical discrepancies" with Landesman's claims, but said it was
investigating nonetheless.
Friday, Landesman said more data during the week had made her change her
mind about the link to Fasthosts. "There are a great deal more of these
[compromised] sites than earlier," she said Friday. "There are a number
of them that can be traced to Fasthosts, but not all of them do."
Like Jackson, Landesman remained convinced that the hacks were possible
because of stolen log-on usernames and passwords. "From everything we
have it does point to some kind of compromise of usernames and
passwords," she said. "My theory remains that the eventual source of the
compromise is going to be a fairly finite number [of hosting companies]."
Jackson stressed that while the site hacks were done sans a true
vulnerability, the Apache feature used by the hackers -- "dynamic module
oading" -- is little known by most site administrators, making it extra
difficult for all infected sites to cleanse themselves.
More to the point, said Jackson, administrators must change every
password on the infected server; failing to do so has led to quick
reinfections on some hosts. "All passwords must be changed," he said,
"not just FTP and Cpanel passwords." There's some evidence, he said, that
other passwords besides those for FTP and Cpanel -- a popular server
control panel program -- have been used to access the hacked sites.
Other clues led Jackson to speculate that the attackers are not the usual
cyber criminals based in Russia or China, but are likely from North
America or western Europe. The code for the hacking and file upload tools
lack any comments written in Russian or Chinese, which is normally the
case when an attack originates in Russia or China. Instead, the comments
and code snippets are in English only. "Almost all the hacking business
in western Europe is done in English," Jackson said, mentioning Germany
specifically.
Users can protect themselves from attack by making sure all software on
their systems is patched and that their security software signatures are
up-to-date. Web site administrators, on the other hand, should disable
dynamic loading in their Apache module configurations.
.
|
