40,000 sites hit by PC-pwning hack attack

Status
Not open for further replies.

naveen_reloaded

!! RecuZant By Birth !!
i dont know about u guys..

but for the last two days .. my connection is being crappy..


it could be due to this .. i dont know... :?:



More than 40,000 websites worldwide have fallen under the spell of a sneaky piece of attack code that silently tries to install malware on the machines of people who visit them, security experts from Websense have warned.
The mass attack has been dubbed Beladen because beladen.net is one of the internet domains used to unleash a swarm of exploits that target unpatched vulnerabilities in the Internet Explorer and Firefox browsers and programs such as Apple's QuickTime. It plants highly obfuscated javascript on the bottom of websites that's slightly different each time, making it impossible to spot infected sites using search engines.


The compromised websites are operated mostly by smaller businesses and government agencies, and so far Websense researchers have been unable to identify a common component that is being targeted. That leaves them guessing that the sites were penetrated by sneaking key-logging programs onto the PCs of people who maintain the sites, Stephan Chenette, manager for security research at Websense, told The Register.
"It's all that we can assume because there is no common injection amongst all these 40,000" sites, Chenette explained. "The only other possible explanation is the website owners have basically had their FTP credentials or account credentials compromised."
(One website owner offers a PDF here containing details of the infection hitting his Linux system running the Apache webserver).
It remains unclear how many end users are being affected, however. Mary Landesman, a researcher at ScanSafe, said less than 0.03 percent of its customer base tried to visit a site infected by Beladen in the entire month of May. That compares with more than 37 percent of its customers trying to visit sites hit by another mass infection that goes by the name Gumblar. Like Beladen, it attempts to install malware on the PCs of people visiting affected sites.
But that doesn't mean Beladen isn't important. Beyond it's demonstrated ability to sneak itself onto so many webservers, it's also notable because the attack bears the hallmarks of Russian mobsters. Before users are redirected to beladen.net, they are taken to one or more other addresses such as googleanalytlcs.net (note that "analytlcs" is spelled with an l instead of an i), which are attack sites designed to appear connected to Google Analytics.
Those same sites have been used in the past by the cybercriminals known as the RBN, or Russian Business Network, Chenette said. The group is known for producing highly sophisticated malware and offering a network of highly reliable webservers and other infrastructure used to deliver potent attacks. It has largely stayed out of the public eye since being outed in a series of articles by The Washington Post. Beladen may be a sign that the RBN is taking a more active role again.
Beyond that, it's clear the attackers have taken painstaking steps to ensure the stealth of Beladen. In addition to javascript that is put through multiple layers of obfuscation, the attackers have also covered their tracks by shunting victims through a series of intermediary servers before arriving finally at beladen.net. In an attempt to thwart researchers, the servers check the previous site visited to make sure visitors have been referred by compromised server.
Finally, when we last wrote about this infection Friday, it had hit about 30,000 sites. It's ability to grow by a third in less than 72 hours is worth taking seriously.
Sadly, Websense has had little success reaching the owners of the compromised websites.
"Half of the websites that have email addresses listed don't respond to any security notification," Chenette said. "Many users think they can throw up a website and that's the end of the day. They have to be more responsible in understanding that they have to protect the users of that site and the content."
Website owners who suspect they have been hacked should inspect the source code on the site's front page. If there's a block of strange-looking code that mysteriously showed up recently, there's a decent chance it's Beladen. ®



*www.theregister.co.uk/2009/06/02/beladen_mass_website_infection/
 

Pratul_09

Journeyman
Its true man, in todays world javascripts vulnerabilities are exploited by some hackers to cause harm to the community at large both financially and socially. Check this out

www.freshwap.net/forums/applications/17722-jetbrains-resharper-4-1-933-a.html

Note : This may be dangerous and you may get infected.
 

Pratul_09

Journeyman
Its true man, in todays world javascripts vulnerabilities are exploited by some hackers to cause harm to the community at large both financially and socially. Check this out

www.freshwap.net/forums/applications/17722-jetbrains-resharper-4-1-933-a.html

Note : This may be dangerous and you may get infected.
 

iinfi

mekalodu
is it possible for a hacker to run malicious scripts on a linux server even without knowing the root or user password of a linux system?
any file which is copied from a remote system doesnt have execute (x) privileges! in such a scenario how do scripts get run on the remote machine?

moved as question here *www.thinkdigit.com/forum/showthread.php?p=1124244#post1124244
 
Last edited:

mediator

Technomancer
iinfi said:
is it possible for a hacker to run malicious scripts on a linux server even without knowing the root or user password of a linux system?
any file which is copied from a remote system doesnt have execute (x) privileges! in such a scenario how do scripts get run on the remote machine?
Not until the apache server is run as root itself. Further there is a constraint of "documentroot" and then if SElinux is enabled (linux server) then it further limits the scope of damage. Chroot jails for ftp might come in handy too.

The remote machines usually means windows machines. The compromised servers here means "Apache server". Apache is a software that might be running on any platform e.g linux/bsd/windows etc.

The cause of compromise of the server is given in the report. The report has been given by some website owner, containing details of the infection hitting his Linux system "running the Apache webserver".

AFAIk, there is no such option in javascript that can change the permissions on linux sytems for that would clearly be identified as a major risk. Only server side scripting can execute command line stuff. Firefox is a browser not a server like apache.

PS: Just went to the source site of the infections, seems firefox (v 3.0.10) was trying to block this site. :D
 

NucleusKore

TheSaint
Even if it affects Firefox on linux remember that by it's not running with root privileges on most distros.
And then there's No Script for Firefox on both Windows and Linux :D
 
Status
Not open for further replies.
Top Bottom