by Andy Greenberg, Aug. 16, 2010
Cybercriminals tend to seek economies of scale: the easiest attack with the largest number of victims. Now one scheme may have set a new record for efficient exploitation: one web-based hack that infected as many as five million individual websites.
Over the weekend, Wayne Huang, a researcher at cybersecurity firm Armorize, detected what may be the largest-ever collection of sites invisibly attempting to download malware to users’ PCs, thanks to just one widget that was compromised by hackers. That widget–an embeddable survey called the “Small Business Success Index”–was injected with malicious code aimed at installing a variant of the Koobface worm.
According to Huang, that infected site element was automatically included on every ”parked” domain–default registered sites that haven’t been updated–created by popular hosting provider Network Solutions. And a search on Yahoo! for a few search strings listed only on those parked domains revealed the total size of the infection: as many as five million individual sites.
Huang and others at Armorize hand-checked about 200 of Network Solutions’ parked sites and found that every one carried the Small Business Success Index widget, along with the Koobface variant. “These are just parked domains, but this is a record for sure,” says Huang. “It’s definitely a new type of attack.”
Huang alerted Network Solutions to the problem over the weekend and the hosting provider has removed the widget on its parked domains. Many more pages hosting the widget may still be infected–the survey box could also be installed on other platforms including Google’s Blogger platform, Linkedin, Twitter and Facebook.
Here’s a video Huang made to demonstrate his findings. Though he describes a pop-up window impersonating Chinese chat software QQ, that element of the attack only applies to users based in Taiwan and China, where Huang himself is based. The Koobface download happens without a pop-up window. “You view the page and you’re infected,” Huang says. “No clicks whatsoever.”
This isn’t Armorize’s first warning about the malicious widget. The company found in May that Boingboing.com, a site typosquatting on a similar domain to the popular blog BoingBoing.net, was downloading malware to users’ machines. That means the Small Business Success hack has probably existed for several months at least.
Armorize says the Koobface malware he found monitors a user’s browser activity and what sites they search, sometimes loading pop-up ads based on their search terms. It also “phoned home” to a command-and-control server that would allow it to be updated for other purposes.
Huang hasn’t fully analyzed what software is targeted by the attack, though he says a test PC running Windows XP and Internet Explorer 6 was vulnerable. Uploading the malware to the antivirus analysis site VirusTotal showed that only 21 out of 42 antivirus vendors are capable of spotting the malware.
Though this attack has largely been contained, Huang warns that attacking hosting providers like Network Solutions may be an increasingly common trick to spray malware at a high volume of targets. “It’s a very efficient way to infect a very large number of domains,” says Huang. “This is definitely one of the biggest mass scale drive-by-download attacks that we’ve seen.”
Hi, I am with Network Solutions and want to assure you that we are working on this issue and have additional clarifications and updates at http://bit.ly/9g5qv4 Please note that this has NOT affected 5M sites as reported online. Our preliminary analysis is that the potential affected under construction web pages was less than 120k around the time of detection of the malware. Please visit http://bit.ly/9g5qv4 for frequent updates and a FAQ on the issue. –Susan Wade
ReplyDelete