Researchers at Websense uncover a mass compromise of legitimate sites in an attack called Nine-Ball that is redirecting users to a malicious site hosting malware. The security compromise is the third to make the news in the past several weeks.
More than 40,000 legitimate Websites have been hit by an attack that is
redirecting users to a site laced with malware.
which officials at Websense
said they have been monitoring
since June 3, has been dubbed Nine-Ball after the malicious site it directs
"We are not releasing the names of the sites compromised," said
Stephan Chenette, manager of threat research at Websense. "We've attempted
to contact a subset of the compromised sites to let them know that they've been
infected ... No particular vertical was targeted."
The attack appears to be the end result of handiwork by a Trojan that swiped
FTP credentials from the site owners, Chenette said. Once they had the
credentials, the attackers inputted them to automated bots and obtained control
of content across thousands of sites.
When users visit one of those sites they are bounced around between a
series of different sites owned by the attacker until they are brought to the
final landing page containing the exploit code. Once there, the user is
subjected to drive-by attacks attempting to exploit various Microsoft, Adobe
Reader and QuickTime vulnerabilities. If successful, the user will be served a
Trojan dropper with a low
In a bit of ingenuity, in a bid to sniff out security researchers, the
compromised sites are set to check if they have been visited more than once by
the same IP address. If a visitor has been to the site more than once, he or
she will be directed to ask.com instead of to the attack site.
While Nine-Ball is the third
mass Website compromise
report to make headlines in recent weeks, Chenette
said it appears to be distinct from the others.
"The Nine-Ball mass compromise is not related to either Beladen
but like the previous mass compromises, many of the machines
owned by the attacker are located in the Ukraine,"
"At any given time, Websense Security Labs is tracking a handful of
mass compromises," he added.