Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Hackers Hit 40,000 Websites with Mass Compromise



 By: Brian Prince
2009-06-01
Article Rating:starstarstarstarstar / 5


There are 9 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Hackers have compromised about 40,000 legitimate Websites, infecting them with malicious JavaScript that ultimately redirects users to a malicious site, says Websense. Security researchers at Websense say the tactics are reminiscent of the notorious RBN group.

Researchers at Websense are reporting a mass compromise that may have affected as many as 40,000 Websites.

Although Websense would not name any of the compromised sites, researchers said the victims did not include any "big-name government or business sites." The compromised sites are redirecting users to typo-squatted misspellings of legitimate Google Analytics domains. From there, users are redirected to the malicious Beladen.net site. 

"The Google Analytics site serves as a statistics keeper, and the Beladen site is used to host the exploits," said Stephan Chenette, manager of security research for Websense Security Labs. "It analyzes the end-user PC and attempts to exploit several different unpatched vulnerabilities If none of the unpatched vulnerabilities exist, it delivers a popup claiming that the PC is infected in an attempt to trick the user into installing rogue anti-virus software." 

Resource Library:

According to Websense, the Beladen site is stacked with multiple types of malwareas many as 15 to 20 different exploits targeting various vulnerabilities. 

Just how the legitimate Websites are being compromised is unclear, though Websense researchers speculate that it is a SQL injection issue. 

Click here to read about a software scam hitting Twitter.

"We haven't pieced together the common software or common application that all these Websites are running that allows this SQL injection to happen," Chenette said. "They're either running some kind of business application that they have in common or these [FTP] accounts were compromised and that's how attackers are able to inject code into these Websites." 

"RBN (Russian Business Network) actually used this exact same domain," he continued. "So the patterns that they are using in terms of the domain name and the exploits that they are using are very indicative that the group responsible behind this might be either connected with RBN, might be RBN themselves or might be a copycat group that is using some of the resources that RBN used." 





  Reader Comments: Hackers Hit 40,000 Web Sites With Mass Compromise
>>> Post your comment now!
My home page keeps getting injected
with this code so I googled it and then added the word hackers and thankfully found this webpage...I am getting hit 3 times or more a week, so I...
Posted At: 06-10-09
By: Wendy
Seeking Info
How quickly will Websense share the 40k website list for browser/3rd-party URL blocking? Can long blocking lists be supported in browsers without...
Posted At: 06-05-09
By: Tony
re:
Hey Daryl. Here is an updated entry from Websense with more information on the exploit code. ...
Posted At: 06-03-09
By: Anonymous
A user comment on this article
34 viruses were dumped onto my computer in two minutes. They threw the kitchen sink at me.
Posted At: 06-03-09
By: Johnson
Bad timing
My computer cost $200 to get the viruses off received from one of those lovely 40,000 compromised websites.
Posted At: 06-03-09
By: Johnson
Exploits
Do we know what exploits were used?
Posted At: 06-03-09
By: Daryl
Hacker Recipient
My computer was compromised Sunday moring at 7:00 CDT when I went looking for Sue Boyle I DReam a Dream Lyrics. When I downloaded the lyrics the crap...
Posted At: 06-03-09
By: Zboss
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ks6*Q3{L=RJ64ԭRQ$$1H-IV8_N?qd{&s6Fh4#spI"WnZΘt\snSr8úO >X?$88w>G &(ɑԫ1m3HnwݶN=gP'^> \q?g3Q;Y|&E%k4ًʏшqGOПad^y4;U'i3[_Sա*v25v+n /@Z#\DȁY{4ɿTݱm6{ -XdUZL bC6S!1k%Tը>lY}D|ݑ|Y#Xo:QA3MuL_C?)$fʀ ;8#/6<{m xZjkMNR=1,g fV҈ 'UUjH,i\~1ۛvEvL,/!R42V,]?#ˠzqwq~rq׾>E>Z=$O#t: +?;V'_ZU!&󁭡^HN™,?.+`HBi۲ܺΑ\ y[ a(7f`XӀ7? eR2\ML9X@.@ש#04ǯiVj5V8z[PĿ E/<@'L[P3Z$923=Pru&Sk~$M ]sb.L2o<|)#m̗U/d`(AK/g 5v:]R$y3DDȃ g/3/r.i }h8yWҽT7ws iغT49;N߇]/7+De,Ⱥ s5-wizˬ;\gܸh5n[wӽuS5߷@*)5>'4d}t>჎(>hƋCri\ZnL,rӇu4A.~Gݣn]?'tnYXŞ*LRVi50C-m| &>v\l8d ((syt{P&zJCˋF` V<2/?>fxs݀ܧP}-{`sDoeC97(O3x?k1 \tB,Â?9fh琉HDOAЌ7_A}xDF6}^82@&{l6g{A3uNP"'Կ ;77u9\T=]҇9 UQR })/Sp>!_Nw\Գ&AB glCC{١[[3T)w^IY䞅T_9YX XO`q ,Rd0q6NI SXh8ECW4jM;24E֊f[{ց$lJ#ʴ.Z*![q5o|a׼1F]RZJKPDlPc/X kezdEM*&7 kSkdQ6qo?`R5JȄmloՒhMb1v ʸnJirif>u>MKϵ("?GnLOl3p9H!%6D;~s sOЭ,pZU501@/ŵAb=[:P]%,Y^XVꚲ+]75e"AY#&:=4̄+ud'T-{ =}6:y֚o'rI)jEclq-Z ;rm} szA8l1D:3`_npa Z*"~~~049 J?}xN`/rW["LJ}wYвJzu6$T.(J9A)` N 2&|h<CH&,\$ WDrAa \+c//'7].K i?aE"%1ڣs!a*7+ \;gjZ(T+1:ʪZJ:_V2{VN0aE>yLLF<|˰"Uzo }BZ_(ƨOMqѡ,` tV8V?<@? v:"lhCxR &`j@$p LM{1jNvg `\w~m;" A_ tc{~O]SK[JI) `uVEZ)~)HǞ1}]ܙe>tgc:6Ϥ7pOUUQS^F<:H93$_@hOXM ] 7Ṩf6}b;_*|980xX=h8pM\&eM=J1z7xIn6J墦AkR;@+a#ұLƈQ@Z:"GYdQ.|eR)*`7$ʠK= j ;! ]DZu|V n&<1wOXO\dK!M$DDOCVjgX&1W+ʬƼ d@48'o;7OZU9|{?" }M pفd#?J_ݵǤ}u_hvW ut{~{}LDм'~ُR +Kx4W}}1)X\jw[b8K}LAIP 4t=!!}ׇ7{9EM}^цϮZ0BN@ɁvnG4o߷ŗtϺW[~J\[R1~FdG My~}u8)DUy~|ly0aF 'Lkd34ga@ ձto[X0z)ӱB ZMUc | ڠl'< yy~N¯nUk~ % I+U:=<  cJ=!o8oni9$C; `M/ԩ #ADrElFzRFijYɉ/aINa1:}Vt"ڿPυb~C<B<dxD B٠{pңXJ긍vy#^a~:)}AOW-9˝~BҴ(o m"tSݏ[Իc2L:&r֚S%[@c{OӎO\eax!ul8q%՝b"f8BٹGO ,,mSs$S)y#ϔ m$IjSfkC@$ğ_2 Iv(+6HtdAz7jӚ}g .iw6D2F=`l)JZa"A|)J| >k^@ Rq{4%Blb%%hҫoeW!؉\lj9l0`&01̫|1{~U*۞N #H1?g'q?8Hȸt2Ti 'sXsw{ѺB ?݁C5@w5FO.Ս A/sk@לO)|sE1i^[y b@c$H~ `@GL|5zÿ|§ ' rkgtGo;vm,da3/÷qP:|{; ?--8t砞CTω$ɘNBAWU-u+ln(jY9sJuOVrѩc+N Qd1ӷP2]:pOʤsc}d<ݸw[f1rpeoO>Q!#]bwQ=\zŞYiIu9.s\-"ngZZ⽸|W90.=y$/An} lD!=<:D`D:*pctOycZ~‡i4&K-h<]79wBf#AVާA342UCnMk=Ǭ ,giƿ_;QND7|} zx|Wv; /1g&(#ڟ? w 9U1)%ŗ`PBH|pN7̼V&Q~2*wCOƥ,0eROӽQ^''\/_ }ta& <.wV0F7^v S˧%O_ө ֶ8j Yrh(UjA1;T┐O6&mSgLI9z,'pD_xW*كZZ2j Ͻww>9wm8g񜷾EUjjY'0LtB.Gȝ#lŠYl  S1a^"'wr%e?\By Sb6FIAbrK{ mT&"r<vRl1ud!sN Hˢ(.7-  }dU;ݗ:x;.vtǢ>̝ۦԦϹQ3CSD|٥{_ o?k\imtnOY'ȃߢJ >TէB!}#)5D@+xgj˵VaMN3ݶ+&⫽MH6ŗ@rO|k nNl"uޘx׫Bc.ka$$;1 5㵙$#{{wi3e`W۱:ư>/}=}6 dUokot%۬R{2ײwbr,ɹ3؆_ ƗY'6d [IHgs;wP;EX2̭-9ddn`Ô*V:_$gx=XUNpp]pmZtG|O_/U/ }Ps0unؕժTjQܣF +r`m [\a8ms0/'}\rYģ֞=H7b"-w.CgHm'nl@Y,7t:w`>l&~UZ TJ v'&3Bs^9~ȋ:Zjb;X"%\|fV-j%NG4K,2{6 r6 @Rwt1'c0sތjg~R߉MX{0adDx'jO5sSrKu t1YzUh9]fixw4,ɧ+S1|Q*J@(fYir' o.gUo;7p+P~ҪۓV7nAkb^<ҁA+qܒ:e4{6Ŭ> / '}& )<]СrHJoIgo%8>|6ژyiF$YcM ǯ\Ix##k3`vH*+_!ݰVI m{7R[ $y?ZƮEH& qujl_]n{aC_s eޛNc xGg;5&g>a:$.+JAW)Fj(wGy?b.ca7~ K!W馾!sSy-r)GpN{޺ԔFI#'0ឩըS1,1)kM(qik8<4>|?zEu`nOKZ‚ 5" Ya&1F$hD1fHǼiĄ9GOELn1rKT-B@a=Q#3( 9l~}W@tR"tQ.( $H_(YP[,(ϏB5D*%n67Xp_wLi0q>0"(S[]ă04]IPO:(pjU,ywF7`C'[E9Y|ob{` ?0غP\ݹk4on>-iV>n7vwx ZӷptԽs=tֽtѾnܶƅ&hT㟳+}mP<eJf9ũOx .B*r4,xWU^>MZga_mE_CĨg~4A9o߶z=-gG>;yQ5#g!uԦF p7@Q`1D GM& OG3?f_BeFߠo(d^g5u\]g_O7CtAt3 M}7fO诟A@?6A_cV9c>>fʁ~2ڿh.N273y S*ӌRqA/2ȋ+OY射(Ay<++PA/nt3 ؛ < 3_2 ̭L_7gBX\jzr+W^eo4v+iAư[/6^c/K^浽I<&xE'W4<< X1rnmEM++J9wWrHi3#""CHITMVYI2ZYr(RB4|O״W)Y7tSsc<{+4аY-}"z%~@-x1"/c@6of)3^ ^"_v&ic(<)R1K1@eA*u1*f>d%Q< r9m|LڸAÆ^Vٍv"n<4wz:eo:4ǽaƹrV4@8[h xqn9SYF sLgdHτ[6пc͂S%(MLp0-7X8Df[=Nؒ1"QSRۨWUɑv"9/zchd9Ck+S͘P/I;߹{Nz:G ?ZgHoK 5$Id`Կsg=C{9L9 H\}T.q " 2HH 2s{F|%M+ߝswQH墲;}MA~ł霰)#,|HTP}HOm:Zd \w/`͛G4 (Q"3q}(!1} /2ۓ2~=GIj_7 BF3q2 Y8;T"?s@mw9= S%JMޱ J]"1> ^_dvO~%B+/j-sD?>K:![S1Q9jkI/?kwI3v+N%%}YQ v.yH#eUI;.~=O^T~7)V\w|7(6؋LwO ,A_P6vƾL3VA>X]XW>~/{vcS)fG^Fp)hN<}y?ۢ u+ ğoqml.; +CO1ުTWU|>cx g4}wo/cHPVFׁݝV /X| 8lO.hz|}ρ XsCQ%w` =[u6(NAeRb0 yM&Q~0qGĮ2C|R4OUpvRcdLwqgS@NEq˫Py-v6sNAxm=еhOɬQl>- /#]^F6k8~m=eu{/Urcdk{f:ePeX&]f/_X (K#LwC.psh݆G[Hx{ [ qy6` <Щ1Dm.vQeNܔMF:¾u4moeщ&߉nKQa__-O)h<˜4W6AĶqytcqږ0#ŸEr,ɀ'jVf<.^KƠ{e75HR#z3L呋dS1C7@j0\|H d[\O^مu&3k%/YH~>  fr*r*]xWI"cXM?X :T+ƕyOXqө8Yo?]V.:[_,{ݗ.էcRI>Rv2<~vk .3JbQ'.k_u1XںqKOg~>Š6҂%!to[i B"Ew