Huge Volumes, Big-Time Sites Hacked via Asprox Attacks

By Matthew Hines  |  Posted 2008-07-16 Print this article Print

According to a new report published by experts at security filtering specialist Finjan, the company observed more than 1,000 unique Web site domains serving up the well-publicized Asprox malware attack over the first two weeks of July 2008 alone, including many URLs belonging to some of the world's most recognizable businesses and institutions.

Among the legitimate sites that the company noted in its research as being owned by Asprox were the official URLs of the National Health Service in the United Kingdom, the official Web site of the University of California and

And adding to the ongoing technology headaches being experienced by the city of San Francisco, part of the city's official site has also been swept up in the Asprox torrent.

In a blog posted to the Finjan Web site, researcher Ayelet Heyman noted that despite the fact that Asprox (named for the malware tool kit used to create variants of the code) has been in the public domain for several years, tons of URLs are still being successfully subverted by the threat.

"Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack," Heyman observed.

And clearly it's not just mom-and-pop sites that are being compromised by Asprox-based attacks. According to Finjan's research, pages currently loaded with the code include those controlled by scads of well-known e-commerce vendors, computing sites and government agencies.

Popular online advertising distribution networks are also being utilized to spread the attacks, Heyman said. One of the advertisement networks that the company monitored in the Asprox ecosystem was, which Microsoft has moved to acquire.

According to the Finjan advisory, each of the 160 different domains hosting the code that is Asprox points to the location of a malicious file that is unique to each and every one of the hacked sites.

"The pointed iframe loads an obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit provided by writers of the new version of NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)," Heyman said.

Upon successful exploitation, a Trojan is downloaded and executed onto an affected victim's machine.

So much for being able to trust the sites of major entities more than their mom-and-pop brethren!

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel