Mass Injectors Still Burying the Needle

By Matthew Hines  |  Posted 2009-06-19 Print this article Print

Lest anyone should think that attacks like the Gumblar botnet redirection campaign are something of a rare bird, researchers are noting the use of similar "mass injection" propagation techniques in following waves of malware.

Experts at Sophos report that they've been following an entire "series" of such attacks in recent weeks. And oh yeah, Gumblar is still humming along leaving scads of users caught up in its seemingly ceaseless layers of drive-by redirection cycles.

One of the newer mass injection campaigns being tracked by Sophos and other reseachers is Nine-Ball, which experts at Check Point already estimate to reside on over 40,000 machines, is spreading quickly, Sophos said.

Another Trojan mass injector, Troj/Iframe-CB, is embedding itself into "large volumes" of legitimate URLs.

"As the detection name suggests, the script serves the purpose of writing an iframe to the page to redirect to a remote site. Taking a look at the iframe the script adds, the authors make some interesting use of CSS properties to hide it," Sophos researcher Fraser Howard said in a blog post.

"Rather than the normal tiny width/height and a display:none CSS attribute, they are now setting the opacity to 0," he said. "Presumably this is in an effort to evade detections that rely on the traditional hiding mechanisms."

Just as with Gumblar, most people being infected by the other injectors are being redirected through multiple URLs before being stuck with data-thieving malware.

The initial injector infections are frequently being delivered by infected files that take advantage of client-side vulnerabilities.

And just like Gumblar, the lesser-known injectors are also using poisoned search engine results, most recently including, to increase their reach exponentially further.

"Malware authors are clearly enjoying some success in hitting victims in this manner, so expect more of the same," said Howard.

Looks like the Web needs an intervention.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel