Malware researchers have flagged a massive outbreak of JavaScript injection attacks that have compromised thousands of Web sites, including .gov sites in the United Kingdom.
This alert from Websense Security Labs explains:
“When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com. The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.”
Working with officials at two anti-malware labs, I was able to confirm at least 20,000 infected sites, including a civil service recruitment site belonging to the UK government, a United Nations events site and several high-traffic tourism portals.
Websense says the latest JavaScript injection compromises are closely linked to a recent SQL injection mass attack described in this SANS ISC bulletin.