"Beladen" website compromises cropping up

A mass injection attack similar, but unrelated, to Gumblar has infected more than 40,000 websites, according to new research from Websense Security Labs.

Thousands of websites are now redirecting unsuspecting users to an exploit site called Beladen. By means of a drive-by download, the site serves a trojan downloader to users running older browser versions, and pop-up ads promoting rogue anti-virus to those who are patched, Stephan Chenette, manager of security research at Websense, told SCMagazineUS.com on Monday.

“Beladen in German means ‘loaded,’ which is a suitable name because Beladen is loaded with exploits,” Chenette said.

The Beladen.net domain isn't new – it has been around since last June, Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com on Monday. Chenette said that while Beladen.net has been flagged by the security community as malicious for quite some time, it is only recently that Beladen.net became the final landing page in this massive injection attack. Landesman added that Beladen is an example of a larger trend, the mass compromise of legitimate websites, which was illustrated recently by the huge uptick in Gumblar infections.

Those behind this new attack are sweeping the web looking for vulnerable websites -- and as of Monday have compromised about 40,000, Chenette said. He added that Websense is still analyzing this threat and it is still unclear what the common vulnerability is, but attackers have found a hole in these websites that has enabled them to inject malicious, obfuscated (scrambled) JavaScript code. The vulnerability is most likely present in some type of content management system, forum or blogging software, or an underlying web framework on which the websites are built, Chenette added.

As a result of the malicious code, when a user visits one of these compromised sites they are redirected twice -- first to a website that logs statistical information for the attacker, and then to the Beladen site where the malware is served. These redirections occur within milliseconds of each other, Chenette said.

Once at the Beladen site, if the user is not running the latest version of Firefox or Internet Explorer, their machine is compromised by the drive-by download, which requires no user interaction, Chenette said. If the user is running an up-to-date browser, they are instead served pop-up ads prompting them to download rogue anti-virus software.
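The injected code described above is obfuscated JavaScript that sends the visitor through a redirect chain. A site owner checking whether their own pages carry such a block can look for the usual hallmarks. The scanner below is an added example, not code from the article or from Websense or ScanSafe; it uses only the Python standard library, and the marker list, the escape-run length, the entropy threshold and the sample page are all constructed assumptions rather than indicators taken from the attack.

```python
"""Added example (not from the article): flag <script> blocks that show the
hallmarks of an injected, obfuscated redirect stub. Thresholds are assumptions."""
import math
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional

# Markers typical of obfuscated stubs (heuristic, assumption)
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# Eight or more consecutive %xx or \xNN escapes
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")
ENTROPY_MIN_LEN = 200     # assumption: only judge entropy on longer bodies
ENTROPY_THRESHOLD = 5.0   # assumption: bits per character
MIN_REASONS = 2           # assumption: one marker alone is too noisy to flag


@dataclass
class ScriptFinding:
    index: int                 # position of the <script> within the page
    src: Optional[str]         # external src, or None for an inline block
    reasons: List[str] = field(default_factory=list)


def shannon_entropy(text: str) -> float:
    """Bits per character of text; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class _ScriptCollector(HTMLParser):
    """Gathers (src, body) for every <script> element in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def assess_script(index: int, src: Optional[str], body: str) -> Optional[ScriptFinding]:
    """Return a finding when the script shows at least MIN_REASONS markers."""
    reasons = [f"calls {c.rstrip('(')}" for c in SUSPICIOUS_CALLS if c in body]
    if ESCAPE_RUN.search(body):
        reasons.append("long run of %xx/\\x escapes")
    if len(body) >= ENTROPY_MIN_LEN and shannon_entropy(body) > ENTROPY_THRESHOLD:
        reasons.append("high entropy for an inline script")
    if len(reasons) >= MIN_REASONS:
        return ScriptFinding(index, src, reasons)
    return None


def scan_html(html: str) -> List[ScriptFinding]:
    """Parse a page and return the script blocks that look injected."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for i, (src, body) in enumerate(collector.scripts):
        finding = assess_script(i, src, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample page: two ordinary scripts plus one obfuscated stub.
# The escaped payload decodes to the harmless string "document.write".
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script>var page = 'home'; initMenu(page);</script>
</head><body><p>Welcome</p>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f.index} src={f.src}: {', '.join(f.reasons)}")
```

Requiring two independent markers keeps a lone `document.write` in legitimate code from raising noise; on the constructed page only the third script trips the check, on `eval`, `unescape` and the long escape run together. Running this over a site's templates and pages after a change is the practical check, since the injected block usually sits in a file the owner did not edit.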

This exploit is similar to Gumblar in that it is an example of a mass-injection attack. However, the exploits being used and the domains involved are different from Gumblar, leading researchers at Websense to believe the two attacks are unrelated, Chenette said.

ScanSafe's Landesman agreed, noting that Beladen is a smaller-scale attack than Gumblar. During the month of May, Gumblar accounted for 37 percent of all web malware blocks made by ScanSafe, whereas Beladen accounted for only 0.03 percent, Landesman said.

“Like most of these long-living attack domains they will go silent for a while, and will crop back up,” Landesman said.

But Landesman added that the overall problem of mass injection attacks is significant, with close to 1,000 unique attacks every two weeks.

"Beladen is one of 1,000," she said.

Chenette said that the Russian Business Network (RBN) might be responsible for this attack because the first site that users are redirected to, which logs statistical information for the attacker, was formerly owned by the RBN. It is a typosquatting site that uses a name similar to the legitimate Google Analytics domain (http://www.google-analystics.com), which provides statistics services for websites.

“The Beladen mass injection attack is very indicative that the RBN might be back at work, which would be huge news for the security community since we thought at one point that they had disappeared from the malicious scene,” Chenette said.
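The statistics hop in the chain uses a typosquatted name one character away from the real Google Analytics domain, which is easy to miss in a proxy log. The check below is an added example, not code from the article or the researchers quoted in it: it compares the registrable part of each logged hostname against a list of protected domains by edit distance. The protected list, the distance threshold, the two-label registrable-domain rule and the sample hostnames are assumptions; the two attack-related names in the sample are the ones the article itself names.

```python
"""Added example (not from the article): flag hostnames that are lookalikes
of a protected domain, using Levenshtein distance. Lists and the threshold
are assumptions."""
from typing import List, Tuple

# Assumption: brand domains the defender wants to protect against lookalikes
PROTECTED_DOMAINS = ("google-analytics.com",)
MAX_DISTANCE = 2  # assumption: edit distance at or below this is a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix handling,
    so names under multi-label suffixes such as co.uk are not modelled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(hosts: List[str]) -> List[Tuple[str, str, int]]:
    """(host, protected domain, distance) for hosts that mimic a protected one."""
    hits = []
    for host in hosts:
        reg = registrable_domain(host)
        for brand in PROTECTED_DOMAINS:
            if reg == brand:
                continue  # the genuine domain is not a lookalike
            d = edit_distance(reg, brand)
            if d <= MAX_DISTANCE:
                hits.append((host, brand, d))
    return hits


# Constructed hostnames as they might appear in a proxy log; the two
# attack-related names are the ones the article quotes.
SAMPLE_HOSTS = [
    "www.google-analytics.com",
    "www.google-analystics.com",
    "cdn.example.org",
    "beladen.net",
]

if __name__ == "__main__":
    for host, brand, d in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host} looks like {brand} (distance {d})")
```

The genuine domain is skipped explicitly rather than relying on a distance of zero, so a later change to the threshold cannot accidentally flag it. A threshold of 2 catches the single inserted letter in the sample while leaving unrelated names such as the Beladen domain untouched; on a large log the comparison should be restricted to hostnames not already on an allow list, since Levenshtein over every host and every brand is quadratic in the sizes of the two lists.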