"Nine-Ball" mass injection attack compromised 40,000 sites
The attack is called “Nine-Ball” because of the name of the final, malicious landing page, which is loaded with drive-by exploits, that unsuspecting users automatically are redirected to if they visit one of the compromised sites.
Ninetoraq.in, the exploit site, contains malicious code that looks for already patched vulnerabilities in Acrobat Reader, QuickTime, Microsoft Data Access Components (MDAC) and AOL SuperBuddy, which it then attempts to exploit, Stephan Chenette, manager of security research at Websense, told SCMagazineUS.com on Wednesday.
The flaws have all been patched; some date back to 2006, Chenette said. But, the Reader and QuickTime vulnerabilities are newer, making it less likely that users are patched for them. If the malicious code finds an unpatched vulnerability to exploit, it either drops a malicious PDF file or a trojan designed to steal user information, Chanette said.
All of the exploits currently have low detection rates, he added.
The 40,000 legit but compromised websites were “sleeping” up until Monday, Chanette said. Before then, if a user visited one of them, they were redirected to Ask.com. On Monday, though, the attack updated and users started being redirected to the ninetoraq malicious site.
Currently, users who visit one of the compromised sites are first sent through a chain of redirections before landing on the final exploit site ninetoraq. Though users simply see the normal content on the infected page, the redirections would occur in the background without their knowledge -- so a user would not see that they are on the ninetoraq site. By sending users through numerous redirections, it makes the job of tracking the attackers more difficult, Chanette said.
During the redirections, a visitor's IP address is recorded. If the IP address is determined to be new, the user is directed to the exploit payload site. But if the user's IP address has already been recorded, they are directed from the compromised site to the benign site Ask.com -- which they would see happen, Chanette said.
The reason attackers have included this feature could be to evade security companies who are probing the infected sites and attempting to analyze the attack -- one might assume the attack no longer works, because they are being directed to a benign site.
Websense researchers determined that the compromised sites are not running a common piece of software, which means the sites have been injected with malicious code via stolen credentials that have been previously obtained.
Getting rid of the problem requires multiple steps, Chanette said. Website owners must look at their site's source code for obfuscated or scrambled code. Then they need to change the credentials to all accounts that can access that website.
Chanette said that none of the 40,000 infected sites for this particular attack are well-known brands.
“Attackers are going after quantity and not quality,” Chanette said. “If they go after big name websites, they are shut down faster.”
Over the past several months, there have been similar mass-injection attack waves like this every few weeks, Neil Daswani, co-founders of web anti-malware vendor Dasient, told SCMagazineUS.com Wednesday.
A similar threat, called Gumblar, made headlines recently for compromising approximately 60,000 legitimate websites. In addition, another mass-injection attack, Beladen, was said to have infected 40,000 websites.
Daswani said that in the past two years there has been a 600 percent increase in the number of trusted websites being used as malware distribution points. Compromised websites face a number of consequences, including being blacklisted by search engines, which typically causes a significant drop in traffic.
“Once they clean up, the challenge is to try and get back traffic,” Daswani said. “From businesses we have spoken to, once they clean up, it's very hard to get back to [the former] traffic level because there's a loss of consumer confidence.”