A mass injection attack similar, but unrelated, to Gumblar has infected more than 40,000 websites, according to new research from Websense Security Labs.
Thousands of websites are now redirecting unsuspecting users to an exploit site called Beladen, which by means of drive-by download is serving up a trojan downloader to users running older browser versions, and pop-up ads promoting rogue anti-virus for those who are patched, Stephan Chenette, manager of security research at Websense told SCMagazineUS.com on Monday.
“Beladen in German means ‘loaded,’ which is a suitable name because Beladen is loaded with exploits,” Chanette said.
The Beladen.net domain isn’t new – it’s been around since last June, Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com on Monday. Chanette said that while Beladen.net has been flagged by the security community as malicious for quite some time, but its only recently that Beladen.net became involved as the final landing page in this massive injection attack. Landesman added that Beladen is an example of a larger trend: the mass-compromise of legitimate websites, which was illustrated recently with the huge uptick in Gumblar infections.
As a result of the malicious code, when a user visits one of these compromised sites they are redirected twice — first to a website that logs statistical information for the attacker, and then to the Beladen site where the malware is served. These redirections occur within milliseconds of each other, Chanette said.
Once at the Beladen site, if the user is not running the latest version of Firefox or Internet Explorer, their machine would be compromised by the drive-by-download, which does not require any user interaction, Chanette said. If the user is running an up-to-date browser, they will be served pop-up ads prompting them to download rogue anti-virus software.
This exploit is similar to Gumblar in that it’s an example of a mass-injection attack. However, the exploits being used and domains involved are different from Gumblar, leading researchers at Websense to believe these two attacks are unrelated, Chanette said.
ScanSafe’s Landesman agreed, noting that Beladen is a smaller scale attack than Gumblar. During the month of May, Gumblar accounted for 37 percent of all web malware blocks made by ScanSafe, whereas Beladen only accounted for .03 percent, Landesman said.
“Like most of these long-living attack domains they will go silent for a while, and will crop back up,” Landesman said.
But, Landesman added that the overall problem of mass injection attacks is significant, with close to 1,000 unique attacks every two weeks.
“Beladen is one of 1,000,” she said.
Chanette said that the Russian Business Network (RBN) might be responsible for this attack because the first site that users are redirected to, which logs statistical information for the attacker, was formerly owned by the RBN. It’s a typo squatting site which uses a name similar to the legitimate Google Analytics domain (http://www.google-analystics.com), which provides statistic services for websites.
“The Beladen mass injection attack is very indicative that the RBN might be back at work, which would be huge news for the security community since we thought at one point that they had disappeared from the malicious scene,” Chanette said.