Updated, Nov. 12 at 5:22 p.m. EST
The website of a heavily trafficked Indian newspaper is clean of malware, just days after hackers launched a nearly impossible-to-detect cross-site scripting attack that infected users’ machines with a variety of malware.
The Times of India‘s website was hammered with a Web 2.0-style attack in which the malware writers compromised several pages with malicious scripts. The scripts pointed to a remote site containing IFRAMEs, which pointed to two other malicious sites.
“That would start this automatic chain of exploit, and all of it was invisible to the user,” Mary Landesman, senior security researcher at ScanSafe, one of the first security firms to detect the attack, told SCMagazineUS.com today.
She said that at least two of the exploits took advantage of a Microsoft vulnerability, patched last year, involving Data Access Components. Mark Miller, director of security response for Microsoft, told SCMagazineUS.com today in an email that none of the software giant’s customers or partners have reported being affected by this attack.
But she is unsure of the origin of some nine other exploits that ScanSafe researchers identified in the attack, although it is likely they were created using the Metasploit Framework, an open-source framework for developing exploit code.
Infection began when a trojan was installed on the victim’s machine, Landesman said. That initiated the dropping of more than 430 unique files, including binaries, cookies, Flash and web files.
“This is sort of reminiscent of the adware sieges we saw a few months back,” she said. “Most of the malware we see tends to be much more surreptitious. Whoever these attackers were, I would have to characterize them as clumsy. While I said that the visitor to the site who may have been victimized may not have been aware of any downloads, certainly the performance on their system would have been impacted.”
The situation was exacerbated because traditional security solutions did little to deter the attacks.
“Detection of this was extremely low by anti-virus vendors,” Landesman said.
This is the second major website compromise to hit India in recent months. In September, the Bank of India website was disabled for four days after hackers embedded malware on its home page. Experts said the site was distributing 30 types of malware, which served as the payload for two types of previously patched Windows vulnerabilities.
The Times of India is an English-language site that has global reach. Alexa ranks the site as the world’s 481st most trafficked site.