
Poorly implemented sites blamed for latest malware infection

Half a million websites have been infected with a new round of malware attack and poorly implemented website configurations have been blamed.

This latest round of malware, which targets open source phpBB applications, comes on the heels of last week's series of SQL injection attacks affecting more than 4,000 web pages based on Microsoft's ASP and .NET technologies.

"The bad guys' level of sophistication has grown to where they can now find websites that have been poorly implemented, and find them in automated ways," Paul Ferguson, network architect, Trend Micro, told SCMagazineUS.com on Tuesday.

The problem, said Ferguson, is that users are simply downloading readily available apps to add blogs, forums and other Web 2.0 technologies to their sites, and they are not following general security guidelines.

"So the bad guys can cast a wider net. They're exploiting vulnerabilities," he said.

Once loaded onto a PC, the malware redirects users to a site that asks them to download a codec for free porn.

"It's human nature that people fall for this," Ferguson said.

But the difference between this type of social engineering and previous attacks is that in the past, when the lure arrived via email, human intervention was required. In this latest generation the exploit is automated and needs no human interaction, he said.

"What we've been seeing is a lot of attacks on websites and web servers," Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, told SCMagazineUS.com on Wednesday.

And it's not just the traditional sites where malware sits and awaits its prey, like porn sites. High profile sites, like news sites, are now being targeted. Schouwenberg mentioned that the website of a German TV station was a victim recently.

"Users get infected when they go to their favorite sites now."

These attacks have mostly been SQL injection attacks, he added.

This particular phpBB infection chain is capable of keylogging and of scooping up login credentials. Ferguson said his team observed online service provider logins on Tuesday morning.

"What the end-game is is unknown," Ferguson said. But the follow-on effect could be widespread.

"Once a PC is infected it is under the control of someone other than the owner," he said.

These attacks are always driven by a financial motive, he added.

Schouwenberg explained that the phpBB payload is DNS-changer malware: the user has to install the purported codec manually, and that script then changes the DNS server settings on the local machine to re-route traffic. "This can then be used for phishing or click fraud," he said.
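As an added illustration (not code from the article or from either vendor), one way a defender can spot the resolver tampering Schouwenberg describes: parse a host's resolver configuration and flag any nameserver that is not on an allowlist or sits outside the organisation's internal address space. The allowlist, the internal range and the resolv.conf content below are constructed sample values.

```python
"""Detect DNS-changer style tampering by comparing a host's configured
resolvers against what the organisation expects. Constructed example."""
import ipaddress
import re

# Resolvers hosts are expected to use (constructed example values).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Address space in which legitimate internal resolvers live (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed /etc/resolv.conf content as a DNS changer might leave it:
# the first nameserver was replaced by an unknown external resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.7
nameserver 10.0.1.53
"""

_NS_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the resolver addresses in resolv.conf-style text, in order."""
    resolvers = []
    for addr in _NS_RE.findall(resolv_conf_text):
        try:
            resolvers.append(str(ipaddress.ip_address(addr)))
        except ValueError:
            continue  # skip malformed entries rather than crash the check
    return resolvers


def find_unexpected_resolvers(resolv_conf_text, allowed=ALLOWED_RESOLVERS):
    """Return (address, reason) for each resolver that is not allowlisted.

    A resolver outside the internal address space is the classic
    DNS-changer footprint: queries are being sent to someone else's server.
    """
    findings = []
    for addr in parse_resolvers(resolv_conf_text):
        if addr in allowed:
            continue
        ip = ipaddress.ip_address(addr)
        reason = "not on allowlist"
        if not any(ip in net for net in INTERNAL_NETS):
            reason += "; outside internal address space"
        findings.append((addr, reason))
    return findings


if __name__ == "__main__":
    for addr, reason in find_unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"ALERT: resolver {addr} ({reason})")
```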

"We've seen what we believe to be some of the same players we've seen before," Ferguson said. "They're using some of the same IP addresses in this multi-tiered infection chain."

And, though the trail is long and obfuscated, he and his team detected a server in China that is routing to servers in the United States.

It has to be a criminal gang behind the attacks, Ferguson said.

"The attacks are too big, too well organized and too well planned to be the work of a single individual," he said.

And this new phpBB attack shows that the criminals are becoming more adept, he said. He expects such attacks to become more frequent and to reach more broadly.

As far as a solution, users should follow traditional best practices, Ferguson said. It's vital to have the latest patches for software and the operating system.

And this doesn't just mean monthly updates from Microsoft, he added. It means keeping third-party software up to date as well.

"It's an ongoing effort to keep desktops patched properly."

Ferguson also advised that anti-virus and anti-spam be kept up to date.

"It also helps to run reputation services or URL blocking, which can block known malicious URLs," he said.

Schouwenberg added that this attack is also targeting Mac users. But he has the same advice: "Running anti-virus software is a good idea. And make sure all software on the server is up to date."

But even diligence may not be enough. While individual users take security precautions -- keeping all their software up to date, coding their websites securely and running anti-virus programs -- another attack vector lies with the web host. A malware infection on one site can spread to another site hosted on the same server.

"The hosters must invest time and money to do all they can to obviate software," said Schouwenberg, "but the problem is complex."
