Malicious Code Research (MCRC) Blog - 2009
Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
As covered in my previous post, a new round of mass Web attacks started in May 2008. Hackers successfully compromised a large number of government and top business websites worldwide to infect visitors with malware. The attack toolkit being used (aliased “Asprox”) has been around for a few years; however, during the last year we have noticed a rise in the number of attacks using it. The toolkit is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks that append a reference to the malware file using a SCRIPT tag.
During the first two weeks of July 2008, Finjan’s SecureBrowsing in-the-cloud system detected over 1,000 unique website domains that were compromised by this attack. Each of the compromised domains included a reference to malware that was served from over 160 different domains across the Internet. Since the list of these malware-serving domains grows every day, we believe this is just the tip of the iceberg for the scope and impact of this attack.
Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites. The table below shows the distribution by compromised website categories:
| Category | Distribution |
| --- | --- |
| Shopping/Life Style | 15% |
| Computing and Internet | 15% |
| Government | 13% |
| Health Care | 12% |
| Advertisement | 13% |
| Other | 32% |
Our research indicates that the malicious code is still being served by most of the websites and that the toolkit described above is still in use as of July 15, 2008.
Among the many websites that were compromised, we also found various advertisement networks that were used to direct users to compromised advertisements. One of the advertisement networks we found was atdmt.com, which Microsoft plans to acquire as part of Microsoft’s Advertiser and Publisher Solutions Group.
Below are a few examples of compromised legitimate websites:
Compromised government websites:
- marysville.ca.us, the official website of the City of Marysville, registered by the Marysville Police Department.
- www.censocultural.ba.gov.br, the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil.
- www.sfgov.org, the official website of the government of the City and County of San Francisco (the website no longer serves the malicious code; the screen below was captured from the Yahoo cache).
Compromised healthcare websites:
- nhs.uk, the official website of the National Health Service in the UK (the website no longer serves the malicious code as of July 17, 2008)
- samedical.org, the official website of the South African Medical Association (the website no longer serves the malicious code as of July 13, 2008)
Other legitimate websites that were compromised:
- Cocacolabrazil.com (the website no longer serves the malicious code as of July 17, 2008)
- Snapple.com, one of the largest soft drink makers in the US (the website no longer serves the malicious code as of July 24, 2008)
- uci.edu, the official website of the University of California (the website no longer serves the malicious code as of July 24, 2008)
- The Baltimore Times (the website no longer serves the malicious code as of July 13, 2008)
- BMW official site in Mexico (the website no longer serves the malicious code as of July 17, 2008)
- and others
Attack Vector Analysis:
As mentioned earlier, the attack toolkit is designed to inject a <script> tag into legitimate [.asp] webpages. The injected script consists of the following JavaScript code:
Each of the 160 different domains hosting [b.js], [ngg.js] or [fgg.js] points to the location of the malicious file, which was unique to each and every one of them.
The iframe it points to loads obfuscated JavaScript code, which then downloads and executes the malware on the victim's machine automatically. The exploit was provided by the writers of the new version of the NeoSploit toolkit, which uses a refreshed obfuscation routine (using the location of the page as part of the obfuscation function).
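A site-owner's check for the injected reference described above, added here as an example and not part of the original post: it parses a page, collects every script source, and flags the file names the post mentions (b.js, ngg.js, fgg.js) as well as any script loaded from a host outside the site's own allow-list. The sample page, the .invalid hosts and the allow-list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script file names the post reports being referenced by the injected tags.
ASPROX_SCRIPT_NAMES = {"b.js", "ngg.js", "fgg.js"}

class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Tag/attribute names arrive lowercased; unquoted src= values are accepted too.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())

def find_injected_scripts(html, allowed_hosts):
    """Return (src, reason) pairs for script references the site owner did not add:
    a file name seen in the attack, or an external host outside the allow-list.
    Relative paths served from the site itself are never flagged."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        parsed = urlparse(src)
        host = parsed.netloc.lower()
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename in ASPROX_SCRIPT_NAMES:
            findings.append((src, "known Asprox script name"))
        elif host and host not in allowed_hosts:
            findings.append((src, "external host not on allow-list"))
    return findings

# Constructed sample page: two legitimate scripts, then a tag appended to a
# database-backed text field (as the SQL injection does) and an unknown host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/jquery.js"></script>
</head><body>
<p>Product: Widget 3000</p><script src=http://malware-host.invalid/b.js></script>
<script src="//stats.invalid/collect.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_injected_scripts(SAMPLE_PAGE, {"cdn.example.com"}):
        print(f"{reason}: {src}")
```

Run the same function over every text column of the database rather than over rendered pages to find the injected tags at their source, since the injection appends them to stored data.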
The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to increase the chances of successful exploitation:
- MDAC Vulnerability
- QuickTime rtsp Vulnerability
- AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine.
For other interesting findings related to the Asprox attack, you are welcome to visit my previous post, Short research of “in-the-cloud-service” and “unknown malware samples”, which discusses in detail how signature-based applications responded to the new round of Asprox mass attack.
Posted by Ayelet Heyman