Saturday, 12 January 2008

Mysterious mass website compromise spreads malware

Source: The Register

A sophisticated mass compromise of websites ("hundreds") is posing both a serious threat and an inscrutable puzzle at this time. Unlike other mass compromises, there is no recognisable common technology through which the sites may have been breached, and the associated hostile JavaScript is stored on the site itself rather than at a third-party site. The incident includes a sophisticated technique to make searching for compromised sites difficult. The associated malware installs a backdoor on vulnerable systems, and is quite stealthy about it.
The Famous Brett Watson said...

If I were to hazard a guess, I would suggest that the site administrators have divulged their authentication credentials to the attackers, probably through computers infected with keyloggers or similar. The scale of the attack is not so large that manual intervention is ruled out.

The Famous Brett Watson said...

According to ScanSafe, "The attacks are not compromised sites, but rather what we suspect to be the result of a Loadable Kernel Module (LKM) backdoor, i.e. a rootkit-enabled backdoor planted on the host server."

The Famous Brett Watson said...

An updated article at The Register now revises the number of infected sites up into the ten thousand range. It also backs off the LKM theory, suggesting a compromised Apache module instead. There are still no solid theories as to how the necessary access was gained in the first place.