Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

JavaScript attack switches domains

Forcepoint : 23 April, 2008  (Technical Article)
Tracking of malicious code by Websense reveals new domain from which JavaScript attacks originate.
Websense Security Labs has been tracking a recent development of the malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related as our brief analysis in our blog will detail. In the last few hours we have seen the number of compromised sites increase by a factor of ten.

This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on the nihao domain. The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.

There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is 2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too.

The number of sites affected is in the hundreds of thousands. Casualties of the previous attack include various US news web sites, a major Israeli shopping portal, and numerous travel sites.

Websense security customers are protected from this attack.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo