By Dan Goodin
Posted in Security, 30th May 2009 00:21 GMT
A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday.
The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor's machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software.
"For the common user, it's going to be possible but difficult to determine what the code is doing or if it's indeed malicious," Chenette told The Register. "We can see this quickly growing."
The researchers have also noticed that the code, once it's deobfuscated, points to web addresses that are misspellings of legitimate Google Analytics domains that many sites use to track visitor statistics. The RBN, or Russian Business Network, has used similar tactics in the past, and Websense is now working to determine whether those responsible for this latest attack have ties to that criminal outfit.
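The look-alike domains described above are something a site owner or analyst can check for without deobfuscating anything: compare every `<script src>` host in a page against the analytics hosts the site is actually supposed to load. The following is an added example, not code from the article or from Websense; the allowlist, the edit-distance threshold and the sample HTML (including the misspelt host in it) are all constructed for illustration.

```python
"""Flag <script src=...> hosts that are near-misses of legitimate analytics domains.

Added example, not from the article: the infection described on the page pointed
visitors at misspellings of Google Analytics domains. A defender reviewing site
templates or proxy logs can catch such look-alikes with an edit-distance check
against an allowlist of the hosts the site really uses. Sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads analytics from (assumption: site-specific allowlist).
LEGITIMATE_HOSTS = {
    "www.google-analytics.com",
    "google-analytics.com",
    "ssl.google-analytics.com",
}

# A host within this many edits of an allowlisted host, but not equal to one,
# is reported as a look-alike (threshold is an assumption; tune per site).
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) via the classic DP row recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_hosts(html: str) -> list:
    """Return the hostnames of all external scripts, in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        # Protocol-relative includes (//host/path) were common in templates of the period.
        url = "http:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'other' for one script host."""
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    best = min(levenshtein(host, legit) for legit in LEGITIMATE_HOSTS)
    return "lookalike" if best <= MAX_DISTANCE else "other"


def find_lookalike_hosts(html: str) -> list:
    """Distinct script hosts that are near-misses of the allowlisted analytics domains."""
    return sorted({h for h in script_hosts(html) if classify_host(h) == "lookalike"})


# Constructed sample: one genuine analytics include, one typosquat (an 'l' in place
# of the 'i' in 'analytics'), and one unrelated CDN that should not be flagged.
SAMPLE_HTML = """
<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//www.google-analytlcs.com/ga.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for h in script_hosts(SAMPLE_HTML):
        print(f"{h:30s} {classify_host(h)}")
```

Running this over a crawl of a site's own pages is cheap and needs no knowledge of the obfuscation layer: an injected include that has to resemble a trusted host in order to pass a casual glance is exactly what a small edit distance against a short allowlist exposes. Hosts classified as `other` still deserve a look, but the `lookalike` class is the one that matches the tactic the article describes.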
"It could be that the RBN is related, or more likely because that code was publicized, the attackers are acting in a very smart fashion to duplicate methods of old attacks to hide their tracks," Chenette explained.
Websense, which scans millions of websites each hour, has issued a preliminary advisory here. It plans to issue additional details on Monday. ®