A New Blend of Malware being divvied out on 55,000 Hacked Websites

Security researchers have identified a number of backdoor Trojans and password stealers being spread through roughly 55,000 websites.

A group of malware, including password stealers and backdoor Trojans, was found to be infecting Windows systems from roughly 55,000 websites, some of them legitimate domains that appear to have been compromised by hackers. Malicious code, embedded as an iFrame, was found on tens of thousands of websites, placed there to exploit the Windows systems of visitors to the hacked sites.

iFrames have been used many times in the past to push malicious code onto the systems of unsuspecting users who visit an infected or compromised website. Mary Landesman of ScanSafe's security threat alert team found that the cybercriminals behind this campaign had embedded a malicious iFrame into about 59,900 sites. She found this by running a Google search for the specific iFrame script tag; the results showed the tag embedded on many legitimate sites, which could have infected thousands of computers.
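A Google search for the tag is how the campaign was spotted in the wild; a site owner checking their own pages wants the same test run locally. The following Python script is an added example, not code from the article or from ScanSafe: it scans saved HTML for iframes and scripts that load from another host or are hidden by zero dimensions or CSS, and records whether the tag was spliced into the middle of a line of otherwise normal markup. The sample page and the host names in it (www.example-care.org, evil.example, bad.example) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical domains). One iframe is spliced into the
# middle of an otherwise normal line, one is a same-site widget that should not
# be flagged, and one script tag pulls from a third-party host.
SAMPLE_HTML = """<html><head><title>Care Center</title></head>
<body>
<h1>Welcome</h1><iframe src="http://evil.example/in.cgi?3" width=0 height=0 style="display:none"></iframe><p>Our services</p>
<iframe src="/widgets/map.html" width="300" height="200"></iframe>
<script src="http://bad.example/js.js"></script>
</body></html>"""


class TagCollector(HTMLParser):
    """Records every <iframe> and <script> start tag with its attributes and position."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            line, col = self.getpos()  # 1-based line, 0-based column
            self.tags.append({"tag": tag, "attrs": dict(attrs), "line": line, "col": col})


def _tiny(value):
    """True for width/height values of 0 or 1, with or without units."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _is_hidden(attrs):
    """Hidden via inline CSS, or sized so small that nothing is visible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width")) and _tiny(attrs.get("height"))


def find_suspicious_includes(html, site_host):
    """Flag iframes and scripts that load from another host or are hidden.

    Each finding records the tag, its src, the line it sits on, the reasons it
    was flagged, and whether other markup precedes it on the same line (the
    mid-line placement that points at content injected into stored data rather
    than into a template)."""
    collector = TagCollector()
    collector.feed(html)
    lines = html.splitlines()
    findings = []
    for t in collector.tags:
        src = t["attrs"].get("src")
        if not src:
            continue
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host is not None and host.lower() != site_host.lower():
            reasons.append("off-site source")
        if t["tag"] == "iframe" and _is_hidden(t["attrs"]):
            reasons.append("hidden iframe")
        if not reasons:
            continue
        prefix = lines[t["line"] - 1][: t["col"]]
        findings.append({
            "tag": t["tag"],
            "src": src,
            "line": t["line"],
            "reasons": reasons,
            "mid_line": prefix.strip() != "",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_includes(SAMPLE_HTML, "www.example-care.org"):
        print(finding)
```

Run against a saved copy of each page on the site, the script flags the hidden off-site iframe on line 3 (spliced in after the `<h1>`) and the third-party script on line 5, and leaves the same-site map widget alone. An off-site include is not proof of compromise on its own (advertising and analytics tags look the same), so the output is a review list, not a verdict.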

Domains found to carry the malicious code include latindiscover.com, morningsideassistedliving.com, sweetgrassvillagealf.com, foodsresourcebank.org, howellcarecenter.com and others.

Looking further at how the attack affects the system of a user who navigates to one of the compromised sites, the programs most commonly targeted are Adobe PDF, Adobe Flash, RealPlayer, QuickTime and WinZip.

It is not known how far this infection will spread or how many more sites will fall to the hackers behind it. Users are advised to apply all available security updates and patches for the Windows operating system. Because the exploits target the applications listed above rather than Windows itself, it is also strongly suggested that users update each of those applications to its latest version, which may help deflect this attack from the compromised sites.

  • http://www.wewatchyourwebsite.com Thomas J. Raef

    It appears from reviewing thousands of these sites that most of them are using .asp or .aspx pages, which are generally dynamically generated.

    This leads us to believe that this is probably a SQL injection attack, as the dynamically generated pages probably derive their content, or a portion of it, from a back-end database.

    Some of the iframes injected are right in the middle of legitimate lines of HTML code, furthering our theory of the SQL injection.

    That's just our opinion, we could be wrong.