Fugitif
01.06.2009, 21:47
Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.
This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.
Screeenshot of injected code in an injected site:
http://securitylabs.websense.com/content/Assets/AlertMedia/DUH-rename-IT-OK-ObfuscatedCode.jpg
The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate.
Source:
http://securitylabs.websense.com/content/Alerts/3405.aspx
This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.
Screeenshot of injected code in an injected site:
http://securitylabs.websense.com/content/Assets/AlertMedia/DUH-rename-IT-OK-ObfuscatedCode.jpg
The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate.
Source:
http://securitylabs.websense.com/content/Alerts/3405.aspx