A Web attack that compromises vulnerable Web pages and installs a snippet of code to redirect visitors to a malicious site in China continued to spread this week, according to security experts.
The attack, which started at the end of December and was first mentioned on Chinese sites, infects Web sites running Microsoft's Internet Information Server Web software and MS SQL database software, according to the Internet Storm Center, a network-monitoring group run by the SANS Institute. Compromised sites are seeded with
While the attack is "massive and ugly," according to independent security researcher Dancho Danchev, it has also been very successful. The number of Web pages apparently affected by the attack has continued to rise over the past week. A Google search for parts of the
iframe code currently returns nearly 100,000 pages for each domain. While Google search results are not an accurate way to measure the spread of malicious software, they can be a good indicator of the trend of an attack.
Given the success in seeding the redirection code on legitimate Web servers, the use of an old RealPlayer exploit in the attack puzzled some security experts.
"It is weird," said Roger Thompson, chief research officer for antivirus maker AVG. "I think the simplest explanation is is that they found a really good server side exploit, but didn't think the rest of the attack through."
The attack appears, in many ways, similar to last year's compromises that, among other victims, hit the Web site of Super Bowl venue Dolphin Stadium, adding an
iframe redirect to sites hosting malicious code. This year, security firm Computer Associates was reportedly among the victims.
Both domains used in the attack are only a few weeks old. The uc8010.com domain was registered on December 28, and the ucmal.com domain was registered on Deceember 21, according to the Whois database.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos