Computer Emergency Response Team - Industrie Services et Tertiaire
Large website infections

Reference: CERT-IST/DG-2008.003
Version: 1.1
Version date: 17 January 2008

Vulnerability Classification

Risk: high
Impact: Get access
Confidence: Vendor-acknowledged
Attack expertise: Beginner
Attack requirements: Remote (no account) over a standard service

System Information

Affected Platform(s):
  • Microsoft Windows systems
Affected Software(s):
  • NA
Impacted products

Description

Problem description:
Since last week we have been seeing an increase in the number of infected websites, which in turn try to infect the computers of users who visit them.

This trend currently makes it dangerous to surf the Internet with a poorly protected computer.
There is a high likelihood that such a computer will be infected when visiting regular web sites (ones that have themselves been the victim of an attack). That is why we are sending this "Potential Danger" message.

Note:
  • The browser attacks that we have seen target Windows computers only.
  • Fully patched computers (in terms of security updates) are so far not vulnerable to these attacks.
Technical information:
Numerous reports of incidents have been published recently regarding "web attacks". Cert-IST has analyzed several infected sites. It appears that these attacks are of two types:

The first attacks that emerged seem to be due to "SQL injection" vulnerabilities. They impacted several web sites (including Computer Associates). The press reported a figure of 10000 infected sites, but we have no evidence to confirm that figure. The infected sites are then modified by the attacker to force Internet users who visit them to execute a malicious JavaScript file (hosted by third-party sites such as "uc8010.com").

Note:
  • The name of "Mass SQL injection" is most often given to these attacks.
  • We first reported the attack on January 10, in the "crisis management hub" named "Vulnerabilities RealPlayer and exploitation", because a RealPlayer exploit had been found on those infected web sites.
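The first wave is attributed above to SQL injection flaws in the affected sites. The example below is added here and is not part of the advisory: it contrasts a query built by string concatenation (the defect that lets a crafted input rewrite the WHERE clause) with the parameterized form that treats the input purely as data. The table and the article lookup are hypothetical; an in-memory sqlite3 database stands in for a real CMS backend.

```python
"""Vulnerable vs. parameterized query (added example, not the advisory's code).

The 'articles' table and the title lookup are hypothetical; sqlite3 in-memory
is used so the example runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny CMS table with two articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "<p>Hello visitors</p>"), ("News", "<p>Nothing new</p>")],
    )
    conn.commit()
    return conn


def find_article_vulnerable(conn: sqlite3.Connection, title: str) -> list:
    """Builds the SQL text from user input by concatenation.

    Because the input becomes part of the statement itself, a value containing
    a quote can close the literal and change the WHERE clause; this is the
    class of defect the advisory's first wave exploited to alter site content.
    """
    sql = "SELECT id, title FROM articles WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_article_safe(conn: sqlite3.Connection, title: str) -> list:
    """Parameterized query: the driver sends the value separately from the
    SQL text, so it is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (title,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input: closes the literal in the vulnerable form
    print("vulnerable:", find_article_vulnerable(db, probe))  # every row
    print("safe:      ", find_article_safe(db, probe))        # no row
```

With a legitimate title both functions return the same single row; with the constructed probe value the concatenated query matches every row, while the parameterized one matches none, which is the behaviour a code reviewer should look for when auditing a site's data layer.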



The second wave of attacks affects a more limited number of sites (no figure has been reported yet). Some sources suggest that the infection may be caused by a new vulnerability in the "Cpanel" tool (a "0day" attack), but there is no evidence confirming this hypothesis. The infected sites are then modified by the attacker to force people visiting the website to execute a malicious JavaScript file. Unlike the first wave of attacks, the malicious JavaScript filename is random (it has a format similar to "xxxxx.js", but the string "xxxxx" changes at each visit of the website).

Note:
  • The name "Hello Word" is most often given to this attack because some infected sites display the message "Hello Word" when a visitor is trapped.



In both cases, the malicious JavaScript tries to infect the visitor's computer by using a series of known vulnerabilities (for which patches exist) in Internet Explorer and the Windows operating system.
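Both waves share one observable trait on the compromised site: a `<script src=...>` reference to a host the site owner never placed there, and in the second wave a file name that differs from one fetch to the next. The scanner below is an added example, not code from the advisory or from Cert-IST; it lists the script references in a page, flags those pointing at hosts outside the site's own allowlist, and compares two fetches of the same page to surface references that change between visits. The HTML samples, the trusted-host list and the file names are constructed; "uc8010.com" appears only because the advisory names it as a host of the first-wave script.

```python
"""Find injected external <script src> references in site pages.

Added example, not from the CERT-IST advisory. Sample pages, the trusted-host
allowlist and all file names below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Records the src attribute of every <script> start tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":  # HTMLParser already lower-cases tag names
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def script_sources(html: str) -> list:
    """All script URLs referenced by the page, in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    return collector.sources


def foreign_scripts(html: str, trusted_hosts: set) -> list:
    """Script URLs whose host is not in the site's own allowlist.

    Relative URLs (no host) load from the site itself and are left alone;
    scheme-relative URLs such as //host/file.js are resolved by urlparse.
    """
    found = []
    for src in script_sources(html):
        host = urlparse(src).hostname
        if host and host.lower() not in trusted_hosts:
            found.append(src)
    return found


def changing_scripts(first_fetch: str, second_fetch: str) -> list:
    """Script URLs present in only one of two fetches of the same page.

    A reference whose file name changes on every visit is the pattern the
    advisory describes for the second wave.
    """
    a = set(script_sources(first_fetch))
    b = set(script_sources(second_fetch))
    return sorted(a ^ b)


def _page(extra: str) -> str:
    """Constructed sample page: two legitimate scripts plus optional injected markup."""
    return (
        "<html><head>\n"
        '<script src="/js/site.js"></script>\n'
        '<script src="http://www.example-cms.test/js/menu.js"></script>\n'
        "</head><body><p>Hello visitors</p>" + extra + "</body></html>"
    )


TRUSTED = {"www.example-cms.test"}  # constructed allowlist: the site's own hosts
CLEAN_PAGE = _page("")
# First wave: a fixed third-party reference (file name here is constructed)
INJECTED_WAVE1 = _page('<script src="http://uc8010.com/script.js"></script>')
# Second wave: the same page fetched twice, the file name differs each time
INJECTED_WAVE2_A = _page('<script src="//cdn-placeholder.test/kq8z1.js"></script>')
INJECTED_WAVE2_B = _page('<script src="//cdn-placeholder.test/p03mv.js"></script>')


if __name__ == "__main__":
    print("clean page, foreign scripts:", foreign_scripts(CLEAN_PAGE, TRUSTED))
    print("wave 1, foreign scripts:    ", foreign_scripts(INJECTED_WAVE1, TRUSTED))
    print("wave 2, changing scripts:   ",
          changing_scripts(INJECTED_WAVE2_A, INJECTED_WAVE2_B))
```

Run against saved copies of a site's pages, the allowlist check catches the first wave on a single fetch, while the two-fetch comparison is what exposes the second wave, whose host may look plausible but whose file name never repeats.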

Note: These attacks have some similarities with those that occurred in June 2007 (worldwide, and particularly in Italy), linked to the use of a "commercial" attack tool named "MPack". As a reminder, this software makes it possible to launch a variety of attacks against the computers of users connecting to a malicious Web server (one that runs the "MPack" application).

Solution

01 - Cert-IST recommendations

The Cert-IST recommends the utmost vigilance when browsing the web. In particular, it is strongly recommended to keep your operating system and your Web browser up to date (fully patched).

Additional Resources

History

Version   Comment                                      Date
1.1       "Hello World" changed into "Hello Word"      17 January 2008
1.0       Potential danger creation                    17 January 2008



Copyright © 1999-2005 Cert-IST. All rights reserved