Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


New Injection Attack Compromises More Than 40,000 Websites

'Nineball' exploit is distinct from Gumblar, Beladen, researchers say

A new injection attack that redirects users' Web search queries is in the wild, and researchers at Websense believe it may have already affected more than 40,000 sites.

In a blog posted yesterday, Websense researchers indicated that more than 40,000 legitimate sites have been compromised with "obfuscated code that leads to a multilevel redirection attack, ending in a series of drive-by exploits which, if successful, install a Trojan downloader on the user's machine."

When users visit one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code, the researchers say. The final landing page records the visitor's IP address.

When the site is visited for the first time, the user is directed to the exploit payload site. But if the user returns from the same IP address, he is simply directed to the benign site of Ask.com, the researchers report. This one-time download strategy may make the redirects less obvious and harder to detect, they say.

According to a spokesman, the labs first detected what appeared to be benign redirects embedded in compromised Web sites that sent users to Ask.com. "At that time, it seemed likely that hackers were looking to compromise as many sites as possible, getting their foot in the door before activating the campaign with a redirect to a malicious payload site," he says. The attackers used polymorphic code to avoid detection in these early stages.

Now the researchers understand that the malicious campaign actually began simultaneously with the Ask redirect, and the malicious payload site ninetoraq has been infecting users with malware.

Once the user's computer has been redirected from a compromised site to ninetoraq, the site attempts multiple exploits through obfuscated code targeting vulnerabilities in MDAC, AOL SuperBuddy, Acrobat Reader, and QuickTime, the spokesman says. If it finds an open hole, it drops a malicious PDF file or a Trojan that is designed to steal the user's information.

Most antivirus applications will not detect either one of these pieces of malicious code, Websense says. One of the exploits is detected by only three of the 41 most commonly used AV programs.

"The obfuscation code injected into these legitimate Web sites is somewhat random, but the deobfuscation algorithm is consistent amongst all the infections," the researchers say. "The algorithm uses the JavaScript method 'String.fromCharCode' to convert a chunk of decimal values to a string. The string obtained after deobfuscation is an iFrame that eventually leads to an exploit site."

The Websense researchers say the new attack is distinct from Gumblar or Beladen, two other injection attacks that have been redirecting users' search queries in the past month. It is possible that the same hackers might be developing the different attacks, they say.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
PUBLISHED: 2020-08-03
Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.
PUBLISHED: 2020-08-03
Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).
PUBLISHED: 2020-08-03
A vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. The vulnerability is due to improper design or implementation of the Ethernet communication modules of the CNC. An attack...