One of the largest Web site exploits/compromises ever has hit the Web, with more than 10,000 compromised computers redirecting unsuspecting visitors to sites hosting malicious software payloads.
Most of the compromised sites — 78 percent in total — are in Italy but it is spreading around the world, according to Paul Ferguson, network architect with antivirus vendor Trend Micro. The compromised sites aren’t the usual suspects, like porn, music swapping or piracy, but are legitimate sites for news, entertainment or information.
Because so many computers were hit at once, he suspects the bad guys behind it found a way to automate distribution of the payload.
This hack involves more than 10,000 compromised sites, meaning some manner of automating the process of distributing the code was done, said Ferguson.
The compromised sites examine the visitor’s system and determine what if any vulnerabilities exist on the system. They are then redirected to a computer with a malicious payload that takes advantage of the unpatched system.
“For systems that are completely patched, they are pretty much not at risk, but there are millions of consumers out there not [fully patched],” Ferguson told internetnews.com. “It used to be we could tell customers only go to Web sites that are trusted. Unfortunately in this situation, that advice doesn’t hold water because it’s so broad.”
As if 10,000 compromised Web sites isn’t enough, victims are redirected to sites hosting a new and improved version of WebAttacker, a do-it-yourself malware kit that makes it relatively easy to build exploits, Trojans, keyloggers and other malicious software.
While most of the compromised Web sites are in Italy, Ferguson said most of the sites hosting WebAttacker are in the U.S. However, Trend Micro has not been able to reach the site administrators and has enlisted the help of law enforcement, so those sites owners will be receiving a visit from their local authorities shortly.
End users should ensure they have patched their computer fully, and for extra security, consider a redirect blocker, which is available for Firefox. Antivirus software will catch the malicious payload being sent by the sites hosting WebAttacker, but as Ferguson points out, all it takes is a minor change to that code and antivirus programs might not recognize them.
Trend Micro’s ongoing effort to track the exploits can be found on its blog.
The compromise is reminiscent of the iframe redirect hack that was embedded into the homepage of Dolphin Stadium, the home arena of the Miami Dolphins football team and host to the most recent Super Bowl. A redirect would send visitors to the site, which saw inordinate traffic due to the Super Bowl, to a site that served up known compromises in Windows.