Author Topic: After gumblar and beladen now Nine-Ball attack!  (Read 3550 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33669
  • malware fighter
After gumblar and beladen now Nine-Ball attack!
« on: June 18, 2009, 10:05:30 PM »
Hi you malware fighters,

After the Gumblar & Beladen attacks researchers discovered yet another big attack of which at least 40.000 websites became victims. The so-called "Nine-Ball" attack, named after the site where all atacked sites re-direct to, functions in a similar way like Gumblar & Beladen attacks, re:
http://securitylabs.websense.com/content/Alerts/3421.aspx
Websites are being hacked, obfuscated code is loaded there trying to infect visitors through not patched leaks. The attackers also check whether visitors have visited the hacked site before.

If not they get an exploit for a Windows hole (MS06-014), AOL SuperBuddy, Acrobat Reader or QuickTime. Are they known, they are re-directed to another page. Via mentioned exploits a Trojan is being installed that steals private data. Out of 41 av-solutions only 7 recognized the trojan as malware and only 3 detected the PDF-exploit.

The security firm Websense has been tracking Nine Ball for a week and a half, and said compromised websites, loaded with malware, will first try to identify a web visitor by IP address to discover if it’s a repeat visitor. To evade security researchers and investigators who would likely be among any repeat visitors, the web page will dump a repeat visitor onto the search engine site Ask.com.

“Ask.com is nothing malicious, you’re just sent there if they’ve seen you before,” says Stephan Chenette, manager of security research at Websense. This type of inspection and re-direction is becoming commonplace in web attacks as a way to evade investigation, he points out.

If a web visitor is new, the victim is pushed through a few more re-directions to land at the site www.nine2rack.in, which may sound like a site in India, but is in Ukraine, Websense believes. The URL inspired Websense to name the attack method Nine Ball.

Is not it time for webmasters and web admins to wake up to this situation, and why the slackness in patch routine (this is also the case with the larger majority of web browser users),

The MS06-014 exploit code will download a Trojan dropper with low AV detection rate*. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate**..."
* http://www.virustotal.com/analisis/62254bf6a13a438bc53c0f3745c622c5c1604aa37e4f866036a1e94c35cc68f7-1245137075
File l.php ... Result: 7/40 (17.50%)

**  http://www.virustotal.com/analisis/f9565077d685764b9e219358d4a64e2165fd8ac157fa46c955a5e35112aad894-1245160253
File PDF.php ... Result: 3/41 (7.32%)     avast and associates detect (2)


polonus
« Last Edit: June 19, 2009, 12:12:01 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33669
  • malware fighter
Re: After gumblar and beladen now Nine-Ball attack!
« Reply #1 on: June 22, 2009, 10:23:14 PM »
Hi malware fighters,

Here you can read how ScanSafe reacted on this over-hyped issue put forward by Websense:
http://blog.scansafe.com/
There never were 40.000 infected sites, merely 66!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!