Hi you malware fighters,
After the Gumblar & Beladen attacks researchers discovered yet another big attack of which at least 40.000 websites became victims. The so-called "Nine-Ball" attack, named after the site where all atacked sites re-direct to, functions in a similar way like Gumblar & Beladen attacks, re:
http://securitylabs.websense.com/content/Alerts/3421.aspxWebsites are being hacked, obfuscated code is loaded there trying to infect visitors through not patched leaks. The attackers also check whether visitors have visited the hacked site before.
If not they get an exploit for a Windows hole (MS06-014), AOL SuperBuddy, Acrobat Reader or QuickTime. Are they known, they are re-directed to another page. Via mentioned exploits a Trojan is being installed that steals private data. Out of 41 av-solutions only 7 recognized the trojan as malware and only 3 detected the PDF-exploit.
The security firm Websense has been tracking Nine Ball for a week and a half, and said compromised websites, loaded with malware, will first try to identify a web visitor by IP address to discover if it’s a repeat visitor. To evade security researchers and investigators who would likely be among any repeat visitors, the web page will dump a repeat visitor onto the search engine site Ask.com.
“Ask.com is nothing malicious, you’re just sent there if they’ve seen you before,” says Stephan Chenette, manager of security research at Websense. This type of inspection and re-direction is becoming commonplace in web attacks as a way to evade investigation, he points out.
If a web visitor is new, the victim is pushed through a few more re-directions to land at the site
www.nine2rack.in, which may sound like a site in India, but is in Ukraine, Websense believes. The URL inspired Websense to name the attack method Nine Ball.
Is not it time for webmasters and web admins to wake up to this situation, and why the slackness in patch routine (this is also the case with the larger majority of web browser users),
The MS06-014 exploit code will download a Trojan dropper with low AV detection rate*. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate**..."
*
http://www.virustotal.com/analisis/62254bf6a13a438bc53c0f3745c622c5c1604aa37e4f866036a1e94c35cc68f7-1245137075File l.php ... Result: 7/40 (17.50%)
** http://www.virustotal.com/analisis/f9565077d685764b9e219358d4a64e2165fd8ac157fa46c955a5e35112aad894-1245160253
File PDF.php ... Result: 3/41 (7.32%) avast and associates detect (2)
polonus
