
Websense® Security Labs™ ThreatSeeker™ Network has discovered that a mass injection attack targeting Web hosting networks is spreading in the wild. Users visiting these compromised sites will be redirected to rogue AV sites.


Websense ThreatSeeker Network recently detected a large-scale outbreak of this campaign. The targets are four well-known Web hosting providers: BlueHost, DreamHost, Bizland and Go Daddy. According to our statistics, approximately 38% of the compromised sites in this campaign are hosted on BlueHost, and nearly 97% of the sites compromised by the attack are hosted by these four Web hosting companies.


The chart below shows the number of compromised sites we monitored in the last week:



Below is the distribution of compromised sites across the affected Web hosting companies:


The cybercriminals use similar injections to insert a PHP link in a script tag at the bottom of each compromised page, as shown below:

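As an added example (not code from the original post), the following Python check is one a hosting administrator could run over served pages to flag the pattern described above: a script tag near the bottom of the page whose src is a .php URL on a third-party host. The sample page, the site host name and the domains in it are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Matches a <script ... src="..."></script> element; src may use ' or " quotes.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>',
    re.IGNORECASE,
)


def find_injected_scripts(html: str, site_host: str, tail_bytes: int = 2048) -> list:
    """Return external .php script URLs found in the tail of a page.

    The campaign appends a <script> tag whose src is a PHP URL on another
    domain to the bottom of each compromised page, so only the trailing
    portion of the document is inspected. A URL is reported when it points
    to a .php resource on a host other than the site's own.
    """
    tail = html[-tail_bytes:]
    hits = []
    for src in SCRIPT_SRC_RE.findall(tail):
        parsed = urlparse(src)
        host = parsed.netloc.lower()
        if not host or host == site_host.lower():
            continue  # relative or same-origin include: not this pattern
        if parsed.path.lower().endswith(".php"):
            hits.append(src)
    return hits


# Constructed sample page; the domains are placeholders, not real indicators.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script></head>
<body><p>Welcome to our store.</p>
</body></html>
<script src="http://attacker-example.invalid/images/load.php"></script>"""

if __name__ == "__main__":
    for url in find_injected_scripts(SAMPLE_PAGE, "shop.example"):
        print("possible injection:", url)
```

Running the block over pages served by a hosting account produces a list of candidate injections to verify by hand; same-origin and relative includes are deliberately ignored to limit noise.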


The major injected URLs used in the attack are:


Most of the above sites were registered between May and July by the same person using two free mailboxes. From the payloads, we found that they all redirect to rogue AV pages which use .co.cc as their top-level domain.


Below is one of the payloads from whereisdudescars.com:


The payload leads users to rogue AV sites and pushes them to download fake antivirus software, which has low detection coverage on VirusTotal.


Websense TRITON Advanced Classification Engine (ACE) is protecting customers against this attack. We will continue to monitor the campaign and update protection as it evolves.



Xue Yang

Comments

  Marq said on Tuesday, September 07, 2010 1:02 PM

Your pie chart of compromised web hosting companies is way too simplified ( or in error ).

Here is a listing of over 260 hosting servers that have been compromised - with their web sites dealing out malware code or zombies that are using the compromised hosting servers to expand their networks and seek out other boxes to compromise:

www.infosyssec.com/.../viewtopic.php

And here is a listing of over 500 hosting servers that have been compromised and used as described above.

www.infosyssec.com/.../viewtopic.php

These were active in a one week period.

But overall, the premise of your story is fatally correct. Hosting servers and compromised web sites have become a favorite of the malware and Bot crowd.

I suspect they have found that the huge bandwidth pipes and cranked up servers are well suited to their mal-intentions.

Possibly they are also shying away from wasting their time compromising personal computers because they have found that poorly administered hosting companies are slow to detect or cleanse their infected servers or hosted web sites.

Marq


  Thomas J. Raef said on Wednesday, September 08, 2010 6:19 AM

We've also been seeing another domain: drea[REMOVED]usion.co.cc used in this same infection.

  Xue Yang said on Thursday, September 09, 2010 12:31 AM

Web hosting services are indeed a large target for hackers now, but the ones we are discussing are different from the one Marq mentioned above; they are not the same attack campaign.

©2012 Websense, Inc. All Rights Reserved.