Researchers Uncover 40,000 Compromised Sites

Researchers at Websense uncover a mass compromise of legitimate sites in an attack called Nine-Ball that is redirecting users to a malicious site hosting malware

More than 40,000 legitimate Websites have been hit by an attack that is redirecting users to a site laced with malware.

The “Nine-Ball” compromise, which officials at Websense said they have been monitoring since June 3, has been dubbed Nine-Ball after the malicious site it directs users to.

“We are not releasing the names of the sites compromised,” said Stephan Chenette, manager of threat research at Websense. “We’ve attempted to contact a subset of the compromised sites to let them know that they’ve been infected … No particular vertical was targeted.”

The attack appears to be the end result of handiwork by a Trojan that swiped FTP credentials from the site owners, Chenette said. Once they had the credentials, the attackers inputted them to automated bots and obtained control of content across thousands of sites.

When users visit one of those sites they are bounced around between a series of different sites owned by the attacker until they are brought to the final landing page containing the exploit code. Once there, the user is subjected to drive-by attacks attempting to exploit various Microsoft, Adobe Reader and QuickTime vulnerabilities. If successful, the user will be served a Trojan dropper with a low detection rate.

In a bit of ingenuity, in a bid to sniff out security researchers, the compromised sites are set to check if they have been visited more than once by the same IP address. If a visitor has been to the site more than once, he or she will be directed to ask.com instead of to the attack site.

While Nine-Ball is the third mass Website compromise report to make headlines in recent weeks, Chenette said it appears to be distinct from the others.

“The Nine-Ball mass compromise is not related to either Beladen or Gumblar, but like the previous mass compromises, many of the machines owned by the attacker are located in the Ukraine,” Chenette said.

“At any given time, Websense Security Labs is tracking a handful of mass compromises,” he added.