Friday, August 21, 2009

Mass Compromise of Sites with Webalizer

The eSoft Threat Prevention Team has been tracking a rapidly growing pattern in website exploits over the last 24 hours. Since Thursday, Aug 20 eSoft has seen over 6,000 compromised URLs of the pattern:

And the numbers are growing at a rate of several hundred per hour. A Google search for inurl:050609wareza shows around 30,000 such compromised sites.

The compromised sites typically contain nonsense text and a series of pictures of pills, with links to more compromised sites and to dangerous scripts that trigger well-known exploits, including the recent exploit of the ActiveX streaming video control discussed in this eSoft security bulletin:

In some cases, such as when eSoft researchers tried navigating to a compromised site using Firefox on Windows, a redirection to files express occurs:

In testing, when the exploit is successful, it seems to be an information stealing Trojan, though the payload has varied. As the payloads seem to have weak coverage by AV companies and seem to be changing frequently, blocking the offending websites is the best solution for preventing infection.

eSoft’s threat prevention team notes that around 1/3 of the compromised sites include a webalizer directory, which may indicate a correlation with a recently published webalizer exploit. This exploit allows an attacker to execute arbitrary code, often with elevated privileges. More information on this exploit can be located below. It is recommended that administrators configure webalizer to not do reverse DNS lookups until a patch is released.
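As an added example (not eSoft's code), the two defender-side checks this post points to: a small parser that reports whether a webalizer.conf has reverse DNS lookups switched on and rewrites it to disable them, and a filter that flags URLs carrying the 050609wareza indicator mentioned above. It assumes, from my own reading of webalizer.conf, that lookups run only when the DNSCache and DNSChildren directives are set; the configuration fragment and URLs are constructed samples.

```python
import re

# Constructed webalizer.conf fragment with reverse DNS lookups enabled
# (the weak setting). DNSCache/DNSChildren are assumed to be the
# directives that control lookups, as documented in webalizer.conf.
WEAK_CONF = """\
# Sample webalizer.conf (constructed)
OutputDir   /var/www/html/webalizer
DNSCache    dns_cache.db
DNSChildren 10
"""

def parse_conf(text):
    """Parse 'Keyword value' lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def dns_lookups_enabled(conf):
    """Lookups run only when a cache file is set and DNSChildren > 0."""
    try:
        children = int(conf.get("DNSChildren", "0"))
    except ValueError:
        children = 0
    return bool(conf.get("DNSCache")) and children > 0

def harden(text):
    """Return the config with reverse DNS lookups disabled (DNSChildren 0)."""
    pattern = re.compile(r"^(\s*DNSChildren\s+)\S+", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(r"\g<1>0", text)
    return text.rstrip("\n") + "\nDNSChildren 0\n"

# Indicator from the post: compromised URLs contain '050609wareza'.
INDICATOR = re.compile(r"050609wareza", re.IGNORECASE)

def flag_urls(urls):
    """Return the URLs (e.g. from a proxy log) that match the indicator."""
    return [u for u in urls if INDICATOR.search(u)]

if __name__ == "__main__":
    print("lookups enabled:", dns_lookups_enabled(parse_conf(WEAK_CONF)))
    print(harden(WEAK_CONF))
```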

eSoft will continue to cover this threat and to protect customers from these websites by flagging them as Compromised. At the start of research, Google had very few of these sites flagged as malicious, but it seems that increasing numbers are being identified by its cloud security as well. Other security engines tested, including Web of Trust, Norman, and McAfee SiteAdvisor, have very poor detection of these sites at this time.
