NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0365 Mass Host Attack Larger than First Thought:
A large-scale hack of legitimate web sites to infect visitors' PCs is much more massive
than first thought, researchers said. At least 10,000 sites have been compromised and have
hijacked unpatched systems steered to their URLs. On Monday, 14JAN, a senior security
researcher at ScanSafe Inc. said that she had uncovered hundreds of sites which had been
hacked and were feeding exploits to visitors. On Tuesday, a senior researcher with
Atlanta-based SecureWorks Inc. said the number was considerably larger. According to ScanSafe's data,
approximately 10,000 sites hosted on Linux servers running Apache, the popular open-source
web server software, have been hacked, most likely with purloined log-in credentials. Those
servers have been infected with a pair of files that generate constantly changing malicious
JavaScript. When visitors reach a hacked site, the script calls up an exploit cocktail
that includes attack code targeting recent QuickTime vulnerabilities, the long-running
Windows MDAC bug, and even a fixed flaw in Yahoo Messenger. If the visitor's PC is unpatched
against any of nine exploits, it's infected with a new variant of Rbot, the notorious backdoor
Trojan. The end result: The PC is added to a botnet. Users can protect themselves from
attack by making sure all software on their systems is patched and that their security
software signatures are up-to-date. The researchers also recommend that web site administrators
disable dynamic loading in their Apache module configurations.
(ComputerWorld 18JAN08)