Full Version: Mass Injection Compromises More than Twenty-Thousand Web Sites
B.I.S.S. Forums > Bluetack Forums > Global News
Sabu75
Alerts


Mass Injection Compromises More than Twenty-Thousand Web Sites

Date: 05.29.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

more information online here:

http://securitylabs.websense.com/content/Alerts/3405.aspx


additional information below

Tens of thousands of web sites fall victim to a mass hack attack:

http://www.h-online.com/security/Tens-of-t...k--/news/113442



Sabu
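As an added illustration (not part of the Websense alert or of this post), here is a small Python checker for the two indicators the thread describes: a script loaded from a host that imitates google-analytics.com, and a script file named h.js. The sample page and its .invalid host names are constructed for the example; the list of legitimate analytics hosts is an assumption made here, not something the alert states.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts treated as the real Google Analytics service (assumption for this example).
LEGIT_ANALYTICS_HOSTS = {
    "google-analytics.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    """Return (src, hostname) pairs; hostname is None for relative URLs."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [(src, urlsplit(src).hostname) for src in parser.srcs]


def is_analytics_lookalike(host):
    """True when the host name mentions google-analytics but is not the real service."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    if host in LEGIT_ANALYTICS_HOSTS or host.endswith(".google-analytics.com"):
        return False
    return "google-analytics" in host or "googleanalytics" in host


def suspicious_scripts(html):
    """List (src, reasons) for every script tag matching one of the two indicators."""
    findings = []
    for src, host in script_sources(html):
        reasons = []
        if is_analytics_lookalike(host):
            reasons.append("google-analytics look-alike host")
        # Same coverage as the AdBlock Plus rule http://*/h.js mentioned in the thread.
        if urlsplit(src).path.endswith("/h.js"):
            reasons.append("loads /h.js")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one real analytics include, one look-alike, one h.js.
SAMPLE_PAGE = """<html><head>
<script src="http://www.google-analytics.com/urchin.js"></script>
<script src="http://google-analytics.example.invalid/ga.js"></script>
<script src="http://cdn.example.invalid/h.js"></script>
<script src="/local/app.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_scripts(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

Run it over saved copies of pages you administer; the look-alike test is deliberately loose (any host mentioning google-analytics that is not the real one), so review each hit rather than blocking on it automatically.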
Aaron.Walkhouse
I have a list of the attack sites (446 so far) and will start blocking IP
ranges as I analyze the list, starting with the first layer of redirectors.

First batch:

(Mass injection attack) armsart.com:208.43.17.250-208.43.17.250
(Mass injection attack) acglgoa.com:209.62.86.113-209.62.86.113
(Mass injection attack) idea21.org:66.249.130.142-66.249.130.142
(Mass injection attack) yrwap.cn:222.191.251.174-222.191.251.174
(Mass injection attack) s4d.in:66.7.219.192-66.7.219.192
(Mass injection attack) dbios.org:66.147.242.168-66.147.242.168

Elapsed time: 35 seconds. Take that, sucka!
Aaron.Walkhouse
10% of the long list scanned. It looks like about half are offline and these
scammers are relying heavily on compromised servers on ThePlanet.


2 minutes later:
This one looks important, so I'll block it before the list is done:
(Mass injection attack) vvexe.com:60.190.216.2-60.190.216.2



5 minutes later:
If you have AdBlock Plus, add this to your blocks: http://*/h.js

ucmal.com was already in my HOSTS list for something else.
It is also in a ThePlanet range.



10 minutes later:
Scan 20% complete. A lot of them are offline, perhaps extra names to slow
down blocking efforts or spares...
Aaron.Walkhouse
20 minutes:
50% done. Looks like only around 10% of them actually exist so far...



26 minutes:
This one looks important, so I'll block it now:
(Mass injection attack) you69tube.com:72.167.37.109-72.167.37.109



30 minutes:
This looks like it's home.
(Mass injection attack) NOVIKOV-NET:91.207.61.0-91.207.61.255
It's starting to look like an RBN operation.

www.dota11.cn was also already in my HOSTS file.....
Aaron.Walkhouse
40 minutes:
Definitely something suspicious about this guy. Lots of reports of exploits:
(Mass injection attack) Novikov, Aleksandr Leonidovich:91.207.60.0-91.207.61.255



50 minutes:
Almost done. Looks like it won't take many blocks to cover it....
Aaron.Walkhouse
Here we go. The whole set, including the ones already blocked


60.31.177.179 www.loveqianlai.cn, www.qq117cc.cn, www.hiwowpp.cn, www.qqcc123.cn, www.o1o2qq.cn, www.maigol.cn
60.190.216.2 vvexe.com
61.152.244.82 shygddc.cn
63.119.44.197 www.tlcn.net
64.70.19.33 sb.5252.ws
66.7.219.192 s4d.in
66.147.242.168 dbios.org
66.249.130.142 idea21.org
69.64.147.209 cc.18dd.net, ucmal.com
69.64.147.211 cmiia.com
69.64.147.217 ww.xnibi.com
69.64.155.119 www.adw95.com
69.64.155.122 c.uc8010.com, n.uc8010.com, t.uc8010.com
69.64.155.124 001yl.com
69.64.155.126 www.refer68.com
74.55.100.8 a188.ws
72.167.37.109 you69tube.com
74.200.220.214 www.fucksb.net
74.208.64.145 b15.3322.org
80.244.188.87 w11.6600.org
83.138.132.212 d39.6600.org
87.242.78.57 chat27.by.ru
96.9.152.44 go.nnd.hk
115.28.220.128 www.chliyi.com
118.102.24.109 www.nihao112.com, www.bluell.cn, 17gamo.com, i8jdd.cn, chanm.cn, 52-o.cn
119.10.160.47 www.wakasa.or.jp
120.50.34.232 www.heiheinn.cn, www.j8j8hei.cn
121.11.76.85 jjmaobuduo.3322.org, jjmaoduo2.3322.org
124.42.34.168 www.nihaoel3.com, www.qiqi111.cn, www.117275.cn, b.kaobt.cn, mo98g.cn, o7n9.cn
124.42.34.172 www60.actualization.cn
125.46.57.157 www.ba1do.com
125.67.234.95 d.388b.cn
159.226.7.162 www.wowyeye.cn
174.36.149.93 s.see9.us, kk6.us
174.37.157.248 tjwh202.162.ns98.cn, www0.douhunqn.cn, www2.s800qn.cn, sdo.1000mg.cn, www3.800mg.cn, a814.cn,
174.37.157.249 vb008.cn
202.104.186.6 bc0.cn
204.13.161.103 www.ausadd.com
205.209.137.110 www.11910.net
208.43.17.250 www.armsart.com, armsart.com
208.73.210.121 www.banner82.com, www.destbnp.com, 3.trojan8.com
208.109.183.239 mvoyo.com
209.62.86.113 acglgoa.com
209.172.59.196 www.gbradde.tk
210.183.36.188 m11.3322.org
211.99.4.238 newasp.com.cn, xvgaoke.cn, smeisp.cn
211.155.25.39 1.hao929.cn
216.188.26.161 free.hostpinoy.info
216.188.26.162 www.xiaobaishan.net, www.msshamof.com
216.245.201.208 teiri.cn, mcuve.cn
216.34.131.135 rnmb.net
216.8.179.24 free.edivid.info
218.57.8.144 a.13175.com
218.61.15.243 www.bluexzz.cn
219.150.143.53 iwdown.com
221.130.185.24 www.ko118.cn
221.206.20.141 www.wowofmusiopl.com.cn
222.191.251.174 yrwap.cn


Not so big after all, eh?
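An added example, not Aaron's own tooling: a Python script that turns a list in the "IP host, host" shape posted above into P2P-format block list entries like the "(Mass injection attack) name:first-last" lines earlier in the thread, and into HOSTS-file lines, with a helper for whole-network entries such as the /24 blocked above. The sample list is a constructed excerpt of a few lines from the posted list; the label text is taken from the entries above.

```python
import ipaddress

LABEL = "Mass injection attack"

# Constructed sample in the same "IP host, host" shape as the posted list.
# The third line carries a trailing comma, which the parser must tolerate.
SAMPLE_LIST = """\
60.190.216.2 vvexe.com
69.64.147.209 cc.18dd.net, ucmal.com
174.37.157.248 tjwh202.162.ns98.cn, www0.douhunqn.cn, a814.cn,
208.43.17.250 www.armsart.com, armsart.com
"""


def parse_list(text):
    """Parse 'IP host[, host...]' lines into (ip, [hosts]) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, rest = line.partition(" ")
        # Validate the address so a typo raises instead of producing a bogus block.
        ip = str(ipaddress.ip_address(ip))
        hosts = [h.strip() for h in rest.split(",") if h.strip()]
        entries.append((ip, hosts))
    return entries


def p2p_line(name, first, last=None):
    """One line in the P2P block list format: '(label) name:first-last'."""
    last = first if last is None else last
    return f"({LABEL}) {name}:{first}-{last}"


def to_p2p(entries):
    """One single-address P2P line per IP; the first host name labels the entry."""
    return [p2p_line(hosts[0], ip) for ip, hosts in entries]


def to_hosts(entries, sink="0.0.0.0"):
    """HOSTS-file lines pointing every listed name at a sink address."""
    return [f"{sink} {host}" for _, hosts in entries for host in hosts]


def range_for_network(name, cidr):
    """P2P line covering a whole network, e.g. a /24 belonging to one operator."""
    net = ipaddress.ip_network(cidr, strict=False)
    return p2p_line(name, net[0], net[-1])


if __name__ == "__main__":
    entries = parse_list(SAMPLE_LIST)
    print("\n".join(to_p2p(entries)))
    print(range_for_network("NOVIKOV-NET", "91.207.61.0/24"))
    print("\n".join(to_hosts(entries)))
```

The HOSTS output only stops name lookups on the machine it is installed on, while the P2P entries block the addresses themselves; the two complement each other, since the thread notes that many of these names are spares that resolve nowhere yet.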
Aaron.Walkhouse
The server failed as I was entering this list:
QUOTE
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, admin@bluetack.co.uk and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
I'll finish up tomorrow.
Aaron.Walkhouse
With all of the attack sites entered, I'll stroll down the list and get
background on the ISPs and hosts they are using. This'll take a while
but the info will be useful later and I'll probably find some ranges to
block for various reasons.
wonderfall
How did you manage to get your hands on a list of attack sites? It must have taken some impressive mining.
Aaron.Walkhouse
I just followed the posts on the topic. One post had a batch of addresses
extracted from the malware. Other posts had more details on servers
and ranges and the main exploit server, which was never named, was
tracked to a range belonging to "Aleksandr Leonidovich Novikov".

It was a pretty easy trail of breadcrumbs to follow. The work was
in matching host names to IP addresses and getting background
on all the hosting providers or companies whose servers were
compromised and being used by the exploits.

One cute coincidence:
The site called www.gbradde.tk used to be antipiratbyran.tk last June.