Following a high-profile Web site hack Friday, malware hunters have
discovered that as many as 50 other Web sites across the Internet
were compromised by malicious attackers, and could have been
infecting visitors' machines with dangerous malware as recently as
Sunday.
Friday, San Diego-based Websense Inc.'s Security Labs unit
discovered that attackers had successfully compromised the Web site
of Miami's Dolphin Stadium, home of last Sunday's Super Bowl XLI.
Over the weekend, Websense and researchers at the Bethesda,
Md.-based SANS Internet Storm Center (ISC) discovered that dozens
of additional Web sites had been compromised in the same manner,
including high-profile sites belonging to organizations such as
Massachusetts General Hospital, Olympus America Inc., the American
Journalism Review, the National Multiple Sclerosis Society and the
city of Boston.
In all, at least 50 Web sites were victimized, several of which
had been compromised as far back as early January. However,
Johannes Ullrich, chief research officer of the SANS ISC, confirmed
that all of the high-profile sites were fixed over the weekend and
they no longer pose a danger to visitors.
As was the case in the
Dolphin Stadium hack, a malicious JavaScript
keylogger file had been inserted into each Web site's front page
header. Upon visiting the site, the script executed and
attempted to download a malicious backdoor Trojan that exploited
two known Microsoft vulnerabilities: MS06-014 and MS07-004.
Ullrich said the malicious Trojan originated from a domain in
China, which has also been terminated. He said early evidence
suggests that the likely culprit may be a Chinese gold farming
syndicate linked to the online role-playing game World of
Warcraft.
"It almost looks like this Chinese group had a script that
looked for a particular vulnerability in an order of mass on all
these sites," Ullrich said.
"There was nothing interesting about the downloader or the
password stealer. They were old, uninteresting pieces of malware,"
said David Marcus, McAfee Inc. security research and communications
manager. "But their choice of Web site (Dolphin Stadium) to host it
on was quite clever."
Dan Hubbard, vice president of security research for Websense,
said his organization stumbled upon the Dolphin Stadium Web site
exploit when its customers called asking why the company's security
software was automatically blocking that site.
Hubbard said that as of Sunday night, Websense's research
indicated that there were about 10 known compromised sites that had
not yet been repaired, none of which were considered high profile.
Now that the Chinese domain spreading the Trojans has been removed
from the Internet though, he said the threat is significantly
mitigated.
"The Chinese domain was taken down, and though it did come back
up a couple times in different locations with different IP
addresses, the issue has now been taken care of at an IP level, so
I wouldn't say there's any kind of elevated risk."
A spokeswoman for Massachusetts General Hospital, which operated
one of the reportedly compromised domains, said she hadn't heard of
an attack on the organization's Web site; two other organizations
with affected Web sites did not return calls. A representative for
the city of Boston was unable to confirm that its site was
affected.
SANS ISC is investigating exactly what may have enabled so many
Web sites to be compromised. Ullrich said his organization is
working to determine whether each site had been running an
unpatched version of Microsoft's Internet Information Server (IIS)
software. However, he said there could be other factors
involved.
"We're also looking at the apps on the servers," Ullrich said.
"It could also be that they have some common content management
system installed. We don't know yet."
Virtual hosting complicated the issue for some victims, as several
had multiple domains compromised because those domains' Web pages
were hosted on the same server. "It wasn't like there were
five or six servers compromised," Hubbard said. "A couple servers
had multiple sites hosted on them. One was compromised that had
virtual hosts on it."
Hubbard said Websense has attempted to contact a number of the
additional organizations whose Web sites have been affected, but
contacting the appropriate personnel in each organization is
challenging.
"One of the great things about the Web is that you can put up a
Web site in 15 minutes," Hubbard said, "but one of the bad things
about the Web is that people often do that and don't understand
security. It's not like you can always pick up the phone and find
the person who runs each Web site."
Making matters worse, Ullrich said it's possible that more Web
sites have been compromised but have not yet been discovered.
Still, Ullrich said organizations can remain safe as long as they
take measures to block the Chinese domains from which the malware
originated.
Hubbard said this incident serves as a lesson that most of these
types of exploitations are avoidable by keeping software patches
updated and diligently maintaining a log of Web site configuration
changes.
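The attack described earlier (a script reference inserted into each site's front-page header) and Hubbard's advice about keeping a record of Web site configuration changes point to a simple defender's check: capture the scripts a page's head is supposed to load when the page is known good, then compare later copies against that baseline. The following is an added example and is not code from the article, from Websense, or from SANS ISC; the HTML, hostnames and file names in it are constructed placeholders.

```python
"""
Baseline comparison for <script> elements in a page's <head>.

Added example (not from the article). It records every script in the
<head> of a known-good copy of a page: external ones by source host,
inline ones by SHA-256 of their body. A later copy is flagged when it
references a host outside the baseline or carries an inline script whose
hash is not in the baseline. All HTML and hostnames below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class HeadScriptCollector(HTMLParser):
    """Collect <script> elements that appear inside <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.in_script = False
        self.current_src = None
        self.current_body = []
        self.external = []   # src attribute values of external scripts
        self.inline = []     # sha256 hex digests of inline script bodies

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            self.in_script = True
            self.current_src = dict(attrs).get("src")
            self.current_body = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data (CDATA content).
        if self.in_script:
            self.current_body.append(data)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "script" and self.in_script:
            self.in_script = False
            if self.current_src:
                self.external.append(self.current_src)
            else:
                body = "".join(self.current_body).strip()
                if body:
                    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
                    self.inline.append(digest)


def head_scripts(html):
    """Return (external_srcs, inline_hashes) for scripts in <head>."""
    parser = HeadScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def build_baseline(html):
    """Derive (allowed_hosts, known_inline_hashes) from a known-good copy.
    Relative paths have no host and are treated as same-origin."""
    external, inline = head_scripts(html)
    hosts = {urlparse(s).hostname for s in external if urlparse(s).hostname}
    return hosts, set(inline)


def unexpected_scripts(html, allowed_hosts, known_inline_hashes):
    """List ("external", src) or ("inline", sha256) findings not in the baseline."""
    external, inline = head_scripts(html)
    findings = []
    for src in external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host is not None and host not in allowed_hosts:
            findings.append(("external", src))
    for digest in inline:
        if digest not in known_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed sample: a known-good front page.
CLEAN_PAGE = """<html><head><title>Stadium</title>
<script src="/js/site.js"></script>
<script>var page = 'home';</script>
</head><body><p>Welcome</p></body></html>"""

# Same page with one extra script reference placed in the <head>.
# The hostname is a constructed placeholder, not a real indicator.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="http://injected-host.invalid/w.js"></script></head>')


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, unexpected_scripts(page, *baseline))
```

In practice the baseline would be built from the page as deployed from version control and re-checked against what the live server actually serves, so that an edit made directly on the server (the kind of change a configuration log would otherwise record) shows up as a finding rather than going unnoticed for weeks, as several of the sites in this story did.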
Information Security magazine Features Editor Marcia Savage
contributed to this report.