Christoph Alme, team lead of Secure Computing's Anti-Malware Research Labs
Hijacking blog strikes
The infamous Storm Worm has yet to find a resting place, and today's
malware threats are nastier and more cunning than ever before. Malware
writers are no longer attacking organisations simply out of malice or
for questionable fame. Attacks have become targeted now that a new
kind of hacker has surfaced: attacking organisations for financial
gain is at the top of the hackers' agenda.
As malware is predicted to increase by a staggering 400% by the
end of this year, the evolving threat landscape has another
contender. The hijacking blog has entered the arena by compromising
web servers worldwide. The hacked websites display different
content, depending on whether you access them directly or through a
search engine query.
What's alarming about the hijacking blog is that it gives malware
writers a new place to hide malicious code. The infection injects the
malicious code "Script.Redirector.A" into Cascading Style Sheets
(CSS), and it can be seen on about 100 unique web pages visited every
day. The total number of web pages infected to date is estimated to
be more than 10,000.
Malware writers conceal the malicious code within the web pages' CSS,
which is used for formatting and has until now been easily
overlooked. Traditionally, malicious code has been injected into the
HTML pages of compromised legitimate servers.
Following an attack, the hacked website displays different content
depending on whether it is accessed directly or through a search
engine query. Accessed directly, the site looks legitimate; visitors
who arrive from a search engine, however, are presented with a black
website resembling a blog.
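Because the cloaking described above is keyed on how the visitor arrived, a site owner can test for it by requesting the same page twice, once directly and once with a search-engine Referer header, and comparing the visible text. The following is an added example written for this article, not code from the author or from Secure Computing; it assumes the cloaking keys on the Referer header (the article only says "through a search engine query"), the similarity threshold of 0.8 is an arbitrary choice, and the two response pages and the fake fetchers are constructed sample data standing in for a real server.

```python
"""Self-check for referrer-based cloaking (added example, not from the article)."""
import re
import urllib.request
from difflib import SequenceMatcher

# Two request profiles: a direct visit, and a visit that looks like it came
# from a search result (assumption: the cloaking keys on the Referer header).
DIRECT_HEADERS = {"User-Agent": "Mozilla/5.0"}
SEARCH_HEADERS = {"User-Agent": "Mozilla/5.0",
                  "Referer": "https://www.google.com/search?q=example"}


def visible_text(html: str) -> str:
    """Reduce HTML to lower-cased, whitespace-normalised text so that cosmetic
    differences (attribute order, indentation) do not count as cloaking."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def http_fetch(url: str, headers: dict, timeout: float = 10.0) -> str:
    """Fetch url with the given headers; only used when run against a live site."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def cloaking_check(url: str, fetch=http_fetch, threshold: float = 0.8) -> dict:
    """Fetch the page both ways and compare the visible text.
    A similarity ratio below threshold flags the page as cloaked."""
    direct = visible_text(fetch(url, DIRECT_HEADERS))
    via_search = visible_text(fetch(url, SEARCH_HEADERS))
    ratio = SequenceMatcher(None, direct, via_search).ratio()
    return {"url": url, "similarity": round(ratio, 3), "cloaked": ratio < threshold}


# --- constructed responses standing in for a real server -------------------
HONEST_PAGE = ("<html><body><h1>Acme Ltd</h1>"
               "<p>Products, services, contact.</p></body></html>")
CLOAKED_PAGE = ("<html><body style='background:black'><h1>My blog</h1>"
                "<p>Post 1: great deals</p><p>Post 2: more deals</p>"
                "<script src='check.js'></script></body></html>")


def fake_fetch_cloaking(url: str, headers: dict) -> str:
    """Simulated compromised server: serves the blog page to search referrals."""
    referer = headers.get("Referer", "")
    if "google." in referer or "bing." in referer:
        return CLOAKED_PAGE
    return HONEST_PAGE


def fake_fetch_honest(url: str, headers: dict) -> str:
    """Simulated clean server: same page regardless of Referer."""
    return HONEST_PAGE


if __name__ == "__main__":
    # Against a live site you would pass the real URL and leave fetch=http_fetch.
    print(cloaking_check("http://example.invalid/", fetch=fake_fetch_cloaking))
    print(cloaking_check("http://example.invalid/", fetch=fake_fetch_honest))
```

Comparing visible text rather than raw HTML keeps the check from firing on rotating advertisements or session tokens; a page that is genuinely dynamic may still need a higher tolerance than 0.8, so the threshold should be tuned against a known-clean baseline of the site.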
If the source code of the website is examined, it may become
apparent that the CSS is infected with suspicious JavaScript code.
After deobfuscating the code, references to files named "check.js"
and "dummy.htm" on the same server appear. Affected web pages are
mostly on ".com", ".net" and ".org" domains, but also on country-code
domains such as those of Germany and France.
Website administrators should take seriously any reports from
visitors of abnormalities on the website. Implementing a firewall
with application-layer defences that protects the site against SQL
injection and Apache server vulnerabilities can avoid these attacks.
In addition, it is advisable to check the CSS files for modifications
and for the presence of suspicious script code. Web administrators
need to ensure the necessary defences are in place; otherwise the
internet will continue to be a playground for malware writers to
wreak havoc.
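The advice above to check CSS files for modifications and for script code can be automated: keep a hash of each known-good stylesheet and, on every run, flag files whose hash has changed and lines that contain constructs a stylesheet should never hold. The following is an added example for this article, not code from the author or from Secure Computing. The pattern list is a heuristic chosen here (it covers the HTML and JavaScript constructs the article describes being injected, plus IE-only `expression()`), the sample stylesheets and baseline are constructed, and `load_css_dir` is provided for running the same audit over a real document root.

```python
"""Stylesheet integrity and script audit (added example, not from the article)."""
import hashlib
import re
from pathlib import Path

# Heuristics: constructs that have no business in a stylesheet.  Assumed
# list for this example, not an exhaustive signature set.
SUSPICIOUS_PATTERNS = {
    "html_script_tag": re.compile(r"<\s*script\b", re.I),
    "html_iframe_tag": re.compile(r"<\s*iframe\b", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "css_expression": re.compile(r"\bexpression\s*\(", re.I),  # IE executes script here
    "script_call": re.compile(r"\b(eval|unescape|document\.write)\s*\(", re.I),
}


def sha256_hex(text: str) -> str:
    """Digest used for the known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_css(text: str) -> list:
    """Return (line_no, rule_name, excerpt) for every suspicious line."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(line):
                hits.append((no, name, line.strip()[:80]))
    return hits


def audit(files: dict, baseline: dict) -> dict:
    """files: name -> current content; baseline: name -> known-good sha256.
    Returns name -> {"modified", "unknown", "findings"}; a file is "unknown"
    when it has no baseline entry, which is itself worth a look."""
    report = {}
    for name, text in files.items():
        known = baseline.get(name)
        report[name] = {
            "modified": known is not None and sha256_hex(text) != known,
            "unknown": known is None,
            "findings": scan_css(text),
        }
    return report


def load_css_dir(root: str) -> dict:
    """Read every .css file under root, keyed by relative path (live use)."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text(errors="replace")
            for p in base.rglob("*.css")}


# --- constructed sample data, not taken from any real site -----------------
CLEAN_CSS = """body { margin: 0; font-family: Arial, sans-serif; }
a:hover { color: #c00; }
"""
TAMPERED_CSS = CLEAN_CSS + """#x { color: red; }
</style><script src="check.js"></script><style>
"""
BASELINE = {"site.css": sha256_hex(CLEAN_CSS), "blog.css": sha256_hex(CLEAN_CSS)}
SAMPLE_FILES = {"site.css": CLEAN_CSS, "blog.css": TAMPERED_CSS}


def demo() -> dict:
    """Run the audit over the constructed sample; swap in load_css_dir(...) for real use."""
    return audit(SAMPLE_FILES, BASELINE)


if __name__ == "__main__":
    for name, r in demo().items():
        status = "MODIFIED" if r["modified"] else ("UNKNOWN" if r["unknown"] else "ok")
        print(f"{name}: {status}, {len(r['findings'])} suspicious line(s)")
        for no, rule, excerpt in r["findings"]:
            print(f"  line {no} [{rule}]: {excerpt}")
```

The hash comparison catches any change, including obfuscated script the patterns miss; the pattern scan catches script in files that were never baselined. Regenerate the baseline only from a deployment you trust, and store it somewhere the web server's own account cannot write.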
For users who want to enjoy the internet safely, having anti-virus
software installed and up to date is mandatory. While applying common
sense and avoiding shady websites remains one cornerstone of a secure
computing experience, malware today also lingers on websites that
were perfectly legitimate and trustworthy only a few days ago.