Dozens of Web sites spread malicious Trojan

Web sites victimized The following Web sites were among those compromised, according to SANS ISC: https://www.massgeneral.org mhmonline.com www.citruscollege.edu www.stariq.com www2a.cdc.gov www.surfersvillage.com www.citrus.cc.ca.us 207.178.138.47 www.nlgaming.com www.arcchart.com www.me-uk.com www.olympusamerica.com www.cabi-publishing.org www.imo.org www.pathnet.org www.vcuhealth.org www.medcompare.com ymghealthinfo.org www.zeenews.com www.pharmabrandeurope.com www.infogrip.com totallydrivers.com www.ajr.org www.offshore247.com www.massgeneral.org www.nlgaming.com www.scif.com www.speroforum.com www.betterpropaganda.com www.youandaids.org www.cottagesdirect.com www.plasticsmag.com www.healthy.net www.irinnews.org www.pubapps.vcu.edu www.generousgiving.org www.doctorndtv.com www.mcv.org www.vcuhs.org www.nordic-telecom.com www.betterpropaganda.com www.nationalmssociety.org www.nmss.org cityofboston.gov scif.ca.gov wanniski.com www.wilson.edu Source: SANS ISC

Over the weekend, Websense and researchers at the Bethesda, Md.-based SANS Internet Storm Center (ISC) discovered that dozens of additional Web sites had been compromised in the same manner, including high-profile sites belonging to organizations such as Massachusetts General Hospital, Olympus America Inc., the American Journalism Review, the National Multiple Sclerosis Society and the city of Boston.

In all, at least 50 Web sites were victimized, several of which had been compromised as far back as early January. However, Johannes Ullrich, chief research officer of the SANS ISC, confirmed that all of the high-profile sites were fixed over the weekend and they no longer pose a danger to visitors.

As was the case in the Dolphin Stadium hack, a malicious JavaScript keylogger file had been inserted into each Web site's front page header. Upon visiting the site, the script executed and attempted to download a malicious backdoor Trojan that exploited two known Microsoft vulnerabilities: MS06-014 and MS07-004.

Ullrich said the malicious Trojan originated from a domain in China, which has also been terminated. He said early evidence suggests that the likely culprit may be a Chinese gold farming syndicate linked to the online role-playing game World of Warcraft.

"It almost looks like this Chinese group had a script that looked for a particular vulnerability in an order of mass on all these sites," Ullrich said.

"There was nothing interesting about the downloader or the password stealer. They were old, uninteresting pieces of malware," said David Marcus, McAfee Inc. security research and communications manager. "But their choice of Web site (Dolphin Stadium) to host it on was quite clever."

Dan Hubbard, vice president of security research for Websense, said his organization stumbled upon the Dolphin Stadium Web site exploit when its customers called inquiring as to why its security software was automatically blocking that site.

Hubbard said that as of Sunday night, Websense's research indicated that there were about 10 known compromised sites that had not yet been repaired, none of which were considered high profile. Now that the Chinese domain spreading the Trojans has been removed from the Internet though, he said the threat is significantly mitigated.

"The Chinese domain was taken down, and though it did come back up a couple times in different locations with different IP addresses, the issue has now been taken care of at an IP level, so I wouldn't say there's any kind of elevated risk."

A spokeswoman for Massachusetts General Hospital, which operated one of the reportedly compromised domains, said she hadn't heard of an attack on the organization's Web site; two other organizations with affected Web sites did not return calls. A representative for the city of Boston was unable to confirm that its site was affected.

SANS ISC is investigating exactly what may have enabled so many Web sites to be compromised. Ullrich said his organization is working to determine whether each site had been running an unpatched version of Microsoft's Internet Information Server (IIS) software. However, he said there could be other factors involved.

"We're also looking at the apps on the servers," Ullrich said. "It could also be that they have some common content management system installed. We don't know yet."

Virtualization seemed to complicate the issue for some, as some of the victims had multiple domains compromised because its Web pages were hosted on the same server. "It wasn't like there were five or six servers compromised," Hubbard said. "A couple servers had multiple sites hosted on them. One was compromised that had virtual hosts on it."

Hubbard said Websense has attempted to contact a number of the additional organizations whose Web sites have been affected, but contacting the appropriate personnel in each organization is challenging.

"One of the great things about the Web is that you can put up a Web site in 15 minutes," Hubbard said, "but one of the bad things about the Web is that people often do that and don't understand security. It's not like you can always pick up the phone and find the person who runs each Web site."

Making matters worse, Ullrich said it's possible that more Web sites have been compromised, but have not yet been discovered. Still, Ullrich said organizations can remain safe as long as they take measures to block the Chinese domains from where the malware originated.

Hubbard said this incident serves as a lesson that most of these types of exploitations are avoidable by keeping software patches updated and diligently maintaining a log of Web site configuration changes.

Information Security magazine Features Editor Marcia Savage contributed to this report.