November 8th, 2008
Broad Web Hack Hits Thousands of Servers
By Michael Santo
Editor-in-Chief, RealTechNews
Kaspersky Labs warned on Friday that hackers have launched a huge Internet hacking effort, posting malicious links on as many as 10,000 servers. The end result of the hack is that surfers may end up at a malicious server located in China, vvexe.com. Exploits are then used to launch an attack on the user’s machine.
Norton Safe Web and StopBadWare.org have reports on that site.
Once again, if you're patched and have up-to-date antivirus and security software, you would probably be safe even if you surfed to one of these sites. One open question is how the websites are being compromised; Kaspersky hasn't managed to determine that yet. An earlier attack this year affected 1.5 million servers, so in comparison this one is small, but the attack has only just begun, Kaspersky warned.
How do the attacks work?
The attackers add a tag to the HTML of hacked sites.
The link leads to JavaScript located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the blacklist in our antivirus:
- armsart.com
- acglgoa.com
- idea21.org
- yrwap.cn
- s4d.in
- dbios.org
Visiting one of the sites results in a secret redirect to a malicious server called vvexe.com which is located in China. Exploits are then used to launch an attack on the user’s machine.
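The write-up above says the attackers add a tag pointing at JavaScript on one of six gateway hosts, which then redirect the browser to vvexe.com. A defender checking their own pages for that kind of injection can scan the HTML for script or frame sources that resolve to those hosts. The following is an added example written for this page, not code from the article or from Kaspersky. It assumes the injected tag is a `<script>` or `<iframe>` with a `src` attribute (the article elides the tag itself), uses only the domain names listed above, and runs over a constructed sample page rather than a real compromised site.

```python
"""Scan HTML for script/iframe sources pointing at the gateway hosts
named in the Kaspersky write-up. Added example; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Gateway hosts listed in the write-up on this page.
GATEWAY_DOMAINS = {
    "armsart.com", "acglgoa.com", "idea21.org", "yrwap.cn", "s4d.in", "dbios.org",
}
# Final landing host named on this page.
LANDING_DOMAINS = {"vvexe.com"}
WATCHLIST = GATEWAY_DOMAINS | LANDING_DOMAINS


class SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag.
    Assumption: the injected tag is one of these two (the article elides it)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def host_of(url):
    """Return the lowercase hostname of a URL; handles protocol-relative '//host/x'."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def on_watchlist(host, domains=WATCHLIST):
    """True if host equals, or is a subdomain of, any watched domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_injected_references(html):
    """Return [(src, host)] for every script/iframe source on the watchlist."""
    collector = SourceCollector()
    collector.feed(html)
    collector.close()
    return [(src, host_of(src)) for src in collector.sources if on_watchlist(host_of(src))]


# Constructed sample pages (not captured from any real site).
SAMPLE_INJECTED = """
<html><head>
<script src="http://www.example.com/js/site.js"></script>
<script src="http://armsart.com/counter.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="//s4d.in/frame.html" width="1" height="1"></iframe>
</body></html>
"""

SAMPLE_CLEAN = """
<html><head><script src="http://www.example.com/js/site.js"></script></head>
<body><p>Welcome</p></body></html>
"""

if __name__ == "__main__":
    for name, page in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        hits = find_injected_references(page)
        print(name, "->", hits if hits else "no watchlisted sources")
```

Matching on the host rather than on the raw string means a path like `/armsart.com.js` on your own server is not flagged, while `cdn.armsart.com` or a protocol-relative `//s4d.in/...` reference is. In practice the watchlist would be fed from a current blocklist, since the hosts in a campaign like this change quickly.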
If your machine is vulnerable to even one of these exploits, then it’ll be infected by another malicious program, Trojan-Downloader.Win32.Hah.a.
This Trojan is able to download yet more malicious programs – and details of these programs are in a dedicated configuration file on the vvexe.com site.
Today, we’ve seen three malicious programs being downloaded:
- Trojan-GameThief.Win32.WOW.cer – a Trojan designed to steal account data from World of Warcraft accounts
- Trojan-Spy.Win32.Pophot.gen – another spy program which steals data and also tries to delete a whole range of antivirus solutions
- Trojan.Win32.Agent.alzv – this Trojan downloads yet more Trojan spy programs: Trojan-PSW.Win32.Delf.ctw, Trojan-PSW.Win32.Delf.ctx and Trojan-PSW.Win32.Delf.cty
As I said, Kaspersky still has not determined how the sites are being compromised, but they say two scenarios are the most likely: SQL injection, or the use of site credentials that had already been stolen. They also noted one common factor: the majority of the hacked sites run on some type of ASP engine.
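Of the two likely vectors named above, SQL injection is the one a site owner can close in code. The root defect is building a query by splicing untrusted input into the SQL text, so that characters in the input become part of the query's structure instead of data. The added example below, written for this page and not taken from the article or from any of the affected sites, shows that pattern next to the parameterized form that fixes it. It uses Python and an in-memory SQLite database as a stand-in for the ASP stacks the article mentions; the table and its rows are constructed.

```python
"""Concatenated versus parameterized SQL lookup. Added example with constructed data;
Python/sqlite3 stands in for the ASP back ends discussed on the page."""
import sqlite3


def setup_db():
    """Build a small in-memory user table. The second row holds an apostrophe on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("o'brien", "Daniel O'Brien")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the caller's input is pasted into the SQL text.
    Any quote in the input changes the meaning of the statement."""
    sql = "SELECT display FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the driver sends the input as a bound value,
    so the query structure is fixed before the input is ever seen."""
    sql = "SELECT display FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and report what each one did."""
    conn = setup_db()
    report = {"parameterized": lookup_parameterized(conn, username)}
    try:
        report["concatenated"] = lookup_concatenated(conn, username)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early and broke the statement.
        report["concatenated"] = "error: " + str(exc)
    return report


if __name__ == "__main__":
    # A legitimate username containing a quote is enough to expose the defect.
    for user in ("alice", "o'brien"):
        print(repr(user), "->", compare(user))
```

An ordinary username with an apostrophe is enough to break the concatenated query, which is the same property an attacker relies on: the input is being parsed as SQL. The parameterized version returns the right row for both inputs because the database never sees the username as query text. The same rule applies to any stack; the ASP equivalent is a command with bound parameters instead of a string built with `&`.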
LZW says:
Sounds like the old “drive by download” trick… All a person has to do is visit a site (not even click anything) and end up infected…
November 10th, 2008 at 11:31 am