UPDATED: UK sites involved in massive website hack

Many specialist UK websites have been used to spread a particularly difficult track form of malware that is capable of dynamically changing its code.

The only thing to link the several hundred compromised sites, other than the fact that many of them are small UK-based retail outfits like a bicycle shop and speciality travel firm, is the fact that all their affected domains have, or had, a relationship with the UK's biggest web hosting company Fasthosts, according to the security researcher at ScanSafe who first spotted the attack.

Fasthosts' systems called in the police to investigate a security breach in October last year that forced the provider to ask users to change their passwords.

Mary Landesman, senior ScanSafe security researcher wrote yesterday in her blog: "The attacks are not compromised sites, but rather what we suspect to be the result of a Loadable Kernel Module (LKM) backdoor, i.e. a rootkit-enabled backdoor planted on the host server. What we don't know, but hope to discover, is how the backdoor was planted on the host servers."

She added that the attack is characterised by its generation of random files names and dynamic code changes that make it difficult to track.

"When a site is compromised and retrofitted to deliver malware it's in the form of a static iframe which references a remote website," she said. "But this current attack is substantially different."

The referenced JavaScript file only exists when the user accesses the page and does not persist on the site. "In other words, an admin perusing the site looking for these rogue JavaScript files would not find any visible signs," said Landesman.

These randomly named and dynamically created JavaScript references and files are also randomly delivered to the same internet protocol [IP] multiple times.

Landesman speculated that the malware causing the attacks, which is similar to the recent static SQL injection attacks that compromised hundreds of Fortune 500 companies and companies and redirected users to the 'uc8010.com' domain to steal passwords, could have been recently activated in a compromised server.

ScanSafe advised that JavaScript malware file includes multiple exploits, including an 18-month-old Microsoft Data Access Components (MDAC) vulnerability and a recently spotted flaw in Apple's QuickTime media player real time streaming protocol (RTSP).

Successful attacks infect the user's computer with a Trojan, which can allow a hacker to install further spyware or keylogging software.

Fasthosts told IT PRO it was aware of press coverage and comments made on blogs discussing both a network intrusion on a Fasthosts server last year and recently reported instances of malware attack on the internet.

Richard Stevenson, Fasthosts spokesman said: "As a result, Fasthosts is conducting an investigation into the issues raised and the technical comments made within the articles."

But he said that at this initial stage there were technical discrepancies that would suggest that Fasthosts was not connected with these malware issues.

"For example, Fasthosts does not deploy cPanel in its shared or dedicated platform," said Stevenson, referring to website administration control panel mentioned by ScanSafe as a 'near constant presence' and possible factor in the spread of the attacks.

He continued: "While it is not possible to comment on a list of domains that Fasthosts has not been privy to, the full details of these domain names will be requested in order for Fasthosts to carry out this investigation.

"Fasthosts can confirm that it has to date received no evidence on such an issue, nor has it been approached by any customer with this concern," he said.

"The security of customers' website data remains of paramount importance to Fasthosts."

Email to a friend

Print this page

Social Bookmark this article: What is this?

Digg

Delicious

Reddit

StumbleUpon

Slashdot

Google

Facebook