Another Mass Compromise at a Hosting Facility - TrendLabs | Malware Blog - by Trend Micro
Any of you bloggers out there using iPowerWeb? If you are, you might want to check your site!
Another Mass Compromise at a Hosting Facility
December 15th, 2007 by Feike Hacquebord
This week, hundreds of Web sites belonging to customers of the Web hosting company iPowerWeb were compromised. The incident shows an interesting mix of hacking technology, Google index poisoning and social engineering.

A malicious third party added extra directories to the hacked Web sites and apparently installed scripts in these new directories that redirect visitors to traffloader.info. That site in turn redirects to sites that attempt to lure Internet users into installing a codec Trojan, a Zlob Trojan or rogue antispyware.

The redirection to the malicious sites only happens when a visitor lands on the hacked Web site via a Google search. To drive actual traffic to the compromised sites, the hackers poisoned Google's index with tens of thousands of hacked URLs. Yesterday, well-chosen Google queries indeed showed about 60,000 malicious URLs hosted on iPowerWeb Web sites.

One of the tactics used in poisoning Google's index is that the malicious URLs appear to the Googlebot crawler as "normal" SEO (search engine optimization) spam pages. Ordinary Internet users who arrive at the site via a Google search, however, are met with a malicious redirection instead. So here, SEO spam techniques are combined with Trojan infection chains and social engineering.

The mass compromise might be the result of a security breach of just a few iPowerWeb servers. One possible scenario is that the hackers obtained root permissions on shared Web servers and were therefore able to modify Web server settings. Another scenario is that they installed a Trojan on an iPowerWeb server that is able to alter network traffic on the local area network. Once such malicious software is installed, all Web sites hosted on other servers in the same local area network may appear compromised from the outside, while their contents on the physical hard drives were never changed at all: the attacker simply injects his malicious code into the network traffic between the Web sites and Internet users.

The danger of these attacks shows the need for continuous scanning of servers at hosting facilities for malicious content such as Trojans and exploits.
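Two defender-side checks that follow from the post, written as an added example (this is not Trend Micro's or iPowerWeb's code). The first probes a URL from the outside the way the post describes the cloaking: once as Googlebot, once as a browser arriving from a Google search, and once as a direct visit, and flags an off-site redirect that only the Google-referred visitor receives. The second walks a hosting web root and flags scripts that redirect to a host the site does not own, which is what the extra directories added to the hacked sites contained. The HTTP client, the sample web root, the hostnames other than traffloader.info and the regex for redirect forms are all constructed for the example; in practice the `fetch` parameter would be a real HTTP client.

```python
"""Added example: probe a site for Google-referer cloaking and scan a web root
for injected redirect scripts. All sample data below is constructed."""
import os
import re
import tempfile
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
GOOGLE_REFERER = "http://www.google.com/search?q=example"


def fake_fetch(url, user_agent, referer=None):
    """Constructed stand-in for an HTTP client; returns (status, location, body).
    It mimics the behaviour described in the post: SEO spam for Googlebot, a
    redirect to the traffic loader for Google-referred visitors, the real
    page for everyone else. A real deployment passes a genuine client here."""
    if "Googlebot" in user_agent:
        return 200, None, "<html>cheap pills buy now cheap pills ...</html>"
    if referer and urlparse(referer).hostname.endswith("google.com"):
        return 302, "http://traffloader.info/in.php", ""
    return 200, None, "<html>Welcome to my photo blog</html>"


def probe_for_cloaking(url, fetch=fake_fetch):
    """Request the same URL three ways and report whether the responses differ
    in the way a cloaked, redirect-injected page would."""
    site_host = urlparse(url).hostname
    bot = fetch(url, GOOGLEBOT_UA)
    referred = fetch(url, BROWSER_UA, referer=GOOGLE_REFERER)
    direct = fetch(url, BROWSER_UA)

    findings = {"referer_redirect_offsite": False,
                "bot_sees_different_page": False,
                "redirect_target": None}
    status, location, _ = referred
    if status in (301, 302, 303, 307) and location:
        target_host = urlparse(location).hostname
        if target_host and target_host != site_host:
            findings["referer_redirect_offsite"] = True
            findings["redirect_target"] = target_host
    # Cloaking: crawler and direct visitor both get 200 but different content.
    if bot[0] == 200 and direct[0] == 200 and bot[2] != direct[2]:
        findings["bot_sees_different_page"] = True
    return findings


# Server-side (PHP header), client-side (JS) and meta-refresh redirects to an
# absolute URL. Group 2 captures the target URL.
REDIRECT_RE = re.compile(
    r"(header\s*\(\s*['\"]Location:\s*"
    r"|window\.location(?:\.href)?\s*=\s*['\"]"
    r"|http-equiv=['\"]refresh['\"][^>]*url=)"
    r"(https?://[^'\"\s>]+)",
    re.IGNORECASE,
)


def scan_webroot(root, site_hosts):
    """Walk a web root; return [(path, host)] for every redirect whose target
    host is not one of the site's own hostnames."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".html", ".htm", ".js")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue
            for m in REDIRECT_RE.finditer(text):
                host = urlparse(m.group(2)).hostname
                if host and host not in site_hosts:
                    hits.append((path, host))
    return hits


def build_sample_webroot():
    """Construct a temporary web root: one legitimate page plus an added
    directory holding a redirect script (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "blog", "index.html"), "w") as f:
        f.write('<html><a href="http://example.com/about">About</a></html>')
    os.makedirs(os.path.join(root, "xyz123"))
    with open(os.path.join(root, "xyz123", "go.php"), "w") as f:
        f.write("<?php header('Location: http://traffloader.info/in.php'); exit; ?>")
    return root


if __name__ == "__main__":
    print(probe_for_cloaking("http://example.com/blog/"))
    print(scan_webroot(build_sample_webroot(), {"example.com", "www.example.com"}))
```

The two checks are complementary in exactly the way the post's third scenario implies: if the redirect is injected into network traffic rather than written to disk, `scan_webroot` finds nothing and only the outside probe sees it, so a hosting provider should run both. The body comparison in `probe_for_cloaking` is deliberately a weak signal (dynamic pages differ between requests anyway); the off-site redirect that appears only with a Google referer is the one to alert on.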