Endpoint Protection

Global mass injection affects thousands of websites worldwide 

01-22-2016 09:10 AM

global-mass-infection-header_0.jpg

Contributor: Roberto Sponchioni

It didn’t take long for 2016 to present a global infection. After only a few days into the new year, Symantec telemetry registered significant spikes in detections for the Intrusion Prevention System (IPS) signature Web Attack: Mass Injection Website 19. This signature is used to detect when a hidden script injected in a compromised website is used to redirect users to a website hosting malicious code. It is triggered when a user browses a compromised website.

figure-1-diagram_0.png
Figure 1. Detections for Web Attack: Mass Injection Website 19

Attempts to access the malicious websites were mostly seen in the United States (47 percent), followed by India (12 percent), then the United Kingdom, Italy, and Japan (6 percent each).

figure-2-diagram_0.png
Figure 2. Percentage of detections for Web Attack: Mass Injection Website 19 by country

Symantec identified thousands of websites that had been injected with script code to redirect to additional scripting code. Of the compromised websites, 75 percent were located in the US. The websites injected with script code can be of any type and target a variety of organizations, including the following:

  • Business websites
  • .edu websites
  • Government websites

Fig3_17.png
Figure 3. Location of affected websites

The compromised websites we investigated all used a common content management system. More than likely the attackers are using automated scripts to scan these websites so they can automatically exploit bugs and possibly inject malicious HTML code into the vulnerable sites.

The malicious code injection can be seen in the HTML source code of these infected websites. Figure 4 shows the injected code before the </head> tag.

Fig4_14.png
Figure 4. Malicious code injection

Once a compromised page has loaded in the user’s browser, the malicious script waits 10 seconds and then runs remote JavaScript code, which in turn runs additional scripts. There are typically two to five additional scripts included as a chain to hide the infection from the victim.

These scripts may be able to collect the following information:

  • Page title
  • URL page address displayed by the browser
  • Referrer—so the attackers know how the user ended up on the current page and to possibly collect information about search term queries
  • Shockwave Flash version
  • User language
  • Monitor resolution
  • Host IP address

Symantec did not identify any malware associated with this injection attack. Based on our tests the script chain does not lead to any malicious downloads. It is likely that the attacks are a reconnaissance activity to learn more about users and utilize that information in another attack. The possibilities for future attacks include the delivery of advertisements, SEO poisoning attacks, or criminals modifying the code to deliver malware and compromise unprotected users.

Mitigation
Symantec recommends that web administrators check to ensure that the malicious code found in Figure 4 is not present on their website. Changing the admin password is not sufficient and the website must be completely sanitized. To accomplish this, we recommend running a full antivirus scan, checking the files on the webserver to remove any back doors, and then changing the administrator password.

Protection
Norton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these redirections with the following detection:

Intrusion Prevention System

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.