No laughing matter - hacked websites in Oz

Filed Under: Malware, SophosLabs, Vulnerability

Readers will no doubt have read numerous postings and articles about the use of compromised sites in malicious attacks (currently the de rigueur technique for malicious code delivery). Unfortunately there are many 'ways in' (vulnerabilities in libraries, cross-site scripting (XSS) attacks, web application vulnerabilities and poorly secured web servers, to name but a few), and in many cases site owners have limited ability to identify and resolve compromised pages. A significant percentage of sites are outsourced to web development companies as a one-off exercise, and little consideration is given to requirements such as ongoing site maintenance and security.

Over the past week or so SophosLabs have become aware of several web sites hosted in Australia that have been compromised. In each case pages on the site have been modified by appending an obfuscated JavaScript, characterized by a function named 'makemelaugh'. Compromised pages are proactively detected by Sophos as Mal/ObfJS-A.

<script language=Javascript>
function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,
s=0,w=0,t=Array(63,1,20,2,3,27 <snip> }

The script serves the usual purpose - writing an additional HTML iframe tag to the page in order to load malicious content when a victim browses the compromised site. Aside from detecting compromised pages, all the sites referenced in the malicious iframe tags are currently known and classified as high risk by Sophos.
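As an added illustration (not part of the original post and not Sophos code), the following heuristic scanner checks a page for the tell-tale signs described above: a function named 'makemelaugh', a long numeric Array() literal of the kind used as a decoder table, eval or document.write applied to a decoded variable, a script appended after the closing html tag, and an iframe injected via document.write or hidden with zero dimensions. The sample pages are constructed for the example; the 'makemelaugh' body in them is a harmless stand-in rather than the real decoder.

```python
"""Heuristic scanner for web pages tampered with by appended obfuscated JavaScript.

A hit means "review this file", not a definitive verdict: the patterns are broad
on purpose so that variants with a renamed function still trip the other checks.
"""
import re

# (indicator name, compiled pattern)
INDICATORS = [
    # The specific function name seen in this campaign.
    ("known-function-name", re.compile(r"function\s+makemelaugh\s*\(", re.I)),
    # Array() literals with 20+ numeric entries are typical decoder tables.
    ("large-numeric-array", re.compile(r"Array\s*\(\s*(?:\d+\s*,\s*){20,}\d+", re.I)),
    # eval(x) / document.write(x) on a bare variable: decoded payload being executed.
    ("eval-or-write-of-decoded-string",
     re.compile(r"\b(?:eval|document\.write)\s*\(\s*[a-z_$][\w$]*\s*\)", re.I)),
    # An iframe tag written into the page at load time.
    ("iframe-in-document-write", re.compile(r"document\.write\s*\([^)]*<\s*iframe", re.I | re.S)),
    # A statically present iframe sized to be invisible.
    ("hidden-iframe", re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b", re.I)),
]

# Indicators that are suspicious enough on their own.
STRONG = {"known-function-name", "hidden-iframe"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HTML_END_RE = re.compile(r"</html\s*>", re.I)


def find_indicators(html):
    """Return a sorted list of indicator names that match the page text."""
    hits = {name for name, pat in INDICATORS if pat.search(html)}
    # Injected scripts are frequently appended after the closing </html> tag.
    m = HTML_END_RE.search(html)
    if m and SCRIPT_RE.search(html, m.end()):
        hits.add("script-after-html-close")
    return sorted(hits)


def is_suspicious(html, threshold=2):
    """Flag a page on any strong indicator, or on `threshold` weaker ones together."""
    hits = find_indicators(html)
    return bool(STRONG.intersection(hits)) or len(hits) >= threshold


# Constructed sample pages (not real captures).
CLEAN_PAGE = """<html><head><title>Shop</title>
<script type="text/javascript">
function track(){ var a = Array(1,2,3); return a.length; }
</script></head><body><p>Welcome</p></body></html>
"""

# Same page with an obfuscated-looking script appended after </html>.
# The function body is a harmless stand-in; only the indicators matter here.
COMPROMISED_PAGE = CLEAN_PAGE + """<script language=Javascript>
function makemelaugh(x){var l=x.length,t=Array(63,1,20,2,3,27,9,4,8,15,16,23,42,11,12,13,14,17,18,19,21,22,24,25);
var r='';document.write(r);}
makemelaugh('');
</script>
"""

# Same page with a zero-sized iframe injected directly into the body
# (example.invalid is a placeholder, not a real host).
HIDDEN_IFRAME_PAGE = CLEAN_PAGE.replace(
    "<p>Welcome</p>",
    '<p>Welcome</p><iframe src="http://example.invalid/" width=0 height=0></iframe>')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE),
                        ("compromised", COMPROMISED_PAGE),
                        ("hidden-iframe", HIDDEN_IFRAME_PAGE)):
        print(label, is_suspicious(page), find_indicators(page))
```

Run against a site's document root (for example by feeding each .html file to find_indicators) this gives a quick triage list; the clean sample produces no hits, the appended script trips four indicators at once, and the hidden iframe is flagged on its own because a zero-sized frame has no legitimate reason to be there.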

As is often the case, these sites are set up specifically for this purpose, and do not host any legitimate content. Viewing the root of one such domain, you are presented with a very familiar placeholder page:

Placeholder page at root of domain

Users surfing the web tend to place implicit trust in the sites they browse. The reality is that by browsing a site, you are exposing yourself to a certain amount of risk, and placing some trust in the security of that site. Careful selection of operating system, browser, browser configuration and the like is absolutely essential.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.