Seagate's blog pushes malware on unsuspecting visitors via rogue Apache modules

Filed Under: Featured, Malware, Security threats, SophosLabs, Vulnerability, Web Browsers

Seagate's infected web serverSophosLabs has been tracking an infection of Mal/Iframe-AL on Seagate's blog since late February.

SophosLabs informed Seagate of the issue back in February, but at the time of writing the site remains infected.

Two weeks ago, Fraser Howard reported how rogue Apache modules were pushing iFrame injections with the intention of driving traffic to the notorious Blackhole exploit kit.

SophosLabs has seen countless victims of this attack, with Mal/Iframe-AL remaining the most prevalent of the web threats encountered.

Seagate is just one of the high profile examples of a site that has been hit.

Seagate's blog

It would be fair to say that many companies are struggling to clean up from these attacks.

Detection of malware on the Seagate website

I suspect that many webmasters fail to see the problem themselves and dismiss abuse reports as a result. Which is understandable, as reproducing the problem can certainly be tricky.

It would seem that certain checks are done by the malicious Apache module, meaning that the malicious iFrame is only injected into outbound HTML/JS content when certain conditions are met.

Snippet of JS showing injected iFrame

As you can see, this copy of the legitimate jquery.js library has been modified to include the malicious iFrame (which has been prepended to the clean code in a similar fashion to what we described in a previous article).

Looking for assistance in cleaning up an affected server?

A recent blog by Google's security team offers some educational tools for webmasters who want to learn more about how to protect and clean-up their servers.

Here's a video that Google produced offering advice for compromised websites.

In addition, IT system administrators may want to check out our free technical paper about "Securing websites", which discusses common ways web servers are attacked and the various ways that they can be protected.

If Seagate would like a packet capture (PCAP) showing the infection, we will happily provide one.

, , , , ,

You might like

2 Responses to Seagate's blog pushes malware on unsuspecting visitors via rogue Apache modules

  1. Nigel · 566 days ago

    Question: When Sophos notified Seagate of the issue in February, did Seagate provide an explicit acknowledgment that they received and understood the message?

    The reason I ask is because it seems unconscionable to me that Seagate could leave such a problem in place for so long. So my first inclination is to wonder whether they actually understood the message. But if they did, NOT fixing it pronto seems irresponsible...and inexcusable.

  2. Mosor · 566 days ago

    Back in 80's, shortly after St. Sinclair launched his first PC ZX80, there was a flood of small companies trying to take the share of the explosive growth of the market, and the practice was (lowering the cost) to leave to customers detection of the faulty items avoiding the cost of the quality control. This logic and practice continues to the present times, including hardware (outsourced to China) and software.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.