Mal/ObfJS-C: Where? When?

For the past 7 weeks SophosLabs have been tracking an attack targeting sites all over the world. In the attack, legitimate sites have been compromised so that they serve up a malicious JavaScript (Mal/ObfJS-C). In this post, I present a brief summary of the data obtained thus far.

Since May 1st, we have found 3,896 URLs that have been compromised, over 1,627 different domains. The subject matter of the hacked sites covers as wide a range of topics as you can imagine. Clothes boutiques, driving instruction, nude beauty pageants, celebrity gossip, hypnotherapy through to handmade musical instruments. Most worryingly, there are some fairly popular sites within the list, including a fairly large bank (this site was hacked last week). Taking a deeper look at the data, we can gather further information about this campaign.

As you can see from the following graph (note the log scale on the y-axis), the vast bulk of the compromised pages are being served up from sites in the United States, closely followed by Brazil, Canada and the UK.

Countries hosting Mal/ObfJS-C

It should be noted this data is based on the country in which the host web server resides – it does not indicate the locale of the site itself. For example, several ‘’ domains were found to be hosted within the US.

To get a true impression of the scale of such an attack, looking at domain names alone is insufficient. We have encountered previous cases where initial data based on a plethora of compromised domains has suggested a large campaign, only to find that they all were as the result of the hacking of a handful of boxes within a single service provider (Troj/EncIfr-A for example). Looking at this data from an IP perspective reveals 324 unique IP addresses, the bulk of which are hosting a low number of compromised sites.

Number of compromised domains per server IP

As might be expected, we can see that in several cases, once the hackers have managed to hack a server, they have compromised several sites hosted there.

Probing further, we can try to identify the operating system and web server application. As you can see below, the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix.

Web server types hosting Mal/ObfJS-C

Though we cannot deduce the method employed by the hackers to compromise the servers, such data is nonetheless interesting. Gathering and analysis of such data provides us with valuable information to assist in the fight against web attacks. As ever, it is imperative that web servers are maintained and patched to the latest level. If you outsource the responsibility of this to your ISP, ensure they follow good practice. Remember, their failure could lead to your loss of credibility if it is your site that gets hacked into a malicious drive-by.