Another widespread site defacement attack. Leading nowhere?

Earlier this morning, I started to see a rise in the volume of Mal/Iframe-Gen detections. Digging further, I discovered numerous legitimate sites that had been freshly hacked, in order to redirect users to further malware.

As you can see from the image below, there has been something of a surge in Mal/Iframe-Gen detections since approximately 9am (UTC+1) this morning:

All the affected sites were injected with malicious JavaScript, heavily obfuscated in an attempt to evade detection (as we expect nowadays):

Despite the obfuscation, Sophos products proactively block these malicious scripts as Mal/Iframe-Gen. As suggested from the threat name, the payload of the injected script is to write an iframe to the page:

The iframe points to what appears to be a ‘middleman’ server, used to bounce the traffic elsewhere. This is commonly known as a Traffic Direction System (TDS). The TDS server is under the control of the attackers, enabling them to configure it to redirect user traffic to wherever required.

Earlier this morning, when I first spotted this attack, the iframe traffic was all redirected to a page on a freshly registered domain (hosted in Germany). However, the page was unavailable, with all requests getting a 404 error. This was a little surprising given that the attack was new (you expect 404s for old, stale attacks where the compromised sites persist long after the target payload servers have been shut down). Perhaps this was deliberate, the attackers waiting for sufficient user traffic before redirecting it to an active payload?

Sure enough, later in the day, the TDS server was updated to redirect the traffic to a new destination. At the time of writing it is redirecting the traffic to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.

The illustration below gives an overview of this attack, and the role that the TDS server plays in it.

This attack provides us with a perfect illustration of how user traffic is a commodity. Once they have injected numerous sites to redirect to their TDS, the attacker can essentially sell that user traffic to interested parties, willing to pay for victims to hit their exploit sites.

As ever, protection from this form of attack consists of several components:

  • detection of the malicious redirects injected into the legitimate sites (in this case, proactive detection as Mal/Iframe-Gen).
  • URL filtering to block requests to the TDS. Thus far, a few different servers are being used in these attacks.
  • URL filtering to block requests to the final destination servers.
  • detection of the exploit site itself (Mal/ExpJS-N) and the various malicious files it uses.
  • detection of the final payload (which will vary as the final destination server changes).
  • if all else has failed, runtime protection (HIPs) to catch the malicious payload running on the victim’s machine.

SophosLabs will continue monitoring this, and other, attacks to ensure that as the various components change, we continue to have protection in place at as many layers as possible.