SophosLabs has been tracking an infection of Mal/Iframe-AL on Seagate’s blog since late February.
SophosLabs informed Seagate of the issue back in February, but at the time of writing the site remains infected.
Two weeks ago, Fraser Howard reported how rogue Apache modules were pushing iFrame injections with the intention of driving traffic to the notorious Blackhole exploit kit.
SophosLabs has seen countless victims of this attack, with Mal/Iframe-AL remaining the most prevalent of the web threats encountered.
Seagate is just one of the high profile examples of a site that has been hit.
It would be fair to say that many companies are struggling to clean up from these attacks.
I suspect that many webmasters fail to see the problem themselves and dismiss abuse reports as a result, which is understandable, as reproducing the problem can certainly be tricky.
It would seem that the malicious Apache module performs certain checks before acting, so the malicious iFrame is only injected into outbound HTML/JS content when certain conditions are met.
As you can see, this copy of the legitimate jquery.js library has been modified to include the malicious iFrame (which has been prepended to the clean code in a similar fashion to what we described in a previous article).
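Because the module only injects under certain request conditions, a single fetch that comes back clean proves little. The following is an added example (not SophosLabs' tooling, and not anything from Seagate) showing how a webmaster can inspect captured response bodies for the pattern described above: HTML markup prepended to a JavaScript file, hidden iframes in HTML, and differences between fetches of the same URL made under different conditions. The sample bodies, the `injected.example.invalid` host and the stub jQuery text are constructed for the example; in practice you would feed it bodies saved from several requests with varied User-Agent and Referer headers.

```python
"""Inspect captured HTTP response bodies for injected iFrames.

Added example for the post above; not SophosLabs' or Seagate's code.
Sample responses and the injected host are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import re

# Any <iframe ...> opening tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# The src attribute inside a tag (quoted or bare).
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Styling commonly used to keep an injected frame out of sight.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*[\"']?[01]\b",
    re.IGNORECASE,
)


def find_iframes(body: str) -> list[dict]:
    """Return one record per <iframe> tag: offset, src and whether it is hidden."""
    findings = []
    for m in IFRAME_RE.finditer(body):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        findings.append({
            "offset": m.start(),
            "src": src.group(1) if src else None,
            "hidden": bool(HIDDEN_RE.search(tag)),
        })
    return findings


def inspect_response(content_type: str, body: str,
                     known_good_sha256: str | None = None) -> list[str]:
    """Return human-readable alerts for a single response body."""
    alerts = []
    if known_good_sha256 is not None:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest != known_good_sha256:
            alerts.append("body hash differs from known-good copy")
    is_js = "javascript" in content_type.lower()
    if is_js and body.lstrip().startswith("<"):
        # A script file should never start with markup: something was prepended.
        alerts.append("JavaScript response begins with markup (content prepended to script)")
    for f in find_iframes(body):
        if is_js:
            # An iframe tag inside a script file is never legitimate.
            alerts.append(f"iframe inside JavaScript response at offset {f['offset']} (src={f['src']})")
        elif f["hidden"]:
            # Visible iframes (video embeds etc.) are normal; hidden ones are suspect.
            alerts.append(f"hidden iframe at offset {f['offset']} (src={f['src']})")
    return alerts


def compare_variants(bodies: dict[str, str]) -> dict[str, bool]:
    """Map each request variant (e.g. 'first visit', 'repeat visit') to whether
    its body carries an iframe. Inconsistent results across variants for the
    same URL are the signature of conditional injection."""
    return {label: bool(find_iframes(body)) for label, body in bodies.items()}


# Constructed samples (not real jQuery, not a real injected domain).
CLEAN_JQUERY = "/*! jQuery (trimmed stub for the example) */\n(function(w){w.$=function(){};})(window);\n"
INJECTED_JQUERY = (
    '<iframe src="http://injected.example.invalid/x.php" style="display:none"></iframe>'
    + CLEAN_JQUERY
)
CLEAN_HASH = hashlib.sha256(CLEAN_JQUERY.encode("utf-8")).hexdigest()
NORMAL_HTML = '<html><body><iframe src="https://video.example.invalid/embed" width="560" height="315"></iframe></body></html>'
INJECTED_HTML = '<html><body><p>hi</p><iframe src="http://injected.example.invalid/x.php" width="1" height="1"></iframe></body></html>'


if __name__ == "__main__":
    for label, ctype, body in [
        ("clean jquery.js", "application/javascript", CLEAN_JQUERY),
        ("injected jquery.js", "application/javascript", INJECTED_JQUERY),
        ("page with video embed", "text/html", NORMAL_HTML),
        ("page with hidden iframe", "text/html", INJECTED_HTML),
    ]:
        print(label, "->", inspect_response(ctype, body, CLEAN_HASH if "jquery" in label else None))
    print(compare_variants({"first visit": INJECTED_JQUERY, "repeat visit": CLEAN_JQUERY}))
```

The known-good hash comparison is the most reliable signal for static assets such as jquery.js, since the file on disk is unchanged by this attack and can be hashed directly on the server; the other checks exist for pages whose legitimate content varies.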
Looking for assistance in cleaning up an affected server?
A recent blog by Google’s security team offers some educational tools for webmasters who want to learn more about how to protect and clean up their servers.
Here’s a video that Google produced offering advice for compromised websites.
In addition, IT system administrators may want to check out our free technical paper about “Securing websites”, which discusses common ways web servers are attacked and the various ways that they can be protected.
If Seagate would like a packet capture (PCAP) showing the infection, we will happily provide one.
2 comments on “Seagate’s blog pushes malware on unsuspecting visitors via rogue Apache modules”
Question: When Sophos notified Seagate of the issue in February, did Seagate provide an explicit acknowledgment that they received and understood the message?
The reason I ask is because it seems unconscionable to me that Seagate could leave such a problem in place for so long. So my first inclination is to wonder whether they actually understood the message. But if they did, NOT fixing it pronto seems irresponsible…and inexcusable.
Back in the '80s, shortly after St. Sinclair launched his first PC, the ZX80, there was a flood of small companies trying to take a share of the explosive growth of the market, and the practice was (to lower costs) to leave the detection of faulty items to customers, avoiding the cost of quality control. This logic and practice continues to the present day, including hardware (outsourced to China) and software.