Sunday, March 16, 2008

Security Vendor fall to a Web attack

TrendMicro was a victim of a recent Web attack

According to InfoWorld Trend Micro removed the infected pages from its Web site. While the attack is unfortunate for Trend Micro at least it had company.

McAfee says almost 200,000 Web pages have been compromised in a little more than a week.


Here’s what McAfee had to say:

The attack seems to have started more than a week ago, and nearly 200,000 web pages have been found to be compromised, most of which are running phpBB. This contrasts yesterday’s attack in that the vast majority of those were active server pages (.ASP). The ASP attacks are different than the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those doneby the Perl/Santy.worm back in 2004.
McAfee has a handy video of the attack that’s worth a look.

McAfee
was following up an attack detailed on Wednesday that infected 10,000 pages. The Wednesday attack involved an “injection of script into valid web page to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities.”

Not surprisingly, a lot of those vulnerabilities were ActiveX controls.

No comments: