Two different pieces of malware have infected many web servers in recent days.
One infected tens of thousands of websites belonging to Fortune 500 corporations, state government agencies and school. The hackers were able to breach the sites by exploiting un-patched SQL injection vulnerabilities that resided on Microsoft IIS server. The injections included javascript that redirected end users to a Chinese site, which then attempted to exploit multiple vulnerabilities to install key-logging software that stole passwords for various online games. Among the sites affected were Boston University, security provider Computer Associates, and agencies from the state of Virginia and the city of Cleveland.
That one’s easily caught. More tricky, and with researchers puzzled as to how exactly it operates, another has infected thousands of ‘mom-and-pop’ apache servers.
Visitors receive a javascript file with a randomly generated name that changes each time a new person visits the site. IP’s are remembered and returning visitors receive nothing. The constant flux makes it difficult for researchers to access the script responsible for delivering the payload or running Google searches that might provide a more comprehensive list of other sites that might be affected.
According to The Register, the script looks for various vulnerabilities specific to the visiting OS, and when it finds one pulls a .Mov file from the domain dedicated.abac.net. That in turn invokes a file from bds.invitations.fr, which installs a backdoor on end users’ machines. Victims are unlikely to know they’ve been infected because the installation is clear and seamless, and the malware uses few PC resources. At last check, only three of 33 antivirus programs detected the malware, which appears to be a derivative of the Rbot Trojan.
Some say that it is a variation of JS_IESLICE.AQ . Windows users can look for a file called mosvs8.exe to see if they’ve been infected.