Around 165,000 Web sites have been compromised in recent weeks, indicating a
mass outbreak in the use of malicious iFrames to attack Internet
users.
Just last week the input fields of several popular Web sites were
exploited to deliver iFrame attacks on potentially millions of visitors. By
inserting HTML code into the search fields of the affected sites, the attackers
have been able to launch iFrames which redirect users to Web sites hosting
malware.
The attacks have targeted visitors to tech publication
Wired.com, security firm Trend Micro and CNET Networks' own ZDNet Asia,
according to security researcher Dancho Danchev.
By exploiting flaws in
Web applications on the client side, such as RealPlayer and other lesser known
media players, the attackers are able to push browsers to sites that host
malicious content.
Similar attacks on PHP bulletin boards (phpBB) have
also exploded, according to security researchers at McAfee Avert Labs. Over the
past week 200,000 phpBB Web pages have been compromised, in what McAfee
researchers believe to be attacks similar to the Santy worm attacks of 2004.
In
2004, Google managed to put a halt to the Santy worm--malware which searched
Google for Web sites that used a vulnerable version of the phpBB bulletin board
software. Once the worm had infected one PHP bulletin board, it then used it as
a launching pad to infect other vulnerable software.
"With the
exploitation of PHP, we're not sure exactly what method may have been used, but
we suspect it could be a SQL injection attack," senior McAfee security
researcher, Nishad Herath, told ZDNet Asia's sister site ZDNet
Australia.
In just one hour last Friday afternoon, the number of phpBB
infections increased from 11,900 to 28,600 pages, Herath
added.
"Depending on the capabilities of the Web server that is
hacked--in terms of the level of access an attacker has [in order] to modify the
content--the payload seems to differ. Sometimes it's just a JavaScript and
others it's a malicious iFrame which hosts other malicious content," he
said.
Security experts believe that preventing the malicious iFrame and
phpBB attacks is a matter of validating input fields, for example,
by making sure fields can only contain alphanumeric characters.
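
The input-field validation described above, as an added example that is not part of the original article: a search handler that echoes the query unvalidated, beside one that applies an alphanumeric allow-list and HTML-encodes its output. The function names, the 64-character limit, the single-space rule and the sample inputs are assumptions made for illustration.

```python
import html
import re

MAX_LEN = 64  # assumed upper bound for a search box
# ASCII letters and digits, words separated by single spaces (assumed policy).
ALLOWED = re.compile(r"[A-Za-z0-9]+(?: [A-Za-z0-9]+)*")

def validate_search_term(raw):
    """Return the term unchanged if it passes the allow-list, else None."""
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        return None
    # fullmatch, not match or a '$' anchor: '$' would accept a trailing newline.
    return raw if ALLOWED.fullmatch(raw) else None

def render_unvalidated(raw):
    """The flawed pattern: the query is echoed into the page as markup."""
    return "<p>Results for: " + raw + "</p>"

def render_validated(raw):
    """Reject bad input outright, then HTML-encode what is echoed back."""
    term = validate_search_term(raw)
    if term is None:
        return "<p>Invalid search term.</p>"  # never reflect rejected input
    # Encoding is a second layer in case the allow-list is later loosened.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"

# Constructed inputs; example.invalid is a reserved placeholder host.
SAMPLES = [
    "santy worm 2004",
    '"><iframe src="//example.invalid/" width="0" height="0"></iframe>',
    "<script src=//example.invalid/a.js></script>",
    "phpbb\n",
    "A" * 500,
]

def compare(samples=SAMPLES):
    """For each sample: (input, iframe/script reflected before?, after?)."""
    def reflected(page):
        return "<iframe" in page or "<script" in page
    return [(s, reflected(render_unvalidated(s)), reflected(render_validated(s)))
            for s in samples]

if __name__ == "__main__":
    for sample, before, after in compare():
        print(repr(sample[:45]), "unvalidated:", before, "validated:", after)
```
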
As well
as preventing malicious iFrames, validating input fields could block complex
phishing scams which manipulate Web pages to trick visitors into divulging
personal information, according to Danny Allan, U.S. director of security
research at IBM Rational Software. Ninety percent of all phishing could be
prevented if this process was done correctly, he said.
The fact that a
Web server does not need to be fully compromised to be harmful to site visitors
is also important, Sophos's chief technology officer, Paul Ducklin, told ZDNet
Australia--only a single line of HTML code is necessary to make the exploit
work.
"People think the only way to threaten others is if malware infects
the Web server in the first place, but the bad guys don't need an active process on
your computer if they can get static Web pages," Ducklin told ZDNet
Australia.
"The vast majority of affected Web pages are statically
infected, so you're not actually dealing with active processes."
Because
most malware is developed for Microsoft Windows while most Web servers are Linux
machines running Apache, Web administrators mistakenly believe that this
protects their servers and by default their site's visitors, said
Ducklin.
Sophos's 2007 research also shows that 53 percent of all malware
used malicious iFrames to exploit computer systems. The second most popular
method was using hidden JavaScript, with nine percent.
Google's own
researchers have also blamed the 300 percent rise in sites delivering drive-by
downloads on poor security practices of Web administrators.
Source: www.webhostdir.com