Nine Ball attack compromises thousands of sites

By | Jun 20, 2009

Websense has been monitoring a massive online attack since June 03, which, to date, has compromised over 40,000 websites. The attack redirects users to a site hosting malware (ninetoraq.in), earning it the name Nine-Ball.

Websense said: “This is a massive injection attack on 40,000 legitimate sites online. That alone is serious, but then you add the goal of the attack and that is worse.” The criminals behind the Nine-Ball attack are targeting end users via “a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a Trojan downloader on the user’s machine.”

“If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code,” said Websense in its alert.

“The final landing page records the visitor’s IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the benign site of ask.com,” it added.

“After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime,” the alert concludes.

Several security failures can help Nine Ball compromise so many Web sites, including SQL-injection attacks on susceptible Web sites and bots that have stolen the logins and passwords of Web site administrators.

The Nine Ball exploit is distinct from two other mass-compromise methods observed of late, Beladen and Gumblar.
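The per-IP cloaking Websense describes (exploit site on the first visit, ask.com on every later visit from the same address) is what makes a single re-scan unreliable. The following is an added example, not code from the article or from Websense: it simulates that landing-page behaviour and a two-visit probe that exposes it. The hop names, the source addresses and the chain layout are constructed for the demonstration; only ninetoraq.in and ask.com come from the article.

```python
# Added example (not from the article): models the Nine-Ball landing page's
# IP-based cloaking and a two-visit probe that reveals it.
from dataclasses import dataclass, field

EXPLOIT_SITE = "ninetoraq.in"   # malware host named in the article
BENIGN_SITE = "ask.com"         # where repeat visitors from the same IP are sent


@dataclass
class LandingPage:
    """Simulated final landing page: it remembers every source IP it has served
    and sends each IP to the exploit site only on its first visit."""
    seen_ips: set = field(default_factory=set)

    def redirect_for(self, src_ip):
        if src_ip in self.seen_ips:
            return BENIGN_SITE
        self.seen_ips.add(src_ip)
        return EXPLOIT_SITE


def follow_chain(page, src_ip, intermediate_hops):
    """Return the full redirect chain a visitor from src_ip observes:
    the attacker-owned intermediate hops, then the landing page's decision."""
    return list(intermediate_hops) + [page.redirect_for(src_ip)]


def probe_for_cloaking(page, src_ip, intermediate_hops):
    """Fetch the chain twice from the same source and compare final hops.
    A differing final hop is the signature of first-visit-only cloaking."""
    first = follow_chain(page, src_ip, intermediate_hops)
    second = follow_chain(page, src_ip, intermediate_hops)
    return {
        "first_final": first[-1],
        "second_final": second[-1],
        "cloaked": first[-1] != second[-1],
    }


if __name__ == "__main__":
    # Constructed chain: compromised site -> attacker hop -> landing page.
    hops = ["compromised-site.example", "redirector.example"]
    page = LandingPage()
    print(probe_for_cloaking(page, "203.0.113.5", hops))
    # A fresh source IP is still served the exploit site, so a verdict taken
    # from a second scan on the same address would be a false negative.
    print(page.redirect_for("198.51.100.7"))
```

When triaging a suspected Nine-Ball landing page, compare the first fetch against a second fetch from a different egress address rather than trusting a repeat scan from the same one.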
