The Latest in IT Security

A Look at the Hack-attack


The big story yesterday (9/26/2011) was getting hacked, and serving up malicious JavaScript in its pages. The JavaScript created an invisible iFrame that linked to a drive-by-download attack hosted on malicious servers — an attack with a poorly detected payload. In related news, there were also reports that “root” access to had been put up for sale for $3000 on a Russian cybercrime forum. Given the timing of the events, it’s easy to conclude that the seller found a buyer…

It’s probably not surprising, given the scale of the attack, to learn that the traffic from was being routed into a large Malware Delivery Network, one tracked by WebPulse. As such, while our customers were safe, it’s worth examining what the logs can tell us about the attack.

For this particular malnet, while some of its components have been around for many months, the actual exploit and payload servers have a much shorter lifespan. In this attack, for example, the attack host was a junk domain named It showed up as one in a long line of malicious sites on a server that we had flagged as a malware host when it showed up a few days ago (9/22/2011). In the five days that it’s been in use, our logs show 81 different hosts there: in addition to several on, there are hosts on .info, .ms, .in, and .ai, among others.

To sum up, it looks like no special infrastructure was created to handle the traffic generated by the hidden iFrames on As newsworthy as this attack was, it was simply “Yet Another Traffic Driver” for a well established malnet; one that continues to go about its business today.

It was also interesting to look at some of the URLs we saw in our logs as referrers, as browsers attempted to reach the malnet:

screenshot of URLs from our logs

This contributed to the main topic of discussion on the Blue Coat malware team: the price paid for access to If root access was indeed purchased in order to enable this attack, why would a Bad Guy pay so much [$3K sounds like a lot to us, anyway] for something that would only be active for a short period of time? Here are some theories:

  • Consider the type of traffic they were buying: It’s reasonable to assume that frequent users of are DBAs, Engineers, and Web Developers, and other technical folks (as the urls above indicate). Many of these people would presumably have logins to databases (and Web sites). The malware, at some point, could scour the victim’s computer for files with database credentials and locations. This opens up a wealth of potentially sensitive information and the ability to compromise additional systems.
  • Such tech-savvy users are probably more likely to use online banking, and possibly saving up (or trying to free up credit) for that next got-to-have-gizmo. Ripe targets for banking trojans.
  • This is a high-traffic site (we saw estimates in the range of 400K visitors per day), so the sheer number of visitors could be worth it by itself.

While this hack is unfortunate news for the admins of [and the non-WebPulse-using visitors], it also provides additional evidence that the Bad Guys do not suddenly appear out the woodwork to launch large-scale attacks. Their infrastructure is already in place, and running 24/7 in their daily efforts to infect new victims. By focusing on tracking malnet infrastructure, WebPulse protects its users independently of the traffic-driving method du jour.


P.S. Tim really deserves 95% of the credit for this post, but the new blog editor only lets me credit him as a co-author. Hopefully we can get that fixed… –C.L.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments